Secrets Manager
The Secrets Manager lets you store key-value pairs and files securely in your NetActuate account and inject them into VMs at build time or retrieve them at runtime via API. This keeps sensitive values — API keys, tokens, passwords, SSL certificates, configuration files — out of your code repositories and automation templates.
Two Use Patterns
Build-Time Injection
Reference secrets in cloud-init scripts using the template variable syntax:
${{secret.KEY_NAME}}
NetActuate evaluates the variable during VM initialization and substitutes the real value. The secret is never hard-coded in your scripts or images.
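A pre-deployment check for the pattern above, as an added example (not NetActuate's code): it scans a cloud-init script for `${{secret.KEY_NAME}}` references that match no known key, and for credential-like assignments that still carry a literal value. The function name, the key-name character set, the sample script and the key set are assumptions made for this illustration.

```python
import re

# Reference syntax from the page: ${{secret.KEY_NAME}}.
# Assumption: key names use letters, digits and underscores only.
SECRET_REF = re.compile(r"\$\{\{secret\.([A-Za-z0-9_]+)\}\}")
# Heuristic (assumption): credential-like names in NAME=value or name: value form.
ASSIGNMENT = re.compile(
    r"\b([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY)[A-Z0-9_]*)"
    r"\s*[=:]\s*[\"']?([^\s\"']+)",
    re.IGNORECASE,
)


def lint_template(text, known_keys):
    """Return (line_no, kind, detail) findings for one cloud-init script."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        # A reference to a key that does not exist would not be substituted
        # with the intended value, so report it before deployment.
        for key in SECRET_REF.findall(line):
            if key not in known_keys:
                findings.append((no, "undefined-reference", key))
        m = ASSIGNMENT.search(line)
        if m:
            value = m.group(2)
            # Values built from a secret reference or a shell variable are
            # not literals; anything else is treated as hard-coded.
            if not SECRET_REF.search(value) and not value.startswith("$"):
                findings.append((no, "hard-coded-value", m.group(1)))
    return findings


# Constructed sample: key names and values are made up for this example.
KNOWN_KEYS = {"DB_PASSWORD", "API_TOKEN"}
SAMPLE = """#!/bin/sh
umask 077
echo "DB_PASSWORD=${{secret.DB_PASSWORD}}" > /etc/app/db.env
echo "API_TOKEN=${{secret.API_TOKNE}}" >> /etc/app/db.env
export SMTP_PASSWORD="example-not-a-real-password"
"""

if __name__ == "__main__":
    for no, kind, detail in lint_template(SAMPLE, KNOWN_KEYS):
        print(f"line {no}: {kind}: {detail}")
```

Populate the known-key set from your own inventory of secret keys; because keys are unique across the account, a flat set is enough.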
Runtime API Retrieval
After a VM is running, it can call the NetActuate API to retrieve secrets without storing an API key on the VM. To enable this:
- Navigate to Account → API.
- Enable Allow VMs to authenticate.
This is an account-wide toggle. Once enabled, VMs identify themselves to the API automatically — no API key needs to be stored on the VM. This is particularly useful for stateless OS images like Talos and NixOS that use declarative configuration.
Secret Types
- Key-value pair (string) — API keys, passwords, database connection strings, tokens, or any text value
- File — SSL/TLS certificates, configuration files, or other binary content
Encryption
Secrets are encrypted at rest. NetActuate manages the encryption key. Customer-managed encryption keys are a planned future enhancement.
Organization
Secrets are organized into Secret Lists — named containers that hold one or more secrets. You first create a list, then add key-value pairs inside it. An account can have multiple lists, organized by environment, project, or team. Secret keys must be unique across the entire account, not just within a single list.
Managing Secrets
Navigate to Platform → Secrets to create and manage your secrets.
Secret Lists
The main secrets page shows all secret lists. From here you can create new lists or delete existing ones.
Inside a List
Click into a secret list to expand the secrets sidebar, which shows:
- List identifier — useful for referencing the list in API calls and automation
- List name — the display name of the list
- Secret key-value pairs — all secrets stored in the list
Working with Secrets
- Add a new secret — specify a key name and value, or import the value from a file (useful for SSL certificates and other file-based secrets)
- View a secret — click the eye icon to reveal the secret value
- Edit a secret — update the value of an existing secret
- Delete a secret — remove an individual secret from the list
- Delete a list — remove an entire secret list from the main secrets page
For a step-by-step walkthrough, see the How-To Guide. To manage secrets programmatically, see the Secrets API Reference.
Related Sections
- Deploying a Virtual Machine — VM deployment walkthrough including the init script step
- Secrets API Reference — manage secrets programmatically
Need Help?
Contact support@netactuate.com or open a support ticket from the portal.