Secrets

Enola manages “secrets” (e.g. API keys, other tokens, passwords, etc.) by delegating to an external secret manager. The following ones are currently supported:

1. pass: We recommend using this with GPG on a YubiKey that requires “touch” to decrypt secrets.
2. Insecure unencrypted plain text (YAML) file 😭

Support for other secret managers may be added in the future. Please open an issue if you need a specific one; like:

• GNOME Keyring
• KDE Wallet
• Support age (or rage), with passage; for TPM, SE and YubiKey
• macOS Keychain, on Apple’s Secure Enclave
• Cloud KMS (various)
• Windows

Which one is used is currently automatically determined. This may be made more configurable in the future.

We will not read “secrets” from environment variables, as this is not secure.