Keep CircleCI Secrets Safe and In Sync

Use the orb to securely load secrets into CircleCI jobs with just a few lines of code.

secrethub/cli@1.0.0

Good CI/CD Deserves Good Secret Management

Every CI/CD pipeline needs secrets to connect to other services, but you don’t want to expose secrets in logs, manually enter them in a GUI, or have jobs failing due to configuration errors.

The Solution

Replace secret values with reference tags

Collect all secrets from your CircleCI environment and use the SecretHub CLI to safely store them in a centralized location.


Simply add secrethub:// reference tags to your job in either your .circleci/config.yml file or in CircleCI Contexts, to automatically load secrets at runtime:
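A config of this shape, added here as an illustration and not taken from the original page. The `company/app/...` secret paths and `./deploy.sh` are hypothetical. It assumes the orb's `secrethub/exec` command and a `SECRETHUB_CREDENTIAL` variable, set in the CircleCI project settings or a Context, that authenticates the job to SecretHub.

```yaml
# .circleci/config.yml (illustrative example, not from the original page)
version: 2.1

orbs:
  # Orb version as named on this page.
  secrethub: secrethub/cli@1.0.0

jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    # Secrets are declared next to the job that uses them, so they are scoped
    # to this job only. The values below are references, not secrets: the file
    # can be committed, reviewed and branched like any other code.
    environment:
      AWS_REGION: us-east-1
      # Hypothetical secret paths; replace with paths from your own repository.
      AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
      AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
    steps:
      - checkout
      # secrethub/exec resolves every secrethub:// reference in the environment
      # at runtime and passes the real values only to this command.
      # Authentication comes from SECRETHUB_CREDENTIAL, which is the one value
      # still stored in CircleCI itself (assumed to be set outside this file).
      - secrethub/exec:
          command: ./deploy.sh   # hypothetical deploy script
      # A plain run step does not go through secrethub/exec, so here the
      # variables still hold the secrethub:// reference strings, not secrets.
      - run: echo "deploy finished"

workflows:
  release:
    jobs:
      - deploy
```

Steps outside `secrethub/exec` see only the reference strings, so a command that does not need the AWS keys never receives them.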


A single source of truth, codified and version controlled

  • No hidden pipeline dependencies: secrets explicitly declared in the same file as the job
  • No more manually syncing the CircleCI Environment Variables GUI
  • Easier pipeline development because secret definitions can be branched too

[Image: CircleCI log UI with AWS_SECRET_ACCESS_KEY value masked]

Prevent accidents and leaks

  • Scope secrets to a single command or job, instead of the entire CircleCI config
  • All secret values are automatically masked from log output

[Image: Audit log of a CircleCI job loading a Docker password]

Control & monitor when your CircleCI job reads secrets

Every time your CircleCI job starts, its secret reads are recorded in the audit log. Restrict the job's access to only the secrets it needs, and know that you can revoke that access with a single command.

Why SecretHub?

  • All secrets are end-to-end encrypted, access controlled, and auditable
  • A single source of truth to keep all systems, apps, and services in sync
  • No operations and maintenance overhead in hosting a complex secret server

Unify secret management across all software delivery phases

You don't have to reinvent the wheel for every platform that needs to consume secrets. Use a single tool to keep secrets safe and in sync across your entire stack.