Secret Precedence
When secrets with the same name exist at different levels, they follow a strict precedence order:- User Secrets - Highest precedence
- Project Secrets - Middle precedence
- Organization Secrets - Lowest precedence
- User secrets override both project and organization secrets with the same name and mount
- Project secrets override organization secrets with the same name
- Organization secrets have the lowest priority
Encryption of Secrets
All secrets you create are protected with industry-standard encryption. Secrets can only be retrieved by environments created from your projects (for Project secrets) or your user (for User secrets). We useAES256-GCM to encrypt all secrets at rest in the database, with an additional layer of protection through AWS RDS encryption. This dual-layer approach ensures your sensitive data remains secure both at the application level and infrastructure level. In transit, all secrets are encrypted using TLS.
Ona employees do not have access to the encryption keys and cannot decrypt your secrets.
Secrets and environment lifecycle
Restarting an environment picks up updates to existing secrets but does not inject newly added secrets. To access a secret that was created after the environment was started, stop/delete the environment and create a new one.Using secrets during builds
Organization and project secrets are automatically available during Dev Container image builds via BuildKit secret mounts. No changes todevcontainer.json are needed. Your Dockerfile controls which RUN steps can access them using --mount=type=secret.
For setup instructions and examples, see Using secrets during builds.
Types of secrets
- Environment Variables - Key-value pairs injected into your environment
- Files - Entire files (certificates, config files) injected into your environment
- Container Registry Secrets - Authentication for private container registries