Secret management

Storing secrets safely in the Git repository.

When doing GitOps, users want Git to be the single source of truth. But storing credentials such as Kubernetes Secrets or Terraform credentials in Git in plaintext is not safe. This feature lets you keep that sensitive information in Git, encrypted, right next to your application manifests.

Basically, the flow looks like this:

  • the user encrypts their secret data via PipeCD's Web UI and stores the encrypted data in Git
  • Piped decrypts it before doing deployment tasks

Only Piped holds the private key, so the encrypted data committed to Git cannot be read by anyone who merely has access to the repository.


Before using this feature, Piped needs to be started with a key pair for secret encryption. The private key must never be committed to Git; only the public key is needed for encryption.

You can use the following command to generate a key pair:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key
openssl pkey -in private-key -pubout -out public-key

Then specify them while installing Piped with these options:

--set-file \

Finally, enable this feature in the Piped configuration file with the secretManagement field, pointing at the two files mounted from the install step:

apiVersion: pipecd.dev/v1beta1
kind: Piped
spec:
  pipedID: your-piped-id
  secretManagement:
    type: KEY_PAIR
    config:
      privateKeyFile: /etc/piped-secret/secret-private-key
      publicKeyFile: /etc/piped-secret/secret-public-key
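The two-step flow above (encrypt under the public key from the Web UI, decrypt inside Piped with the private key), as an added Go example that is not PipeCD's own code. It assumes a hybrid scheme, RSA-OAEP (SHA-256) wrapping a random AES-256-GCM key, chosen here to illustrate the key-pair model; it is not a claim about PipeCD's actual ciphertext format. GenerateKeyPairPEM stands in for the two openssl commands above and produces the same PEM encodings (PKCS#8 PRIVATE KEY, PKIX PUBLIC KEY); LoadKeyPair, Encrypt and Decrypt are names chosen for this example. LoadKeyPair also rejects a public key that does not belong to the private key, a misconfiguration that otherwise only shows up as a failed deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// GenerateKeyPairPEM stands in for "openssl genpkey" and "openssl pkey -pubout":
// it returns a PKCS#8 "PRIVATE KEY" block and a PKIX "PUBLIC KEY" block.
func GenerateKeyPairPEM(bits int) (privPEM, pubPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	privDER, _ := x509.MarshalPKCS8PrivateKey(key)
	pubDER, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privDER})
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return privPEM, pubPEM, nil
}

// LoadKeyPair parses the contents of privateKeyFile and publicKeyFile and checks they belong together.
func LoadKeyPair(privPEM, pubPEM []byte) (*rsa.PrivateKey, *rsa.PublicKey, error) {
	pb, _ := pem.Decode(privPEM)
	ub, _ := pem.Decode(pubPEM)
	if pb == nil || pb.Type != "PRIVATE KEY" || ub == nil || ub.Type != "PUBLIC KEY" {
		return nil, nil, errors.New("expected PKCS#8 PRIVATE KEY and PKIX PUBLIC KEY PEM blocks")
	}
	privAny, err := x509.ParsePKCS8PrivateKey(pb.Bytes)
	if err != nil {
		return nil, nil, err
	}
	pubAny, err := x509.ParsePKIXPublicKey(ub.Bytes)
	if err != nil {
		return nil, nil, err
	}
	priv, okPriv := privAny.(*rsa.PrivateKey)
	pub, okPub := pubAny.(*rsa.PublicKey)
	if !okPriv || !okPub || !pub.Equal(&priv.PublicKey) {
		return nil, nil, errors.New("keys must be RSA and the public key must match the private key")
	}
	return priv, pub, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the Web UI side. Output (base64): wrappedKey (pub.Size() bytes) || nonce (12) || ciphertext+tag.
// Only the private-key holder can unwrap the AES key, which is what makes the blob safe to commit.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a GCM nonce, both random
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	aesKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(aesKey)
	if err != nil {
		return "", err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return "", err
	}
	out := gcm.Seal(append(wrapped, nonce...), nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt is the Piped side, run before any deployment task; a wrong key or data edited in Git fails here.
func Decrypt(priv *rsa.PrivateKey, encoded string) ([]byte, error) {
	k := priv.Size() // RSA-OAEP output is exactly one modulus length
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < k+12 {
		return nil, errors.New("malformed encrypted data")
	}
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[:k], nil)
	if err != nil {
		return nil, errors.New("cannot unwrap AES key: wrong private key or corrupted data")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, raw[k:k+12], raw[k+12:], nil) // GCM tag check rejects tampering
}

func main() {
	privPEM, pubPEM, _ := GenerateKeyPairPEM(2048)
	priv, pub, err := LoadKeyPair(privPEM, pubPEM)
	if err != nil {
		panic(err)
	}
	enc, _ := Encrypt(pub, []byte("hunter2")) // this string is what goes under encryptedSecrets in Git
	dec, _ := Decrypt(priv, enc)              // this is what Piped sees at deploy time
	fmt.Printf("encrypted-data: %s\ndecrypted: %s\n", enc, dec)
}
```

The mismatch check in LoadKeyPair is the one worth copying into any startup path: a public key that was regenerated without the private key produces blobs that no Piped can open, and the failure is only visible at deploy time unless it is caught when the files are loaded.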

Encrypting secret data

To encrypt secret data, go to the application list page, click the options icon at the right side of the application row, and choose the "Encrypt Secret" option. Then input your secret data and click the "ENCRYPT" button. The encrypted data is shown; copy it and store it in Git. The plaintext never needs to be written to disk or committed anywhere.

[Screenshot: Application list page]

[Screenshot: The form for encrypting secret data]

Storing encrypted secrets in Git

To make encrypted secrets available to an application, they must be specified in that application's configuration file under the encryption field:

  • encryptedSecrets contains a map of the encrypted secrets, keyed by the name you will reference them with.
  • decryptionTargets contains a list of files that use one of the encrypted secrets and should be decrypted by Piped. A file that references a secret but is not listed here is left unrendered.

apiVersion: pipecd.dev/v1beta1
# One of Piped defined app kind such as: KubernetesApp
kind: KubernetesApp
spec:
  encryption:
    encryptedSecrets:
      password: encrypted-data
    decryptionTargets:
      - secret.yaml

Accessing encrypted secrets

Any file in the application directory that is listed as a decryption target can use the .encryptedSecrets context to access secrets you have encrypted and stored in the application configuration.

For example,

  • Accessing a secret from a Kubernetes Secret manifest. Note that values under data: must be base64-encoded, so either encrypt the base64 form of the value or put the plaintext under stringData: instead.

apiVersion: v1
kind: Secret
metadata:
  name: simple-sealed-secret
data:
  password: "{{ .encryptedSecrets.password }}"

  • Configuring an environment variable of a Lambda function to use an encrypted secret

apiVersion: pipecd.dev/v1beta1
kind: LambdaFunction
spec:
  name: HelloFunction
  environments:
    KEY: "{{ .encryptedSecrets.key }}"

In all cases, Piped decrypts the encrypted secrets and renders the decryption target files before using them for any deployment task. The rendered files exist only in Piped's working copy; the repository keeps holding the encrypted form.
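The rendering step described above, as an added Go example that is not PipeCD's own code: the decrypted values are bound to .encryptedSecrets and each file named in decryptionTargets is executed as a Go template, while every other file is passed through untouched. The sample application directory is constructed here, and RenderDecryptionTargets and Secrets are names chosen for this example. Two checks a practitioner would want are included: a reference to a secret name that is not in encryptedSecrets fails hard (missingkey=error) rather than silently rendering "<no value>" into a manifest, and a decryption target that does not exist in the directory is reported instead of ignored.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Secrets maps the names used under encryptedSecrets to their decrypted values.
type Secrets map[string]string

// sampleFiles is a constructed application directory (not from the PipeCD docs).
// Only secret.yaml will be listed as a decryption target; deployment.yaml also
// contains a template expression but must be left exactly as it is.
var sampleFiles = map[string]string{
	"secret.yaml": `apiVersion: v1
kind: Secret
metadata:
  name: simple-sealed-secret
data:
  password: "{{ .encryptedSecrets.password }}"
`,
	"deployment.yaml": `# not a decryption target, so Piped must not render this file
env: "{{ .encryptedSecrets.password }}"
`,
}

// RenderDecryptionTargets executes each file named in targets as a Go template
// with .encryptedSecrets bound to secrets and returns every other file verbatim.
// missingkey=error turns a typo in a secret name into an error instead of a
// manifest containing the literal string "<no value>".
func RenderDecryptionTargets(files map[string]string, targets []string, secrets Secrets) (map[string]string, error) {
	ctx := map[string]any{"encryptedSecrets": secrets}
	out := make(map[string]string, len(files))
	for name, content := range files {
		out[name] = content
	}
	for _, name := range targets {
		src, ok := files[name]
		if !ok {
			return nil, fmt.Errorf("decryption target %q is not in the application directory", name)
		}
		tmpl, err := template.New(name).Option("missingkey=error").Parse(src)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		var buf bytes.Buffer
		if err := tmpl.Execute(&buf, ctx); err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = buf.String()
	}
	return out, nil
}

func main() {
	// The decrypted value is already base64 ("hunter2") because the target places it
	// under a Kubernetes Secret's data: field, which expects base64-encoded bytes.
	rendered, err := RenderDecryptionTargets(sampleFiles, []string{"secret.yaml"}, Secrets{"password": "aHVudGVyMg=="})
	if err != nil {
		panic(err)
	}
	fmt.Print(rendered["secret.yaml"])
}
```

Running it prints the Secret manifest with the password filled in; deployment.yaml keeps its {{ .encryptedSecrets.password }} text, which is exactly the symptom you see in a real deployment when a file is forgotten in decryptionTargets.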


Last modified February 6, 2024: Release v0.46.0 (#4775) (49627aa0)