Encrypted secrets are used to store sensitive information, such as passwords, tokens, and ssh keys directly in your configuration file as an encrypted string. Each secret is represented as a yaml document in your configuration file.
You can use the command line tools to encrypt secrets. Each secret is encrypted with a per-repository encryption key using aesgcm. This key never leaves the server environment.
Example command to encrypt the secret:
$ drone encrypt <repository> <secret>
$ drone encrypt octocat/hello-world top-secret-password
Example configuration with encrypted secrets:
1 kind: pipeline
2 name: default
5 - name: build
6 image: alpine
9 from_secret: username
12 kind: secret
13 name: username
14 data: hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
Secrets are not exposed to pull requests that originate from forks. This prevents a bad actor from sending a pull request and attempting to expose your secrets.