Secrets
Secrets are encrypted key-value pairs for storing sensitive configuration — database passwords, API keys, tokens, and any other values your container needs that should not be stored in plaintext.
Creating a secret
A secret has:
| Field | Description |
| --- | --- |
| Handle | A unique identifier within the project (e.g. database-password). This becomes the environment variable name inside the container. |
| Value | The sensitive value to store (e.g. s3cr3t-p4ssword). Encrypted immediately on submission. |
How secret handles become environment variable names
The secret's handle is transformed into an environment variable name when injected into a container:
- Hyphens (-) become underscores (_)
- The name is uppercased
Examples:
| Handle | Environment variable |
| --- | --- |
| database-password | DATABASE_PASSWORD |
| stripe-api-key | STRIPE_API_KEY |
| redis-url | REDIS_URL |
Your application reads the value using the transformed name:
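```python
import os

# Handle "database-password" is injected as DATABASE_PASSWORD.
# Raises KeyError if the secret is not linked to this container.
db_password = os.environ['DATABASE_PASSWORD']
```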
How secrets are stored
Secrets are encrypted using AES-256 before being stored. The plaintext value is never persisted anywhere in Bahriya's infrastructure — it is decrypted only at deployment time, inside a secure isolated environment, and applied directly to your running container.
Linking secrets to containers
Creating a secret does not automatically inject it into any container. You must explicitly link a secret to a container when creating or editing it. Only linked secrets are injected as environment variables.
A single secret can be linked to multiple containers within the same project.
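A startup check that combines the handle-to-name rule with the linking requirement, so a container fails fast when an expected secret was not injected. This is an added example, not Bahriya's own code: the function names, the `MissingSecrets` exception and the sample values are hypothetical, and the collision check assumes handles could differ only by case or by `-` versus `_`, which the page does not specify.

```python
import os
from collections import defaultdict


class MissingSecrets(RuntimeError):
    """Raised when expected secrets were not injected into the container."""


def env_name(handle: str) -> str:
    # Documented rule: hyphens become underscores, then the name is uppercased.
    return handle.replace("-", "_").upper()


def find_collisions(handles):
    # Handles differing only by case or "-" vs "_" would share one variable name.
    by_name = defaultdict(list)
    for handle in handles:
        by_name[env_name(handle)].append(handle)
    return {name: hs for name, hs in by_name.items() if len(hs) > 1}


def load_secrets(handles, environ=None):
    """Return {handle: value}; fail fast, naming only variables, never values."""
    environ = os.environ if environ is None else environ
    collisions = find_collisions(handles)
    if collisions:
        raise ValueError(f"handles map to the same variable: {collisions}")
    missing = [env_name(h) for h in handles if not environ.get(env_name(h))]
    if missing:
        raise MissingSecrets(
            "not injected (is the secret linked to this container?): "
            + ", ".join(sorted(missing))
        )
    return {h: environ[env_name(h)] for h in handles}


if __name__ == "__main__":
    # Constructed sample environment: only one of the two secrets is linked.
    sample_env = {"DATABASE_PASSWORD": "constructed-value"}
    print(sorted(load_secrets(["database-password"], sample_env)))
    try:
        load_secrets(["database-password", "stripe-api-key"], sample_env)
    except MissingSecrets as exc:
        print(exc)  # names the missing variable only
```

The error message lists variable names only, so it is safe to emit to deployment logs.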
Updating a secret value
You can update a secret's value at any time. The change does not take effect in running containers until the next deployment. To apply the new value immediately, trigger a redeployment by making any change to the container (or re-saving it without changes to force a deploy).
Deleting a secret
Deleting a secret removes it from Bahriya and from all regions. Before deleting, unlink it from any containers that reference it — those containers will fail on next deployment if they reference a secret that no longer exists.
Secrets vs plain environment variables
| | Secrets | Plain env vars |
| --- | --- | --- |
| Encrypted at rest | Yes | No |
| Visible in Bahriya console | No (value hidden) | Yes |
| Accessible to | Only containers linked to the secret | Any container in the project |
| Use for | Passwords, tokens, keys | Config, URLs, flags |
Use secrets for anything you wouldn't want visible in logs or your source code. Use plain environment variables for non-sensitive configuration.