If you’re using a single instance server (not Docker Swarm) and Docker Compose, but want to keep your secrets out of source control it’s not too bad. First, make sure you’re excluding “.env” in your .gitignore…

.env

Then, add your secrets to a .env file (file name must be exactly .env) in the same folder as your docker-compose.yml…

SEC_1=Something
SEC_2=SomethingElse

Then, be sure to expose your secrets in the “environment:” section of your docker-compose…

    environment:
      SEC_1: ${SEC_1}
      SEC_2: ${SEC_2}

Upload both the .env and docker-compose.yml to the server, and restart docker to pick up the env vars…

docker compose down
docker compose up -d

And finally, use the values in your PHP…

getenv('SEC_1')

Oh yeah, and since your .env won’t be in source control I’d still recommend finding a secure place to save it like a password manager.