Options for Storing Secrets
There are few secret-storage options that CircleCI can support at this time:
- You can store them as plaintext using Contexts resources (org-wide) or environment variables (job-specific), and then
echothem into files, etc., at job runtime via your config.yml
- You can encrypt files and store them in your source repository, but store the decryption keys in CircleCI, again either via Contexts or job environment variables, and then decrypt as-needed at job runtime
- You can use a third-party secret storage solution (for example, Hashicorp's Vault), so long as it has a headless CLI-accessible option that you can use in your CircleCI job (which Vault does)
For further questions or suggestions for your particular use-case, please contact CircleCI Support.