sbx: document Linux keychain fallback for headless hosts#25232

Open
dvdksn wants to merge 3 commits into
docker:mainfrom
dvdksn:worktree-sbx-linux-keychain-faq

Conversation

@dvdksn dvdksn commented Jun 2, 2026

Summary

On Linux hosts without a running Secret Service (headless servers, some WSL setups), sbx falls back to an encrypted on-disk store instead of the OS keychain. This documents where secrets are stored per platform in the credentials page and adds a headless-Linux FAQ entry.

Note

This documents behavior from the unreleased PR docker/sandboxes#3231. Hold merge until that change ships. Opened as a draft for that reason.

Learnings

  • Origin of this change is a Slack thread, not a GitHub issue, so there's no Closes # linkage.

Generated by Claude Code

On Linux without a running Secret Service (headless servers, some WSL
setups), sbx falls back to an encrypted on-disk store instead of the OS
keychain. Document where secrets are stored per platform in the
credentials page and add a headless-Linux FAQ entry.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
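The summary above describes two things an operator on a headless Linux host will want to check: whether a Secret Service is actually reachable (so `sbx` uses the keyring) and, if not, where the encrypted fallback file lands. The POSIX shell below is an added example for this thread, not code from the PR or from the `sbx` tool; it assumes `busctl` or `dbus-send` is installed for the D-Bus probe, and takes the directory namespace as a parameter because the review thread questions whether the Linux path is `com.docker.sandboxes` or `sandboxes`.

```shell
#!/bin/sh
# Added example (not part of the PR or the sbx project): resolve the Linux
# fallback directory described in the PR and probe for a Secret Service.

# Directory the PR text gives for the encrypted fallback file:
# $XDG_CONFIG_HOME/<namespace>, defaulting to ~/.config/<namespace>.
# The namespace is a parameter (default per the PR text); the review thread
# questions whether it should be "sandboxes" instead, so either can be resolved.
sbx_fallback_dir() {
    ns="${1:-com.docker.sandboxes}"
    base="${XDG_CONFIG_HOME:-$HOME/.config}"
    printf '%s/%s\n' "$base" "$ns"
}

# Prints "keyring" when a Secret Service (the well-known D-Bus name
# org.freedesktop.secrets) currently has an owner on the session bus, and
# "file" otherwise. A headless host with no session bus at all, or a host
# without busctl/dbus-send, reports "file", which is the case the FAQ covers.
# Return status mirrors the answer (0 = keyring, 1 = file) for use in scripts.
sbx_secret_backend() {
    if command -v busctl >/dev/null 2>&1; then
        if busctl --user list 2>/dev/null | grep -q '^org\.freedesktop\.secrets'; then
            echo keyring
            return 0
        fi
    elif command -v dbus-send >/dev/null 2>&1; then
        if dbus-send --session --print-reply --dest=org.freedesktop.DBus \
                /org/freedesktop/DBus org.freedesktop.DBus.NameHasOwner \
                string:org.freedesktop.secrets 2>/dev/null | grep -q 'boolean true'; then
            echo keyring
            return 0
        fi
    fi
    echo file
    return 1
}

# Usage: report the backend in use and, for the file case, where to look.
if [ "$(sbx_secret_backend)" = file ]; then
    echo "no Secret Service on the session bus; fallback dir: $(sbx_fallback_dir)"
fi
```

Run it in the same login session that runs `sbx`: a Secret Service started by a desktop session is not visible from an SSH session without a session bus, which is exactly when the fallback file is used.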
netlify Bot commented Jun 2, 2026

Deploy Preview for docsdocker ready!

Latest commit: ae4fa30
Latest deploy log: https://app.netlify.com/projects/docsdocker/deploys/6a1fe6bf48f09d0008178fd1
Deploy Preview: https://deploy-preview-25232--docsdocker.netlify.app


@dvdksn dvdksn added this to the sbx/v0.32.0 milestone Jun 2, 2026

@docker-agent docker-agent left a comment

Assessment: 🟢 APPROVE

The added content is well-structured and clearly documents the Linux keychain fallback behavior. No critical issues found — no vendored content, no missing redirects, no broken commands or incorrect facts. Cross-linking between faq.md and credentials.md uses correct relative paths and anchor fragments. Only minor style-guide items noted below.

Comment thread content/manuals/ai/sandboxes/security/credentials.md Outdated
Comment thread content/manuals/ai/sandboxes/security/credentials.md
Comment thread content/manuals/ai/sandboxes/faq.md Outdated

@akristen akristen left a comment


non-blocking nit: but our faq docs titles tend to be the plural faqs rather than faq.

@dvdksn dvdksn requested a review from rcjsuen June 3, 2026 08:24
Remove parentheses from the XDG config path per the style guide and
make the per-OS storage list parallel by moving the Ubuntu package
note into prose.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

dvdksn commented Jun 3, 2026

@akristen thanks! The bot's two style nits are addressed in 068f346 (dropped parentheses, made the per-OS list parallel).

On the faq vs faqs title: this page pre-dates this PR — it already ships as sandboxes/faq.md with title: FAQ, and I only added a section to it. Renaming the title/slug would change the published URL and is unrelated to the keychain change, so I'd rather keep it out of this PR to stay scoped.


@docker-agent docker-agent left a comment


Assessment: 🟢 APPROVE

The PR is well-scoped and clearly written. It adds a new FAQ entry and a "Where secrets are stored" section to the credentials page, both documenting the Linux encrypted-file fallback when no Secret Service is running. The writing is clean — no hedge words, no meta-commentary, no marketing language. No structural or Hugo issues found.

Three minor style suggestions are left as inline comments (low-severity only).

Comment thread content/manuals/ai/sandboxes/faq.md
Comment thread content/manuals/ai/sandboxes/faq.md Outdated
Comment thread content/manuals/ai/sandboxes/security/credentials.md
Split the em-dash into two sentences and replace the "a common setup"
hedge with a direct imperative, per review.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@dvdksn dvdksn added the status/do-not-merge Pull requests that are awaiting some event or decision before they can be merged. label Jun 3, 2026
@dvdksn dvdksn marked this pull request as ready for review June 3, 2026 12:17

@docker-agent docker-agent left a comment


Assessment: 🟡 NEEDS ATTENTION

One path accuracy concern found in the new content across both changed files. The overall writing is clean, well-scoped, and follows the style guide.

Yes. On Linux, `sbx` stores secrets in the Secret Service exposed by your
desktop keyring, such as GNOME Keyring or KDE Wallet. Headless servers and some
WSL setups have no running Secret Service, so `sbx` falls back to an encrypted
file under `$XDG_CONFIG_HOME/com.docker.sandboxes`, which defaults to

[LIKELY HIGH] Linux fallback path may use the wrong namespace

Both new sections document the Linux credential fallback path as $XDG_CONFIG_HOME/com.docker.sandboxes (defaulting to ~/.config/com.docker.sandboxes), but every other Linux XDG path in the project uses the namespace sandboxes — not com.docker.sandboxes. For example, troubleshooting.md shows:

~/.local/state/sandboxes/
~/.cache/sandboxes/
~/.config/sandboxes/

The com.docker.sandboxes naming is macOS convention (reverse-DNS Application Support directories). If the actual Linux on-disk path is ~/.config/sandboxes/ (consistent with all other Linux paths), the documentation would mislead users looking for the encrypted fallback file.

Please confirm the correct path against the implementation in docker/sandboxes#3231.


On Linux hosts without a running Secret Service — headless servers and some
WSL setups — `sbx` falls back to an encrypted file under your user config
directory `$XDG_CONFIG_HOME/com.docker.sandboxes`, which defaults to

[LIKELY HIGH] Linux fallback path may use the wrong namespace

Same issue as above: $XDG_CONFIG_HOME/com.docker.sandboxes (defaulting to ~/.config/com.docker.sandboxes) does not match the Linux XDG namespace pattern used elsewhere in the docs (sandboxes, not com.docker.sandboxes). If the actual path is ~/.config/sandboxes/, users following this documentation won't find the file.

Labels

area/ai status/do-not-merge Pull requests that are awaiting some event or decision before they can be merged.