Secrets¶
Encrypted store for SSH keys, API tokens, passwords, certificates, and cloud credentials. Referenced by name from server records and custom HTTP tools.
Route: /secrets
Role gating: read for all; create / delete require admin.
Storage model¶
Secrets are encrypted at rest using AES-256-GCM with the platform-wide OREMEDY_ENCRYPTION_KEY. The key never appears in the database; it is loaded from the environment at boot and validated to be exactly 32 bytes (64 hexadecimal characters), the key length AES-256 requires. Because a single key protects every secret, the environment that holds OREMEDY_ENCRYPTION_KEY is the root of trust for this store: anyone who obtains both the key and a copy of the database can decrypt every stored value.
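The following Go program illustrates the storage model described above. It is an added example, not OREMEDY's own code: the key is accepted only if it decodes from hex to exactly 32 bytes, each value is sealed under AES-256-GCM with a fresh random nonce, and the secret's name is bound in as additional authenticated data so a blob cannot be swapped onto a different record. The demoKeyHex constant, the nonce||ciphertext||tag blob layout and the use of the name as AAD are assumptions made for this example; the page does not describe how the product lays out its encrypted blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// keyBytes is the AES-256 key length; the env var must hex-encode exactly this many bytes.
const keyBytes = 32

// demoKeyHex stands in for OREMEDY_ENCRYPTION_KEY. Constructed for this example only;
// a real deployment would generate it with something like `openssl rand -hex 32`.
const demoKeyHex = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"

// loadKey mirrors the boot-time check: decode hex and insist on exactly 32 bytes.
func loadKey(hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("encryption key is not valid hex: %w", err)
	}
	if len(key) != keyBytes {
		return nil, fmt.Errorf("encryption key must be %d bytes (%d hex chars), got %d bytes",
			keyBytes, 2*keyBytes, len(key))
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts one secret value. Assumed blob layout: nonce (12 bytes) || ciphertext || tag.
// The secret name is passed as AAD, so the blob only opens under the record it was written for.
func sealSecret(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, yielding nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// openSecret reverses sealSecret; any change to blob, key or name fails authentication.
func openSecret(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key, err := loadKey(demoKeyHex)
	if err != nil {
		panic(err)
	}
	blob, _ := sealSecret(key, "prod-db-password", []byte("hunter2"))
	fmt.Printf("stored blob (%d bytes): %x\n", len(blob), blob)
	pt, err := openSecret(key, "prod-db-password", blob)
	fmt.Printf("decrypted under the right name: %q err=%v\n", pt, err)
	_, err = openSecret(key, "staging-db-password", blob)
	fmt.Println("decrypted under a different name:", err)
}
```

Sealing the same value twice yields different blobs because of the random nonce, and the stored blob is 28 bytes longer than the plaintext (12-byte nonce plus 16-byte GCM tag); a 16-byte key, which would silently give AES-128 in other designs, is rejected before any data is written.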
Secret types¶
| Type | Use case |
|---|---|
| ssh_key | SSH private key for server access |
| api_token | Bearer / API token for external services |
| password | Generic password credential |
| certificate | TLS/PEM certificate material |
| cloud_credential | Cloud provider credentials (AWS, GCP, Azure, etc.) |
The value is stored as a single encrypted blob. Type-specific fields are not split out server-side — the type label drives UI hints only.
Table columns¶
- Name.
- Type.
- Value (masked — value is never shown after creation).
- Created timestamp.
- Delete button.
Actions¶
- Add Secret — modal collects name, type, and the credential value. Values are write-once: the raw value is never displayed after creation.
- Delete — cascades to references; servers and tools that referenced the secret fail their next operation until reassigned.
Related routes¶
- servers.md — server records reference SSH secrets
- tools.md — custom HTTP tools may reference bearer / API key secrets