Overview

Secrets in Gitpod allow you to securely store and inject sensitive data into your environments. These include API keys, access tokens, credentials, and certificates that your applications need but shouldn’t be exposed in your source code.

Secrets are configured at the project level and automatically made available to any environment launched from that project. This ensures consistent and secure access to sensitive data across your development workflow.

To manage secrets, navigate to the Project > Secrets tab. Here you can view all configured secrets and create new ones as needed.

​

Encryption of Secrets

All secrets you create are protected with industry-standard encryption. Once stored, only environments created from your projects can retrieve the secret values.

We use AES256-GCM to encrypt all secrets at rest in the database, with an additional layer of protection through AWS RDS encryption. This dual-layer approach ensures your sensitive data remains secure both at the application level and infrastructure level.

Gitpod employees do not have access to the encryption keys and cannot decrypt your secrets.

​

Types of Secrets

Gitpod supports multiple types of secrets to accommodate different needs:

• Environment Variables: Key-value pairs injected into your environment’s process space
• Files: Securely store and inject entire files into your environment
• Container Registry Secrets: Authentication credentials for private container registries

Each type of secret serves a specific purpose in your development workflow. Click the links above to learn more about how to use each type effectively.