Use the DC/OS Enterprise Secret Store to secure sensitive information such as private keys, API tokens, and database passwords. You can expose these values to authorized services launched by Marathon as environment variables.
DC/OS stores Secret Store data in ZooKeeper, encrypted under an unseal key with the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM). The Secret Store uses the unseal key to encrypt secrets before writing them to ZooKeeper and to decrypt them after reading them back, so ZooKeeper only ever holds ciphertext: secrets are encrypted at rest and on the path between the Secret Store and ZooKeeper. TLS adds a second, independent layer of encryption on that connection.
The unseal key is itself encrypted under a GPG public key, and requests to the Secrets API return only this encrypted form. When the Secret Store becomes sealed, whether manually or because of a failure, the corresponding GPG private key is required to decrypt the unseal key and unseal the Secret Store.
As a convenience, DC/OS generates a new 4096-bit GPG keypair during the bootstrap sequence, uses it to initialize the Secret Store, and stores the keypair in ZooKeeper. This places the private key in the same backend as the encrypted data; if you want to control the keypair yourself, reinitialize the Secret Store with a custom GPG keypair (see below).
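The two-layer scheme described above, written out as an added example that is not DC/OS code: secrets are encrypted with AES-256-GCM under a random unseal key, the unseal key is kept only in wrapped form under an asymmetric public key, sealing discards the plaintext unseal key, and unsealing needs the private key. RSA-OAEP from the Go standard library stands in for GPG, an in-memory map stands in for ZooKeeper, and the names Store, Init, Seal, Unseal, Put and Get, the secret path and the sample value are all constructed for the example. The model also shows the sealed state that the Sealing and Unsealing sections below refer to: every encrypt or decrypt request is refused until the store has been unsealed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrSealed is returned for any encrypt/decrypt request made while the store is sealed.
var ErrSealed = errors.New("secret store is sealed")

// Store models the scheme: secrets are encrypted under a symmetric unseal key
// (AES-256-GCM); the unseal key is held only in wrapped form under a public key.
// DC/OS wraps it with GPG; RSA-OAEP stands in here. The map stands in for
// ZooKeeper and only ever holds ciphertext (hypothetical names throughout).
type Store struct {
	backend          map[string][]byte
	wrappedUnsealKey []byte      // the only form the Secrets API hands out
	aead             cipher.AEAD // nil while sealed
}

// Init generates a fresh unseal key, wraps it under pub and returns an unsealed store.
func Init(pub *rsa.PublicKey) (*Store, error) {
	unsealKey := make([]byte, 32)
	if _, err := rand.Read(unsealKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, unsealKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(unsealKey)
	if err != nil {
		return nil, err
	}
	return &Store{backend: map[string][]byte{}, wrappedUnsealKey: wrapped, aead: aead}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal discards the plaintext unseal key; only the wrapped copy survives.
// Sealed reports whether the store currently refuses to encrypt or decrypt.
func (s *Store) Seal()        { s.aead = nil }
func (s *Store) Sealed() bool { return s.aead == nil }

// Unseal recovers the unseal key with the private half of the keypair.
func (s *Store) Unseal(priv *rsa.PrivateKey) error {
	unsealKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.wrappedUnsealKey, nil)
	if err != nil {
		return fmt.Errorf("unseal: %w", err)
	}
	s.aead, err = newGCM(unsealKey)
	return err
}

// Put encrypts value under the unseal key and stores nonce||ciphertext. The
// secret's path is bound as additional authenticated data, so a ciphertext
// copied to another path fails authentication instead of decrypting.
func (s *Store) Put(path string, value []byte) error {
	if s.Sealed() {
		return ErrSealed
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.backend[path] = append(nonce, s.aead.Seal(nil, nonce, value, []byte(path))...)
	return nil
}

// Get reads nonce||ciphertext from the backend and decrypts it under the unseal key.
func (s *Store) Get(path string) ([]byte, error) {
	if s.Sealed() {
		return nil, ErrSealed
	}
	blob, ok := s.backend[path]
	n := s.aead.NonceSize()
	if !ok || len(blob) < n {
		return nil, fmt.Errorf("no usable secret at %q", path)
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(path))
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the bootstrap GPG keypair
	store, _ := Init(&priv.PublicKey)
	_ = store.Put("db/password", []byte("constructed-sample-password"))
	store.Seal()
	_, err := store.Get("db/password")
	fmt.Println("while sealed:", err)
	_ = store.Unseal(priv)
	v, _ := store.Get("db/password")
	fmt.Println("after unseal:", string(v))
}
```

The point to take from the model is what a reader of ZooKeeper sees: only nonce-prefixed AES-GCM ciphertext and an RSA-wrapped unseal key, neither of which is useful without the private key. Binding the path as additional authenticated data is a design choice of the example, not a documented DC/OS behaviour.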
The Secret Store is available in all security modes.
By default, you cannot store a secret larger than one megabyte. If you need to exceed this limit, contact Mesosphere support.
We do not support alternate or additional Secret Stores at this time. You should use only the default Secret Store provided by Mesosphere.
Refer to Logging for information on how to access the logs.
Each secret must have a name. In addition to a name, you can include a path. Including a path lets you restrict which services can access the secret; if you provide only a name and no path, all services have access. The secret creation documentation provides a table of examples showing how this works.
Configuring services to use secrets
To deploy an application that uses a secret, a user needs permission to access Marathon and permission to deploy services within the designated service group.
Sealing the Secret Store
You may want to seal the Secret Store manually to protect its contents from an intruder.
Unsealing the Secret Store
The Secret Store can become sealed in several circumstances, either manually or as the result of a failure, and must then be unsealed with the GPG private key.
Reinitializing the Secret Store with a custom GPG keypair
Secrets API
The Secrets API allows you to manage secrets and perform backend operations such as sealing and unsealing the Secret Store. It offers more functionality than the DC/OS web interface.