diff --git a/backend/services/mesh/mesh_secure_storage.py b/backend/services/mesh/mesh_secure_storage.py
index cd02e9f..349f77c 100644
--- a/backend/services/mesh/mesh_secure_storage.py
+++ b/backend/services/mesh/mesh_secure_storage.py
@@ -189,11 +189,28 @@ def _is_windows() -> bool:
 return os.name == "nt"
+def _is_docker_container() -> bool:
+ """Detect if we're running inside a Docker container."""
+ if os.path.isfile("/.dockerenv"):
+ return True
+ try:
+ with open("/proc/1/cgroup", "r") as f:
+ if "docker" in f.read():
+ return True
+ except OSError:
+ pass
+ return os.environ.get("container") == "docker"
+
+
 def _raw_fallback_allowed() -> bool:
 if _is_windows():
 return False
 if os.environ.get("PYTEST_CURRENT_TEST"):
 return True
+ # Docker containers have no DPAPI or native keyring — auto-allow raw
+ # fallback so that Wormhole secure storage works out of the box.
+ if _is_docker_container():
+ return True
 try:
 from services.config import get_settings
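Review bot: The new `if _is_docker_container(): return True` in `_raw_fallback_allowed()` returns before the `get_settings()` lookup, so inside a container an explicit operator setting can no longer disable the raw fallback, and the downgrade from OS-backed protection happens without any log line. The detection is also only a heuristic: `container=docker` is an ordinary environment variable and `"docker" in f.read()` is a substring match on `/proc/1/cgroup`, so a plain Linux host whose environment carries that variable takes the same path, while cgroup v2 and non-Docker runtimes are missed. I would move the container check after the settings lookup so that a configured value wins, and record the downgrade once with something like `logger.warning("secure storage: no OS keyring detected in container, using raw fallback")` (assuming the module has a logger). The docstring of `_is_docker_container()` should say that the probe is best-effort and must not be treated as a trust decision. The rest of `_raw_fallback_allowed()` lies outside the hunk, so how the setting is evaluated is not visible here.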