Skip to main content
Version: 3.0 (beta)

Secrets Encryption

By default, secrets are not encrypted and stored plain text (base64 encoded) in the underlying custom resource. You can configure Loft to encrypt the data of shared secrets by specifying an encryption key:

  1. Make sure you have a valid Loft Enterprise subscription.

  2. Edit your existing loft.yaml file or create a new file named loft.yaml with content:

    env:
    SECRETS_ENCRYPTION_KEY: "YOUR_ENCRYPTION_SECRET_KEY"
  3. Set the $VERSION variable to the Loft version you want to upgrade to OR set it to the current version using:

    CHART=$(kubectl get service loft -n loft -o jsonpath={.metadata.labels.chart})
    VERSION=${CHART:5}
  4. Upgrade Loft via:

    To upgrade Loft via Loft CLI, run:

    loft start --upgrade --version=$VERSION --values=loft.yaml
Loss of Encryption Key

If you lose the encryption key, the secrets data cannot be recovered. You will have to manually delete all shared secrets via kubectl: kubectl delete sharedsecrets.storage.loft.sh -n loft --all