# docker pass

**Description:** Manage your local OS keychain secrets.

**Usage:** `docker pass set|get|ls|rm`





> [!NOTE]
> **Experimental**
>
> This command is experimental. Experimental features are intended for testing and feedback. Their functionality or design may change between releases without warning, or they may be removed entirely in a future release.





## Description

Docker Pass is a helper for securely storing secrets in your local OS keychain and injecting them into containers when needed. 
It uses platform-specific credential storage:

  - Windows: Windows Credential Manager API
  - macOS:   Keychain services API
  - Linux:   org.freedesktop.secrets API (requires DBus + gnome-keyring or kdewallet)

Secrets can be injected into running containers at runtime using the `se://` URI scheme.




## Examples

### Using keychain secrets in containers

Create a secret:

```console
$ docker pass set GH_TOKEN=123456789
```

Create a secret from STDIN:

```console
$ echo "my_val" | docker pass set GH_TOKEN
```

Run a container that uses the secret:

```console
$ docker run -e GH_TOKEN= -dt --name demo busybox
```

Inspect the secret from inside the container:

```console
$ docker exec demo sh -c 'echo $GH_TOKEN'
123456789
```

Explicitly assign a secret to a different environment variable:

```console
$ docker run -e GITHUB_TOKEN=se://GH_TOKEN -dt --name demo busybox
```

### Using keychain secrets in Compose

Store the secrets:

```console
$ docker pass set myapp/anthropic/api-key=sk-ant-...
$ docker pass set myapp/postgres/password=s3cr3t
```

Reference the stored secrets in the Compose file:

```yaml
services:
  api:
    image: service1
    environment:
      - ANTHROPIC_API_KEY=se://myapp/anthropic/api-key
      - POSTGRES_PASSWORD=se://myapp/postgres/password

  worker:
    image: service2
    command: worker
    environment:
      - ANTHROPIC_API_KEY=se://myapp/anthropic/api-key

  db:
    image: postgres:17
    environment:
      - POSTGRES_PASSWORD=se://myapp/postgres/password
```
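
A pre-flight check for a Compose file like the one above, as an added example that is not part of the Docker documentation: it lists the secret names referenced through `se://` so they can be stored first, and flags sensitive-looking variables that still carry literal values. The function names, the constructed sample file, the characters accepted in secret names and the variable-name heuristic are assumptions; only list-style `- NAME=value` entries are handled.

```shell
#!/bin/sh
# Added example (not Docker's code): audit Compose environment entries
# against the se:// convention. Reads Compose text on stdin.

# Print each distinct secret name referenced as se://NAME, one per line.
# Assumption: names consist of letters, digits and "_ . / -".
se_refs() {
    grep -o 'se://[A-Za-z0-9_./-]*' | sed 's|^se://||' | LC_ALL=C sort -u
}

# Print names (never values) of list-style entries whose variable name looks
# sensitive but whose value is a literal rather than an se:// reference.
# Assumption: "sensitive" means the name contains PASSWORD, TOKEN, SECRET or KEY.
plaintext_secrets() {
    sed -nE 's/^[[:space:]]*-[[:space:]]*([A-Za-z_][A-Za-z0-9_]*=.*)$/\1/p' \
      | grep -Ei '^[A-Za-z0-9_]*(PASSWORD|TOKEN|SECRET|KEY)[A-Za-z0-9_]*=' \
      | grep -v '=se://' \
      | sed 's/=.*//' \
      | LC_ALL=C sort -u
}

# Constructed sample: one service follows the convention, one does not.
sample_compose() {
    cat <<'EOF'
services:
  api:
    image: service1
    environment:
      - ANTHROPIC_API_KEY=se://myapp/anthropic/api-key
      - POSTGRES_PASSWORD=se://myapp/postgres/password
      - LOG_LEVEL=debug
  db:
    image: postgres:17
    environment:
      - POSTGRES_PASSWORD=example-literal
EOF
}

# Audit the file given as $1, or the constructed sample when no path is given.
if [ -n "${1:-}" ]; then compose=$(cat "$1"); else compose=$(sample_compose); fi
echo "Store with 'docker pass set' before starting:"
printf '%s\n' "$compose" | se_refs
echo "Sensitive-looking variables with literal values:"
printf '%s\n' "$compose" | plaintext_secrets
```

Because the second report prints variable names only, its output can go to CI logs without exposing the literal values it found.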


## Subcommands

| Command | Description |
|---------|-------------|
| [`docker pass get`](https://docs.docker.com/reference/cli/docker/pass/get/) | Get a secret from a keystore. |
| [`docker pass ls`](https://docs.docker.com/reference/cli/docker/pass/ls/) | List all secrets from local keychain. |
| [`docker pass rm`](https://docs.docker.com/reference/cli/docker/pass/rm/) | Remove secrets from local keychain. |
| [`docker pass set`](https://docs.docker.com/reference/cli/docker/pass/set/) | Set a secret. |


