Version 1.0.0
Language EN

Encrypted Secrets

Secrets can be encrypted using the command line utility and stored directly in your yaml configuraiton file. The drone server encrypts the secret with a per-repository 256-bit key using aesgcm encryption.

Example command encrypts the secret:

$ drone encrypt <repository> <secret>
$ drone encrypt secret octocat/hello-world top-secret-password
hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=

Example configuration with encrypted secrets:

kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: username

---
kind: secret
name: username
data: hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=

...

Pull Requests

Secrets are not exposed to pull requests that originate from forks. This prevents a bad actor from sending a pull request and attempting to expose your secrets.

Getting Help

Mailing List
Search for information in the mailing list archives, or post a question.
Chat Support
Real-time chat support from maintainers and community members.