Secrets Management

varlock uses the term sensitive to describe any value that should not be committed to version control. This includes secrets, passwords, and other generally sensitive information.

varlock is compatible with any third-party tool that supports fetching secrets via a CLI. With exec() function syntax, you can use any such tool to fetch secrets.

Here’s an example using 1Password:

# A secret in 1Password
# @sensitive @required
MY_SECRET=exec(`op read "op://devTest/myVault/credential"`);

This way no secrets are ever left in plaintext on your system, even if they are gitignored.
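
One way to check that a schema file follows this pattern is to flag any item marked @sensitive whose value is a literal instead of an exec() call. The script below is an added example, not part of varlock. It assumes that decorator comments directly above an item apply to that item, that only exec(...) counts as a fetch, and that an empty value is supplied elsewhere. The function name and the sample schema are constructed for illustration.

```javascript
// Added example: a simplified line-based check, not varlock's own parser.
// Assumption: "# @decorator" comment lines directly above KEY=value apply
// to that key, and a blank line ends the comment block.
function findPlaintextSensitive(schemaText) {
  const findings = [];
  let decorators = new Set();
  const lines = schemaText.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].trim();
    if (line === "") { decorators = new Set(); continue; }
    if (line.startsWith("#")) {
      // Collect decorators such as @sensitive and @required.
      for (const m of line.matchAll(/@([A-Za-z]+)/g)) decorators.add(m[1]);
      continue;
    }
    const item = /^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (item && decorators.has("sensitive")) {
      const value = item[2].replace(/;$/, "").trim();
      // An empty value is treated as "provided elsewhere" (assumption).
      if (value !== "" && !/^exec\(.*\)$/.test(value)) {
        // Report key and line only, so the finding never echoes the secret.
        findings.push({ key: item[1], line: i + 1 });
      }
    }
    decorators = new Set(); // decorators apply to a single item
  }
  return findings;
}

// Constructed sample schema; the literal password is a made-up value.
const SAMPLE_SCHEMA = [
  "# A secret in 1Password",
  "# @sensitive @required",
  'MY_SECRET=exec(`op read "op://devTest/myVault/credential"`);',
  "",
  "# @sensitive",
  "DB_PASSWORD=hunter2-constructed",
  "",
  "# not marked sensitive",
  "APP_PORT=8080",
  "",
  "# @sensitive",
  "API_TOKEN=",
].join("\n");

for (const f of findPlaintextSensitive(SAMPLE_SCHEMA)) {
  console.log(`line ${f.line}: ${f.key} is @sensitive but has a literal value`);
}
```

A check like this fits in a pre-commit hook or CI step, so a pasted literal is caught before it reaches version control.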