DarkDuck encrypts secrets at rest using a local master key. Agent environment variables that contain sensitive values (API keys, tokens) are stored as encrypted secret references.

Default Provider: local_encrypted

Secrets are encrypted with a local master key stored at:
~/.darkduck/instances/default/secrets/master.key
This key is auto-created during onboarding. The key never leaves your machine.
If you lose the master key, all encrypted secrets become unrecoverable. Back up the key file when deploying to production.

Configuration

CLI Setup

Onboarding writes default secrets config:
pnpm darkduck onboard
Update secrets settings:
pnpm darkduck configure --section secrets
Validate secrets config:
pnpm darkduck doctor

Environment Overrides

Variable                            Description
DARKDUCK_SECRETS_MASTER_KEY         32-byte key as base64, hex, or raw string
DARKDUCK_SECRETS_MASTER_KEY_FILE    Custom key file path
DARKDUCK_SECRETS_STRICT_MODE        Set to true to enforce secret refs

Strict Mode

When strict mode is enabled, sensitive env keys (matching *_API_KEY, *_TOKEN, *_SECRET) must use secret references instead of inline plain values.
DARKDUCK_SECRETS_STRICT_MODE=true
Strict mode is recommended for any deployment beyond a trusted local setup. It prevents accidental exposure of sensitive values in agent configuration.

Secret References in Agent Config

Agent environment variables use secret references instead of plain values:
{
  "env": {
    "ANTHROPIC_API_KEY": {
      "type": "secret_ref",
      "secretId": "8f884973-c29b-44e4-8ea3-6413437f8081",
      "version": "latest"
    }
  }
}
The server resolves and decrypts these at runtime, injecting the real value into the agent process environment. The decrypted value is never stored in logs or exposed through the API.

Migrating Inline Secrets

If you have existing agents with inline API keys in their config, migrate them to encrypted secret refs:
pnpm secrets:migrate-inline-env         # dry run
pnpm secrets:migrate-inline-env --apply # apply migration
Run the dry run first to see what would be migrated. The migration identifies sensitive patterns like *_API_KEY and *_TOKEN and converts them to encrypted secret references.

Secret Versioning

When you update a secret’s value, DarkDuck creates a new version. Agents referencing "version": "latest" automatically get the new value on their next heartbeat.
PATCH /api/secrets/{secretId}
{ "value": "sk-ant-new-value..." }
Previous versions are retained for audit purposes but are not accessible through the API.