Configuration

Environment variables or Compose secrets?

Separate ordinary configuration from credentials, tokens, and private keys before sharing or committing a Compose project.

Best fit

Environment variables

Non-sensitive, changeable application configuration such as hostnames, ports, feature settings, and deployment mode.

  • • Precedence and interpolation must be understood.
  • • Values can be exposed more broadly to processes.
  • • Do not treat an env file as a universal secret boundary.

Best fit

Compose secrets

Credentials, tokens, certificates, and other sensitive values that should be granted only to the services that need them.

  • • Application images need to support the expected secret-file path.
  • • Secret files still need host access controls.
  • • Upstream app documentation decides the final integration method.

Decision rule

Classify each value by sensitivity first. Use ordinary configuration for non-sensitive settings and the least-broad supported secret mechanism for credentials.

Build the deployment blueprint

Sources and scope

Last reviewed 2026-07-13. This page separates the decision it supports from the facts that still require a platform or model-specific check.