Storing Secret Files (certs, etc.)

Options for Storing Secrets

There are a few secret-storage options that CircleCI can support at this time:

  • The most highly recommended option is to make use of an external secret storage tool with OIDC support (for example, HashiCorp's Vault).
    • Making use of OIDC within CircleCI to fetch or update these secrets minimises the risk of leaks and reduces the impact of potential bad actors.
  • You can store them as plaintext using Contexts resources (org-wide) or environment variables (job-specific), and then echo them into files, etc., at job runtime via your config.yml.
  • You can encrypt files and store them in your source repository, but store the decryption keys in CircleCI, again either via Contexts or job environment variables, and then decrypt as needed at job runtime.
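
As an added example (not CircleCI's own code), here is a shell helper for the Contexts/environment-variable option that a `run` step in config.yml could call to write a secret into a file without printing it to the job log. It assumes the variable holds the file base64-encoded on a single line; the function name, the variable name `DEPLOY_CERT_B64` and the destination path are hypothetical.

```shell
# Added example: materialise a secret file from a CI environment variable.
# Assumption: the variable (set via a Context or project environment
# variable) holds the file content base64-encoded.
#
# Usage in a run step (names are hypothetical):
#   write_secret_file DEPLOY_CERT_B64 "$HOME/certs/deploy.pem"

# The function body is a subshell, so umask and variables do not leak
# into the rest of the job's shell.
write_secret_file() (
  var_name="$1"
  dest="$2"

  # Accept only a plain shell identifier before it reaches eval.
  case "$var_name" in
    ''|[0-9]*|*[!A-Za-z0-9_]*)
      echo "error: invalid variable name" >&2
      exit 2 ;;
  esac

  # Read the variable by name; the value itself is never echoed.
  eval "value=\${$var_name:-}"
  if [ -z "$value" ] || [ -z "$dest" ]; then
    echo "error: $var_name is unset or empty, or no destination given" >&2
    exit 1
  fi

  # New directories are created 0700 and new files 0600.
  umask 077
  mkdir -p "$(dirname "$dest")" || exit 1
  tmp="$(mktemp "$dest.XXXXXX")" || exit 1

  # Decode to a temp file first so a bad value never leaves a
  # half-written secret at the destination.
  if printf '%s' "$value" | base64 -d > "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
    mv "$tmp" "$dest"
  else
    rm -f "$tmp"
    echo "error: $var_name does not contain valid base64" >&2
    exit 1
  fi
)
```

Avoid `set -x` in the step that calls this, since shell tracing would print the expanded value into the build output.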

For further questions or suggestions for your particular use-case, please contact CircleCI Support.
