Secrets Management
Where secrets live and how they are handled safely.
Storage Locations
- Global env file:
~/ravenhelm/secrets/.env - Service env files:
~/ravenhelm/services/<service>/.env - Vault (OpenBao):
https://vault.ravenhelm.dev
Practices
- Never commit secrets to git.
- Use
chmod 600on secret files. - Rotate credentials regularly (database, OAuth, API keys).
- Prefer short-lived tokens where possible.
OpenBao Notes
OpenBao provides a centralized secrets store and encryption services for applications that support it.
Related
- Operations/Secrets - Operational runbook
- Security/Hardening