
Secrets Management

Overview

Secrets in Swiftor are encrypted environment variables accessible within your VMs. Use them to store sensitive data like API keys, passwords, and tokens securely.

Wizard Overview

Managing Secrets

Adding Secrets

The secrets manager shows a table with all your VM secrets:

| Column | Description |
| --- | --- |
| VM | Target virtual machine |
| Key | Environment variable name |
| Value | Secret value (encrypted) |
| Actions | Copy/Delete options |

[gif: Adding a new secret]

Bulk Import

Use the JSON editor for bulk secret management:

```json
{
  "vm-id": {
    "API_KEY": "your-api-key",
    "DB_PASSWORD": "database-password",
    "JWT_SECRET": "jwt-secret-key"
  }
}
```

JSON Format

Each VM can have multiple key-value pairs. All values must be strings.
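
A pre-flight check for a bulk-import document before it goes into the JSON editor, written for this page as an added example and not Swiftor's own code. It enforces the string-only rule, rejects duplicate keys that a JSON parser would otherwise silently collapse, and reports problems without echoing any secret value. The key-name pattern and the function names are assumptions.

```python
import json
import re

# POSIX-style environment variable name. This is an assumption: the page
# does not state which key names Swiftor accepts.
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _reject_duplicates(pairs):
    """object_pairs_hook: json.loads would otherwise keep only the last duplicate."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen[key] = value
    return seen


def validate_bulk_import(text):
    """Return a list of problems in a bulk-import document (empty list = OK)."""
    try:
        doc = json.loads(text, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return [f"invalid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level must be an object mapping VM ids to secrets"]
    problems = []
    for vm_id, secrets in doc.items():
        if not isinstance(secrets, dict):
            problems.append(f"{vm_id}: expected an object of key-value pairs")
            continue
        for key, value in secrets.items():
            if not ENV_NAME.fullmatch(key):
                problems.append(f"{vm_id}.{key}: not a valid environment variable name")
            if not isinstance(value, str):
                # Report the type only, never the value, so secrets stay out of logs.
                problems.append(
                    f"{vm_id}.{key}: value must be a string, got {type(value).__name__}")
    return problems


# Constructed sample input (not real credentials).
SAMPLE = '{"vm-id": {"API_KEY": "k", "PORT": 8080, "my-key": "x", "DEBUG": true}}'

if __name__ == "__main__":
    for problem in validate_bulk_import(SAMPLE):
        print(problem)
```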

Accessing Secrets

Your secrets are available as environment variables inside the VM. Here's how to access them in different languages:

Bash

```bash
# Read API key (this prints it to the terminal)
echo "$API_KEY"

# Use in commands
curl -H "Authorization: Bearer $API_KEY" https://api.example.com
```

Python

```python
import os

# Get single secret (os.getenv returns None if the variable is not set)
api_key = os.getenv('API_KEY')

# Get multiple secrets
config = {
    'db_user': os.getenv('DB_USER'),
    'db_pass': os.getenv('DB_PASSWORD')
}
```

JavaScript/Node.js

```javascript
// Access secrets
const apiKey = process.env.API_KEY;
const dbConfig = {
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD
};
```

Security Notes

Security Considerations

  • Secrets are encrypted at rest
  • Only accessible within the VM
  • Not visible in VM logs
  • Automatically rotated on VM rebuild

Common Use Cases

API Configuration

```yaml
API_KEY: your-api-key
API_SECRET: your-api-secret
API_ENDPOINT: https://api.service.com
```

Database Credentials

```yaml
DB_HOST: database.host
DB_USER: admin
DB_PASSWORD: secure-password
```

JWT Authentication

```yaml
JWT_SECRET: your-jwt-secret
JWT_EXPIRY: 24h
```

Best Practices

  • Use clear, descriptive key names
  • One secret per value
  • Rotate secrets regularly
  • Keep track of which VMs use which secrets

Additional Capabilities

Secrets enable the use of Docker Mods, which are tarballs of files stored on Docker Hub and/or GitHub Container Registry. These mods are downloaded and extracted on container boot, before any init logic is run.

A Docker Mod can be specified as a single endpoint in the format user/endpoint:tag, or as a list of endpoints separated by |, such as user/endpoint:tag|user2/endpoint2:tag.

Useful Use Cases:

Preinstalling Node.js and npm

To preinstall Node.js and npm, set DOCKER_MODS=linuxserver/mods:code-server-nodejs|linuxserver/mods:code-server-npmglobal. NODEJS_MOD_VERSION can be set to 16, 18, or 20; the minimum and the default are both 16.

Mods List

| Image | Container Mods |
| --- | --- |
| calibre-web | calibre dtrpg-metadata kcc |
| code-server | awscli docker docker-in-docker dotnet extension-arguments flutter golang java11 julia nodejs npmglobal nvm php php8 php-cli pnpm powershell prolog python3 python3-poetry r ros2 rust scikit-learn shellcheck ssl svn terraform zsh |
| emby | mediainfo-plugin |
| firefox | fonts |
| homeassistant | hacs |
| jellyfin | amd opencl-intel rffmpeg |
| lazylibrarian | calibre ffmpeg |
| lidarr | flac2mp3 |
| netbox | slurpit |
| nextcloud | mediadc memories notify-push |
| nginx | auto-reload crowdsec imagemagick ioncube proxy-confs |
| openssh-server | autossh git rsync ssh-tunnel |
| openvscode-server | awscli docker docker-in-docker dotnet extension-arguments flutter golang java11 julia nodejs npmglobal nvm php php8 php-cli pnpm powershell prolog python3 python3-poetry r ros2 rust scikit-learn shellcheck ssl svn terraform zsh |
| plex | absolute-hama audnexus |
| projectsend | translations |
| radarr | striptracks |
| sonarr | striptracks |
| swag | auto-proxy auto-reload auto-uptime-kuma cloudflare-real-ip crowdsec dashboard dbip ffmpeg geoip2influx imagemagick ioncube maxmind |
| transmission | env-var-settings floodui transmissionic transmission-web-control trguing |
| universal | apprise calibre cloudflared cron docker docker-in-docker git internationalization package-install stdout-logs tshoot unrar6 |