Similar to sops, eyaml or Kubernetes sealed secrets, Stacks gives you the ability to write down encrypted secrets directly in your configuration.
First, if you don't have a public key already, generate a key pair as described in the last section of this document.
Then use your public key to encrypt the secret:
$ stacks encrypt --public-key-path path/to/public.pem -- 'mysecr3t' # the "--" before your secret is only required if your secret begins with "--", so Stacks doesn't parse it as a non-existent flag, but it doesn't hurt to always use it
ENC[l42kj562...v349120j]The ENC[l4...0j] output is your encrypted secret.
Finally, copy your encrypted secret anywhere you wish to use it:
# environments/production/env.tfvars
aws_secret_access_key = "ENC[l42kj562...v349120j]"Note: only string values can be encrypted, and they must be fed to Stacks via *.tfvars variables (i.e. you cannot use them directly in resource attributes).
To use your encrypted secrets, all you need to do is set the STACKS_PRIVATE_KEY_PATH environment variable to point to your private key, and then run Stacks normally.
Note: this implies you can only use one key pair to encrypt/decrypt all the secrets of your running layer.
Here's how you can consult the value of an encrypted secret (you'll need your private key):
$ stacks decrypt --private-key-path path/to/private.pem 'ENC[l42kj562...v349120j]'
mysecr3tThe mysecr3t output is your decrypted secret.
- Run
stacks genkey --public-key-path public.pem --private-key-path private.pem. - Store
private.pemin a safe place. Make sure to exclude it from version control!