Question: Adding Secrets to Already Encrypted Secrets File #1138
Comments
|
@cdunford I think the only possible way would be to split the secrets file into two, one with the key that only admins have access to, and another with the key everyone has access to. Not sure if this works with Another way would be to enhance This way, you don't need to re-encrypt the secrets file to add/remove a single secret. It doesn't support Azure KeyVault or a kind of secrets manager in Azure yet https://github.com/variantdev/vals#suported-backends so hopefully you could submit a pull request OR help me to implement/test the Azure provider for vals to support your usecase. |
|
I am using the multiple secrets files approach currently and it works fine. My use case doesn't actually involve different keys. It's the same key for all secrets, it's just no one has access to use the key in the vault to decrypt, they can just use it to encrypt. I wasn't aware of the other means to load secrets directly from the values. Is that documented somewhere (maybe I just missed it)? |
|
@cdunford It's available since #906 but it isn't documented yet.
Well then, I guess the only way would be to never decrypt/re-encrypt it. In other words, create a new secret file for each newly added secret value. |
I have a use case where it would be ideal if there was some way to add new secrets to an existing secrets file that is encrypted. I know this is possible by decrypting the file then adding and then re-encrypting, but I am using Azure Keyvault and many folks who may need to have access to add new secret values will not have access to use the key in the vault to decrypt, so they cannot decrypt and re-encrypt all of the secrets.
Is this somehow possible today?
The text was updated successfully, but these errors were encountered: