I am looking for a way to protect Let’s Encrypt keys with a password (preferably) or in some other way. Why I ask: I start Caddy in a Docker container with a mounted volume for storing Caddy’s persistent data, such as Let’s Encrypt keys/certificates. As I see it, a Docker volume is not a suitable place to store secret parameters. As far as I know, it’s recommended to manage sensitive data with Docker secrets. That’s why I see the following way to protect Let’s Encrypt keys: Caddy receives a password managed by Docker secrets and encrypts the Let’s Encrypt keys with it.
I think the focus should be on securing the volume with encryption. Encrypt the underlying Docker volume using LUKS (Linux Unified Key Setup) or a similar disk encryption service. When it needs to be decrypted for Caddy to access it, use the password you created for it.
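One way to wire the two ideas together (LUKS on the volume, passphrase delivered as a Docker secret), as an added example that is not code from the answer above or from the Caddy project: an entrypoint wrapper that unlocks the LUKS device with the secret, mounts it as Caddy’s data directory and then execs caddy. It assumes cryptsetup is installed in the image, the container gets the block device (`--device /dev/vdb`) and CAP_SYS_ADMIN, the secret is mounted at `/run/secrets/caddy_luks`, and the device was formatted with the same passphrase via `printf '%s' "$pass" | cryptsetup luksFormat --key-file - /dev/vdb`; the device path, secret name and mapper name are hypothetical.

```shell
#!/bin/sh
# Added example (not Caddy's own code): unlock a LUKS-encrypted data volume
# with a passphrase delivered as a Docker secret, mount it as Caddy's data
# directory, then hand off to caddy. Assumes cryptsetup in the image,
# CAP_SYS_ADMIN (device-mapper + mount), and --device for the raw volume.
set -eu

SECRET_FILE="${SECRET_FILE:-/run/secrets/caddy_luks}"   # hypothetical secret name
LUKS_DEVICE="${LUKS_DEVICE:-/dev/vdb}"                  # hypothetical device
MAPPER_NAME="${MAPPER_NAME:-caddy_data}"
DATA_DIR="${DATA_DIR:-/data}"

# Print the passphrase from a secret file. Refuses missing/empty files; the
# $(...) substitution drops the trailing newline an `echo`-written secret
# carries, so cryptsetup always sees the same bytes regardless of how the
# secret was created (with --key-file, a newline would be part of the key).
read_secret() {
    [ -r "$1" ] || { echo "secret $1 missing or unreadable" >&2; return 1; }
    pass=$(cat "$1")
    [ -n "$pass" ] || { echo "secret $1 is empty" >&2; return 1; }
    printf '%s' "$pass"
}

# Open the LUKS container unless it is already mapped. The passphrase is
# passed over stdin so it never shows up in the process list or environment.
unlock_volume() {
    [ -e "/dev/mapper/$MAPPER_NAME" ] && return 0
    cryptsetup isLuks "$LUKS_DEVICE" || { echo "$LUKS_DEVICE is not LUKS" >&2; return 1; }
    read_secret "$SECRET_FILE" | cryptsetup open --key-file - "$LUKS_DEVICE" "$MAPPER_NAME"
}

# Mount the decrypted mapping and keep the key material owner-only.
mount_volume() {
    mkdir -p "$DATA_DIR"
    mountpoint -q "$DATA_DIR" || mount "/dev/mapper/$MAPPER_NAME" "$DATA_DIR"
    chmod 700 "$DATA_DIR"
}

main() {
    unlock_volume
    mount_volume
    export XDG_DATA_HOME="$DATA_DIR"   # Caddy keeps certs/keys under $XDG_DATA_HOME/caddy
    exec caddy "$@"
}

# Invoked as `entrypoint.sh run <caddy args>`; sourcing only defines functions.
case "${1:-}" in run) shift; main "$@";; esac
```

Unlocking inside the container needs CAP_SYS_ADMIN, so if that is not acceptable, run the unlock and mount on the host before starting the container and bind-mount the decrypted path instead.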