
Secrets

Enterprise DC/OS Preview Updated: October 17, 2016

Use the Enterprise DC/OS Secret Store to secure important values like private keys, API tokens, and database passwords. You can make these values available to services launched by Marathon as environment variables.

DC/OS stores Secret Store data in ZooKeeper encrypted under an unseal key using the Advanced Encryption Standard (AES) algorithm in Galois Counter Mode (GCM). The Secret Store uses the unseal key to encrypt secrets before sending them to ZooKeeper and to decrypt secrets after receiving them from ZooKeeper. This ensures that secrets are encrypted both at rest and in transit. TLS provides an additional layer of encryption on the secrets in transit from ZooKeeper to the Secret Store.

The unseal key is encrypted under a public GPG key. Requests to the Secrets API return only the encrypted unseal key. When the Secret Store becomes sealed, either manually or due to a failure, the private GPG key must be used to decrypt the unseal key and unseal the Secret Store.

As a convenience, DC/OS automatically generates a new 4096-bit GPG keypair during the bootstrap sequence. It uses this keypair to initialize the Secret Store and stores the keypair in ZooKeeper.
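The two-layer scheme above (secrets encrypted under an unseal key with AES-GCM; the unseal key itself kept only in wrapped form under an asymmetric key, so that sealing means discarding the plaintext unseal key and unsealing means recovering it with the private key) is easier to reason about in code. The following is an added example and not DC/OS code: RSA-OAEP stands in for the GPG keypair, an in-memory map stands in for ZooKeeper, and binding the secret's path into the GCM associated data is a design choice of this example, not something the page states about the Secret Store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Store models the Secret Store's envelope encryption. Records hold
// nonce || AES-GCM ciphertext, i.e. what would be written to ZooKeeper.
type Store struct {
	wrappedUnsealKey []byte            // unseal key encrypted under the public key (RSA-OAEP here, GPG in DC/OS)
	unsealKey        []byte            // plaintext unseal key; nil while the store is sealed
	records          map[string][]byte // secret path -> encrypted record
}

// NewStore generates a fresh 256-bit unseal key and wraps it under pub,
// mirroring initialization with a keypair created at bootstrap.
func NewStore(pub *rsa.PublicKey) (*Store, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte("unseal-key"))
	if err != nil {
		return nil, err
	}
	return &Store{wrappedUnsealKey: wrapped, unsealKey: key, records: map[string][]byte{}}, nil
}

func (s *Store) Sealed() bool { return s.unsealKey == nil }

// Seal drops the plaintext unseal key; only the wrapped copy survives,
// so no secret can be decrypted until someone holding the private key unseals.
func (s *Store) Seal() { s.unsealKey = nil }

// Unseal decrypts the wrapped unseal key with the private key.
func (s *Store) Unseal(priv *rsa.PrivateKey) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.wrappedUnsealKey, []byte("unseal-key"))
	if err != nil {
		return err // wrong key or tampered wrapped key: store stays sealed
	}
	s.unsealKey = key
	return nil
}

func (s *Store) aead() (cipher.AEAD, error) {
	if s.Sealed() {
		return nil, errors.New("secret store is sealed")
	}
	block, err := aes.NewCipher(s.unsealKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts value before it reaches the backing store. The path is used as
// additional authenticated data so a record cannot be silently moved to another path.
func (s *Store) Put(path string, value []byte) error {
	gcm, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	rec := make([]byte, 0, len(nonce)+len(value)+gcm.Overhead())
	rec = append(rec, nonce...)
	s.records[path] = gcm.Seal(rec, nonce, value, []byte(path))
	return nil
}

// Get decrypts a record; it fails while sealed or if the record was altered.
func (s *Store) Get(path string) ([]byte, error) {
	gcm, err := s.aead()
	if err != nil {
		return nil, err
	}
	rec, ok := s.records[path]
	if !ok || len(rec) < gcm.NonceSize() {
		return nil, errors.New("no such secret or corrupt record")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, rec[:n], rec[n:], []byte(path))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the bootstrap GPG keypair
	st, _ := NewStore(&priv.PublicKey)
	_ = st.Put("dev/db-password", []byte("constructed-example-value"))
	st.Seal()
	_, err := st.Get("dev/db-password")
	fmt.Println("read while sealed:", err)
	_ = st.Unseal(priv)
	v, _ := st.Get("dev/db-password")
	fmt.Println("read after unseal:", string(v))
}
```

The point of the model is the asymmetry between the two operations: anyone with access to the store process can seal it (the key is simply forgotten), but only a holder of the private key can unseal it, which is why the page stresses that the private GPG key must be used to recover from a sealed state.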

If you wish to generate your own GPG keypair and store it in an alternate location, you can reinitialize the Secret Store with a custom GPG keypair.

The Secret Store is available in all security modes.

By default, you cannot store a secret larger than one megabyte. If you need to exceed this limit, contact Mesosphere support.

We do not support alternate or additional Secret Stores at this time. You should use only the default Secret Store provided by Mesosphere.

Refer to Logging for information on how to access the logs.

Creating secrets

About controlling access with secret paths

Each secret must have a name. In addition to a name, you can include a path. Including a path allows you to restrict which services can a...

Configuring services to use secrets

About configuring services to use secrets

To deploy an application that uses a secret, a user needs the permission to access Marathon and the permission to deploy services from wit...

Sealing the Secret Store

You may want to manually seal the Secret Store to protect its contents from an intruder. Sealed Secret Stores cannot be accessed from the web interface. Secret values cannot be ret...

Unsealing the Secret Store

About unsealing the Secret Store

The Secret Store can become sealed under the following circumstances. After being manually sealed. After a power outage. A sealed Secret Store cann...

Secrets API

About the Secrets API

The Secrets API allows you to manage secrets and perform some backend functions such as sealing and unsealing the Secret Store. It offers more functionality t...