Version 1.0.0
Language EN

Encrypted Secrets

Secrets can be encrypted using the command line utility and stored directly in your YAML configuration file. The Drone server encrypts the secret with a per-repository 256-bit key using AES-GCM encryption.

Example command that encrypts a secret:

$ drone encrypt <repository> <secret>
$ drone encrypt octocat/hello-world top-secret-password
hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=

Example configuration with encrypted secrets:

kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: username
    PASSWORD:
      from_secret: password

---
kind: secret

data:
  username: hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
  password: d37QyWi+E5FknFQN3ysygWmKx86L03Vk/rQV5g4pRiQ=

Pull Requests

Secrets are not exposed to pull requests by default. This prevents a bad actor from sending a pull request and attempting to expose your secrets. You can override this default behavior, at your own risk, with the following flag:

drone encrypt <repository> <secret> --allow-pull-request
