Secrets
Secrets are named values managed by the orchestrator and referenced from modules. Agents never read the secret store: the orchestrator resolves references and sends already-substituted values, marked so agents treat them as sensitive.
Reference a secret in a module
Section titled “Reference a secret in a module”Write ${{ secrets.<name> }} wherever a value is needed. The orchestrator
substitutes it during expression evaluation, before the resource declaration
leaves the orchestrator:
resources: - id: app-env resource: file-unix: path: /etc/myapp/env content: | DATABASE_URL=${{ secrets.database_url }} mode: "0640"If a module references a secret that does not exist, resolution fails for every targeted agent and the apply is reported as an error — create the secret first.
Manage secrets
Section titled “Manage secrets”ordo secrets set database_url --file ./db-url.txt # or --value, or promptordo secrets list # metadata only, never valuesordo secrets get database_url # details, still no valueordo secrets remove database_urlWhat Ordo guarantees
Section titled “What Ordo guarantees”- Encrypted at rest. Secret values are encrypted in the orchestrator’s database with a dedicated encryption key, separate from the orchestrator’s identity key.
- Resolved server-side. The orchestrator holds the decryption capability and substitutes values before sending declarations. Agents receive resolved values and never access the store directly.
- Redacted everywhere. Resolved values are marked sensitive and redacted in
logs, plan output, and state reports. Redaction is whole-field — referencing a
secret inside a
scriptbody redacts the entire body. - Scoped. Restrict a secret to the agents that should receive it, by tag selection, node ID, or both. An unrestricted secret is available to any agent during state application.
ordo secrets set api_key --file ./key.txt --restrict-tags group=homeordo secrets set root_pw --file ./pw.txt --restrict-nodes <node-id>,<node-id>