Secrets are used to work with confidential data in a secure way. Swarm secrets are secure at rest and in transit. That is, when a new secret is created on a manager node, and it can only be created on a manager node, its value is encrypted and stored in the raft consensus storage. This is why it is secure at rest. If a service gets a secret assigned to it, then the manager reads the secret from storage, decrypts it, and forwards it to all the containers who are instances of the Swarm service that requests the secret. Since the node-to-node communication in swarm is using mutual transport layer security (TLS), the secret value, although decrypted, is still secure in transit. The manager forwards the secret only to the worker nodes on which a service instance is running. Secrets are then mounted as files into the target container. Each secret corresponds to a file. The name of the secret will be the name of the file inside the container, and the value of the secret is the content of the respective file. Secrets are never stored on the filesystem of a worker node but are mounted using tmpFS into the container. By default, secrets are mounted into the container at /run/secrets, but you can change that to any custom folder.