Workerd Secrets Encryption Question

I'm working on Workerd locally, and I've introduced a secret into my local config.capnp by adding a fromEnvironment binding. I've noticed I can find this binding using both ctx.secrets and ctx.var in the Rust SDK. Does Workerd apply encryption on secret variables, as wrangler does for the Cloudflare server-based environment? If yes, is there anywhere I can find more info on it such as encryption type or where it becomes decryped in my worker based on the Workerd source? Thank you!
8 Replies
Hello, I’m Allie!
As far as I can tell, they are decrypted during load, and then just piped into WorkerD as a regular environment variable
maccabee
maccabeeOP16mo ago
Is there a specific place in the workerd source I can find this?
Hello, I’m Allie!
No, I mean that that is done by an external service. All I can see is that the runtime only accepts regular env bindings, not secrets There might be some other code that decrypts it, but afaik that isn’t public
maccabee
maccabeeOP16mo ago
So this means that workerd only accepts plaintext bindings, correct? So if I used wrangler dev instead of a local workerd, and defined a secret in .dev.vars, that would be encrypted correct?
Hello, I’m Allie!
I wouldn't think so? .dev.vars is there to allow you to define variables that aren't in your wrangler config. But, since it runs locally, I wouldn't see why it would actually encrypt them, since to get the secret, you could just read the file.
maccabee
maccabeeOP16mo ago
Interesting, so I guess the only time your secrets are encrypted would be on cloudflares production environment?
Hello, I’m Allie!
Yes
maccabee
maccabeeOP16mo ago
Ok, thank you guys for all the information 🙂 !
Want results from more Discord servers?
Add your server