Version 1.0.0

Encrypted Secrets

Secrets can be encrypted using the command line utility and stored directly in your YAML configuration file. The Drone server encrypts the secret with a per-repository 256-bit key using AES-GCM encryption.

Example command to encrypt a secret:

$ drone encrypt <repository> <secret>
$ drone encrypt octocat/hello-world top-secret-password

Example configuration with encrypted secrets:

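kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    # variable names are illustrative; each is filled from the named secret
    USERNAME:
      from_secret: username
    PASSWORD:
      from_secret: password

---
kind: secret

data:
  # each value is the output of drone encrypt for this repository
  username: hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
  password: d37QyWi+E5FknFQN3ysygWmKx86L03Vk/rQV5g4pRiQ=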
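
As an added illustration (not Drone's own code), this Go sketch shows why a value encrypted under one repository's 256-bit AES-GCM key cannot be decrypted, or silently altered, in another repository's configuration file. The function names, the constructed keys and the nonce-prefixed base64 layout are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// repoCipher builds the AEAD for one repository; a 32-byte key selects AES-256.
func repoCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSecret returns base64(nonce || ciphertext || tag); this layout is assumed.
func encryptSecret(gcm cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// decryptSecret fails when the key differs or any byte of the value was altered.
func decryptSecret(gcm cipher.AEAD, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if n := gcm.NonceSize(); len(raw) >= n+gcm.Overhead() {
		plain, err := gcm.Open(nil, raw[:n], raw[n:], nil)
		return string(plain), err
	}
	return "", fmt.Errorf("encrypted value too short: %d bytes", len(raw))
}

func main() {
	keyA, keyB := make([]byte, 32), make([]byte, 32) // constructed keys; keyB stays all-zero
	rand.Read(keyA)
	repoA, _ := repoCipher(keyA)
	repoB, _ := repoCipher(keyB)
	enc, _ := encryptSecret(repoA, "top-secret-password")
	_, err := decryptSecret(repoB, enc)
	fmt.Println(enc, "| rejected under another repository's key:", err != nil)
}
```

Because each call draws a fresh nonce, encrypting the same secret twice yields different strings, so two encrypted values cannot be compared to tell whether they hide the same password.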

Pull Requests

Secrets are not exposed to pull requests by default. This prevents a bad actor from sending a pull request and attempting to expose your secrets. You can override this default behavior, at your own risk, with the following flag:

$ drone encrypt <repository> <secret> --allow-pull-request

