Version: 2.3

Secrets Encryption

By default, secrets are not encrypted and are stored in plain text (base64 encoded) in the underlying custom resource. You can configure Loft to encrypt the data of shared secrets by specifying an encryption key:

  1. Make sure you have a valid Loft Enterprise subscription.

  2. Edit your existing loft.yaml file or create a new file named loft.yaml with content:

    env:
      SECRETS_ENCRYPTION_KEY: "YOUR_ENCRYPTION_SECRET_KEY"

  3. Set the $VERSION variable to the Loft version you want to upgrade to, or set it to the current version using:

    CHART=$(kubectl get service loft -n loft -o jsonpath='{.metadata.labels.chart}')
    # Drop the first 5 characters of the chart label, leaving the version
    VERSION=${CHART:5}

  4. Upgrade Loft via the Loft CLI:

    loft start --upgrade --version=$VERSION --values=loft.yaml

Loss of Encryption Key

If you lose the encryption key, the secrets data cannot be recovered. You will have to manually delete all shared secrets via kubectl:

    kubectl delete sharedsecrets.storage.loft.sh -n loft --all
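
One way to carry out step 2 on a new installation, added here as an example and not taken from the Loft documentation: it draws a random key and writes loft.yaml readable only by its owner, and it refuses to overwrite an existing file, since replacing a key that is already in use would leave the encrypted shared secrets unrecoverable. The function names and the 32-byte hex key format are assumptions; the page does not state a required key format.

```shell
#!/bin/sh
# Added example, not Loft's own tooling.
# Assumption: a 32-byte random value, hex-encoded, is an acceptable
# SECRETS_ENCRYPTION_KEY. The page does not state a key format.

# Print 64 hex characters drawn from the kernel CSPRNG.
generate_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_values FILE: create FILE with the env block from step 2.
# Only creates a new file. Merging into an existing loft.yaml is left to
# hand editing, so a key that is already in use is never replaced silently.
write_values() {
    file=$1
    if [ -e "$file" ]; then
        echo "refusing to overwrite $file: it may hold the key in use" >&2
        return 1
    fi
    key=$(generate_key) || return 1
    # Guard against a short read or a missing tool in the pipeline above.
    if [ "${#key}" -ne 64 ]; then
        echo "key generation failed" >&2
        return 1
    fi
    (
        umask 077   # file is created with mode 0600 (owner read/write only)
        printf 'env:\n  SECRETS_ENCRYPTION_KEY: "%s"\n' "$key" > "$file"
    )
}

# Usage: write_values loft.yaml
# Store a copy of the key in your secret manager before running step 4.
```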