Encrypted secrets are used to store sensitive information, such as passwords, tokens, and SSH keys, directly in your configuration file as an encrypted string. Each secret is represented as a YAML document in your configuration file.
You can use the command line tools to encrypt secrets. Each secret is encrypted with a per-repository encryption key using AES-GCM. This key never leaves the server environment.
Example command to encrypt the secret:
$ drone encrypt <repository> <secret>
$ drone encrypt octocat/hello-world top-secret-password
hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
Example configuration with encrypted secrets:
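The configuration below is an added illustration, not a listing from the original page or the Drone project. A pipeline step reads the secret through from_secret, and the secret follows as its own YAML document carrying the encrypted string produced by the command above. The step name, image, command, and the secret name "password" are assumptions.

```yaml
kind: pipeline
name: default

steps:
- name: deploy                 # step name, image and command are assumptions
  image: alpine
  environment:
    PASSWORD:
      from_secret: password    # looked up by the name of the secret document below
  commands:
  - test -n "$PASSWORD"        # confirm the value was injected without printing it

---
# The secret is a separate YAML document in the same configuration file.
kind: secret
name: password                 # name chosen for this example
# Encrypted string returned by drone encrypt for octocat/hello-world (see above).
data: hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
```

Because the string is encrypted with the per-repository key, it has to be generated for the repository whose configuration file contains it.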
Secrets are not exposed to pull requests that originate from forks. This prevents a bad actor from sending a pull request and attempting to expose your secrets.