Explain Docker secrets management and best practices.

Docker secrets management protects sensitive data like passwords, API keys, certificates. Docker Swarm Secrets: echo "mypassword" | docker secret create db_password -, docker service create --secret db_password --env POSTGRES_PASSWORD_FILE=/run/secrets/db_password postgres. Best practices: 1) Never use environment variables for secrets, 2) Use external secret management (Vault, AWS Secrets Manager), 3) Rotate secrets regularly, 4) Limit secret access with RBAC, 5) Audit secret usage. External secrets example: SECRET=$(aws secretsmanager get-secret-value --secret-id prod/db/password --query SecretString --output text), docker run -e DB_PASSWORD="$SECRET" myapp.