Updated 2 years ago by Admin

Encrypted secrets are used to store sensitive information, such as passwords, tokens, and ssh keys directly in your configuration file as an encrypted string. Each secret is represented as a yaml document in your configuration file.

You can use the command line tools to encrypt secrets. Each secret is encrypted with a per-repository encryption key using aesgcm. This key never leaves the server environment.

Example command to encrypt the secret:

$ drone encrypt <repository> <secret>

$ drone encrypt octocat/hello-world top-secret-password

Example configuration with encrypted secrets:

1  kind: pipeline
2 name: default
4 steps:
5 - name: build
6 image: alpine
7 environment:
9 from_secret: username
11 ---
12 kind: secret
13 name: username
14 data: hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
16 ...

Pull Requests

Secrets are not exposed to pull requests that originate from forks. This prevents a bad actor from sending a pull request and attempting to expose your secrets.

How did we do?