Secrets Management

Secrets are encrypted at rest using age. The Python side uses pyrage for decryption.

Setup

# Generate an age key pair (one-time)
mkdir -p ~/.age
# age-keygen writes the private identity (AGE-SECRET-KEY-1...) to key.txt and
# prints the public key ("Public key: age1...") on stderr, which is captured to key.pub
age-keygen -o ~/.age/key.txt 2> ~/.age/key.pub

Encrypting Secrets

# Encrypt a .env file
./scripts/encrypt-secret.sh secrets/anthropic.env

This produces secrets/anthropic.env.enc and deletes the plaintext file.

Key Location

The decryption key path defaults to ~/.age/key.txt. Override with the AGE_IDENTITY environment variable:

export AGE_IDENTITY=/path/to/key.txt

.env File Format

The .env format supports KEY=value, quoted values, and comments:

ANTHROPIC_API_KEY=sk-ant-...
GOOGLE_CREDENTIALS_JSON='{"refresh_token": "...", "client_id": "...", "client_secret": "..."}'

How Secrets Are Used

  1. Task YAML files reference encrypted secrets: secrets: secrets/gcal.env.enc
  2. At runtime, the orchestrator decrypts the file using the age key
  3. Decrypted values are injected as environment variables into the executor process
  4. The LLM never sees the decrypted secrets — only executors receive them
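The .env parsing rules above and the decrypt-then-inject flow, as an added example (not the project's own orchestrator code). It assumes the pyrage API `pyrage.x25519.Identity.from_str` / `pyrage.decrypt(ciphertext, identities)`, and the sample .env text is constructed:

```python
from __future__ import annotations

import os
import subprocess
from pathlib import Path

DEFAULT_IDENTITY = Path.home() / ".age" / "key.txt"

# Constructed sample, not a real credential
SAMPLE_ENV = """\
# comment lines are ignored
ANTHROPIC_API_KEY=sk-ant-example
GOOGLE_CREDENTIALS_JSON='{"refresh_token": "r", "client_id": "c"}'
REGION=us-east-1 # inline comment after an unquoted value
"""


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=value lines; supports quoted values and # comments."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not an assignment
        key, value = key.strip(), value.strip()
        if value[:1] in ("'", '"'):
            # Quoted value: everything up to the last matching quote, so JSON
            # containing '=' or '#' is kept intact.
            end = value.rfind(value[0])
            value = value[1:end] if end > 0 else value[1:]
        else:
            value = value.split(" #", 1)[0].rstrip()  # drop inline comment
        env[key] = value
    return env


def load_identity(path: str | os.PathLike | None = None):
    """Read the age identity from AGE_IDENTITY or ~/.age/key.txt (skips # lines)."""
    from pyrage import x25519  # assumed API
    ident_path = Path(path or os.environ.get("AGE_IDENTITY", DEFAULT_IDENTITY))
    for line in ident_path.read_text().splitlines():
        if line.strip() and not line.startswith("#"):
            return x25519.Identity.from_str(line.strip())
    raise ValueError(f"no AGE-SECRET-KEY line in {ident_path}")


def decrypt_env(enc_path: str | os.PathLike, identity) -> dict[str, str]:
    """Decrypt secrets/*.env.enc in memory; plaintext never touches disk."""
    import pyrage  # assumed API: pyrage.decrypt(bytes, [identity]) -> bytes
    return parse_dotenv(pyrage.decrypt(Path(enc_path).read_bytes(), [identity]).decode())


def run_executor(cmd: list[str], secrets: dict[str, str]) -> int:
    """Inject decrypted values only into the executor process environment."""
    return subprocess.run(cmd, env={**os.environ, **secrets}, check=False).returncode
```

Only the executor subprocess receives the merged environment; the orchestrator keeps the dict in memory and nothing is passed to the LLM context.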