Secrets can be encrypted using the command line utility and stored directly in your YAML configuration file. The Drone server encrypts the secret with a per-repository 256-bit key using AES-GCM encryption.
Example command that encrypts a secret:
$ drone encrypt <repository> <secret>
$ drone encrypt octocat/hello-world top-secret-password
hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
Example configuration with encrypted secrets:
kind: pipeline
name: default
steps:
- name: build
  image: alpine
  environment:
    USERNAME:
      from_secret: username
---
kind: secret
name: username
data: hl3v+FODjduX0UpXBHgYzPzVTppQblg51CVgCbgDk4U=
...
Secrets are not exposed to pull requests that originate from forks. This prevents a bad actor from sending a pull request and attempting to expose your secrets.
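The per-repository AES-GCM encryption described at the top of this page, sketched in Go as an added example (not Drone's own code), shows that a value encrypted for one repository cannot be decrypted with another repository's key. The function names, the sample keys and the base64(nonce || ciphertext || tag) layout are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newGCM builds AES-256-GCM from a 32-byte (256-bit) per-repository key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("per-repository key must be 256 bits, got %d bytes", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length was checked above
	return cipher.NewGCM(block)
}

// Encrypt returns base64(nonce || ciphertext || tag); this layout is an assumption.
func Encrypt(key, secret []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every secret
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, secret, nil)), nil
}

// Decrypt fails if the key belongs to another repository or the data was altered.
func Decrypt(key []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	gcm, gerr := newGCM(key)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("malformed ciphertext or key")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

func main() {
	keyA, keyB := make([]byte, 32), make([]byte, 32) // constructed sample keys
	keyB[0] = 1                                      // stands in for a second repository's key
	enc, _ := Encrypt(keyA, []byte("top-secret-password"))
	_, err := Decrypt(keyB, enc)
	fmt.Println(enc, "| other repository's key rejected:", err != nil)
}
```

Because GCM authenticates the ciphertext, copying an encrypted value into a different repository's configuration, or editing it, fails at decryption instead of yielding garbage plaintext.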