Secrets
Use dpl secret for values that should not live in unit files.
Secrets are encrypted under:
    <base>/secrets/
The first dpl secret create command creates master.key.
Create a secret
Interactive prompt:
    dpl secret create db/app-password
Read from stdin:
    printf '%s' 's3cr3t' | dpl secret create db/app-password -
Read from a file:
    dpl secret create db/app-password ./password.txt
If you leave the interactive value empty, dpl generates a random 32-character value.
Use a secret
    runtime:
      env:
        API_TOKEN: ${secret:api-token}
Database units also use secrets:
    type: db
    server: db-main
    user: app
    secret: db/app-password
List, read, and remove secrets
    dpl secret ls
    dpl secret cat db/app-password
    dpl secret rm db/app-password
Security note
Secrets keep plaintext out of YAML files and source control.
They do not protect against a user with root access on the deploy host. The master key is stored next to the encrypted secret files. During deploy, dpl writes decrypted values into the files it generates on the host.
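Because the master key sits beside the encrypted files, file permissions on the secrets directory are what keeps other non-root users on the host away from the plaintext. The script below is an added example, not part of dpl: it audits that directory, assuming master.key lives directly in <base>/secrets/ and that the base path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of dpl: report entries in the secrets store that
# are accessible to anyone other than their owner.
# Assumption: master.key sits directly in <base>/secrets/.

audit_secrets_dir() {
    dir="$1/secrets"
    if [ ! -d "$dir" ]; then
        echo "no secrets directory at $dir" >&2
        return 2
    fi
    audit_rc=0
    # Without the key file there is nothing to decrypt with; note it and go on.
    if [ ! -f "$dir/master.key" ]; then
        echo "note: $dir/master.key not found (no secret created yet?)" >&2
    fi
    # Any group/other permission bit on a file or directory is a finding.
    # Symlinks are skipped: their own mode is always 0777 on Linux.
    loose=$(find "$dir" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/LOOSE /'
        audit_rc=1
    fi
    return "$audit_rc"
}

# Usage: sh audit-secrets.sh /path/to/base
# Exit status: 0 clean, 1 findings, 2 no secrets directory.
if [ "$#" -gt 0 ]; then
    audit_secrets_dir "$1"
fi
```

The same check is worth running against the files dpl generates during deploy, since those hold the decrypted values.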