create secret

Create a new secret

Synopsis

Create

This command stores sensitive information within torero. Currently, the only secrets torero uses are SSH keys for private repositories.

torero's secrets manager uses asymmetric encryption, so only the encrypted form of a secret is stored in the database. It is important to understand that one specific encryption key file is used both to encrypt and to decrypt secrets: the file that encrypted a secret is the only file that can decrypt it. If the secrets encryption file is lost, there is no way to recover any stored secrets.

Generating Your Encryption Key File

First you will need to generate a strong, random encryption key. The command shown below is one way to do so.

>_ openssl rand -base64 256 > /Users/torerouser/.torero.d/torero_secret.key

To restrict the key file to its owner, also run

>_ chmod 400 /Users/torerouser/.torero.d/torero_secret.key
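The two steps above (generate the key, then lock down its permissions) as one script. This is an added example, not part of torero's documentation; the key path is an assumption, and check_key_file is an added sanity check that the file torero will be pointed at is non-empty and owner-read-only before any secrets are encrypted with it.

```shell
#!/usr/bin/env sh
# Added example (not torero's own code): create the secrets encryption key
# file with restrictive permissions and verify it before pointing torero at it.
# The path used below is an assumption; substitute your own.

# generate_key_file PATH
# Writes 256 random bytes (base64-encoded) to PATH with mode 0400.
# Refuses to overwrite an existing file: replacing the key makes every
# secret already encrypted with the old key unrecoverable.
generate_key_file() {
    key_file="$1"
    if [ -e "$key_file" ]; then
        echo "refusing to overwrite existing key file: $key_file" >&2
        return 1
    fi
    mkdir -p "$(dirname "$key_file")"
    # umask 077 inside a subshell so the file is never group/world readable,
    # not even between creation and the final chmod.
    (
        umask 077
        if command -v openssl >/dev/null 2>&1; then
            openssl rand -base64 256 > "$key_file"
        else
            # Fallback when openssl is not installed: same amount of kernel entropy.
            head -c 256 /dev/urandom | base64 > "$key_file"
        fi
    ) || return 1
    chmod 400 "$key_file"
}

# file_mode PATH
# Prints the octal permission bits; tries GNU stat first, then BSD/macOS stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_file PATH
# Returns 0 only when PATH exists, is non-empty and is readable by its owner alone.
check_key_file() {
    key_file="$1"
    if [ ! -s "$key_file" ]; then
        echo "missing or empty key file: $key_file" >&2
        return 1
    fi
    mode=$(file_mode "$key_file")
    if [ "$mode" != "400" ]; then
        echo "unexpected mode $mode on $key_file (want 400)" >&2
        return 1
    fi
}

# Usage (path is an assumption):
#   KEY=/Users/torerouser/.torero.d/torero_secret.key
#   generate_key_file "$KEY" && check_key_file "$KEY" \
#       && export TORERO_SECRETS_ENCRYPT_KEY_FILE="$KEY"
```

Once check_key_file succeeds, the same path is what you hand to --encryption-file or place in TORERO_SECRETS_ENCRYPT_KEY_FILE; keep an offline backup of the file, since torero cannot recover secrets without it.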

Pointing torero To Your Encryption Key File

Once the file is created, you can let torero know of its location in two ways.

  1. Command line

When initially setting up secrets within torero using torero create secret and torero describe secret, you can pass the key file location with the --encryption-file flag.

  2. Configuration Variables

The --encryption-file flag should only be used when first setting up secrets. torero needs to know the encryption file permanently in order to run services that require stored secrets. You can set the encryption key configuration variable permanently as you would any other configuration option: either through an environment variable (TORERO_SECRETS_ENCRYPT_KEY_FILE) or in your torero configuration file.

[secrets]
encrypt_key_file = /Users/torerouser/.torero.d/torero_secret.key

torero create secret <secret-name> --value <string-or-file> [flags]

Examples

Create A Secret Via The Encryption File Flag

Creates a secret called my-secret that encrypts the literal text "sensitive data". The --encryption-file flag tells torero which key file to encrypt the secret with.

>_ torero create secret my-secret \
--value "sensitive data" \
--encryption-file /Users/torerouser/.torero.d/torero_secret.key

Create A Secret Via Encryption File Configuration Var

Creates a secret called my-secret that encrypts the literal text "sensitive data". This command assumes that you have previously set the configuration variable TORERO_SECRETS_ENCRYPT_KEY_FILE.

>_ torero create secret my-secret \
--value "sensitive data"

Create A Secret From A File Via Encryption File Configuration Var

Creates a secret called git-key that encrypts the contents of the file /Users/torerouser/.ssh/torero_git_rsa, referenced with the @ prefix syntax. This command assumes that you have previously set the configuration variable TORERO_SECRETS_ENCRYPT_KEY_FILE.

>_ torero create secret git-key \
--value @/Users/torerouser/.ssh/torero_git_rsa

Options

      --description string       A brief description of the service
      --encryption-file string   The file to use for the encryption of the secret. This secret will be stored in
                                 the torero server encrypted and clients and runners will need the
                                 encryption file for decryption. (default "/etc/torero/torero_secret.key")
  -h, --help                     help for secret
      --tag stringArray          Metadata tag(s) to associate with the service
      --value string             The secret value that will be created

Options inherited from parent commands

      --config string   Path to the configuration file
      --raw             Displays the result of the command in its raw format
      --verbose         Enable verbose output
