Hello @Andy Doan ,
Azure IoT (Edge) devices can create a secure connection using e.g. a connection string or an x509 certificate.
The docker credentials to non-public container repositories, used by edge devices are not managed by these device credentials.
Azure IoT edge devices, once the runtime starts and a secure connection is set up, will ask for a deployment manifest using an outbound connection.
This document (it's just a JSON structure) describes which Docker containers must be deployed on the device, which docker container create options must be used, any 'desired properties' assigned to each module.
The deployment manifest can also contain the credentials needed for one or more private registries:
The credentials are stored plain text in the deployment manifest but this manifest is not accessible once entered in the Azure IoT Device registration. Normally, this is automated with scripts so the chance of leaking credentials is minimal.
I can recommend this free learning path all about Azure IoT Edge.