Skip to content

Secrets

Secrets are named values managed by the orchestrator and referenced from modules. Agents never read the secret store: the orchestrator resolves references and sends already-substituted values, marked so agents treat them as sensitive.

Write ${{ secrets.<name> }} wherever a value is needed. The orchestrator substitutes it during expression evaluation, before the resource declaration leaves the orchestrator:

resources:
- id: app-env
resource:
file-unix:
path: /etc/myapp/env
content: |
DATABASE_URL=${{ secrets.database_url }}
mode: "0640"

If a module references a secret that does not exist, resolution fails for every targeted agent and the apply is reported as an error — create the secret first.

Terminal window
ordo secrets set database_url --file ./db-url.txt # or --value, or prompt
ordo secrets list # metadata only, never values
ordo secrets get database_url # details, still no value
ordo secrets remove database_url
  • Encrypted at rest. Secret values are encrypted in the orchestrator’s database with a dedicated encryption key, separate from the orchestrator’s identity key.
  • Resolved server-side. The orchestrator holds the decryption capability and substitutes values before sending declarations. Agents receive resolved values and never access the store directly.
  • Redacted everywhere. Resolved values are marked sensitive and redacted in logs, plan output, and state reports. Redaction is whole-field — referencing a secret inside a script body redacts the entire body.
  • Scoped. Restrict a secret to the agents that should receive it, by tag selection, node ID, or both. An unrestricted secret is available to any agent during state application.
Terminal window
ordo secrets set api_key --file ./key.txt --restrict-tags group=home
ordo secrets set root_pw --file ./pw.txt --restrict-nodes <node-id>,<node-id>