drasi-project · danielgerlag · May 21, 2026 · May 21, 2026
@@ -1642,3 +1642,11 @@ Shopify
 ns
 Handlebars
 Stripe
+ACI
+Hardcoded
+IntelliJ
+KDE
+Keychain
+Keyring
+keyring
+VMs
@@ -55,4 +55,13 @@ description: "Step-by-step instructions for configuring Drasi Server"
       </div>
     </div>
   </a>
+  <a href="configure-secret-stores/">
+    <div class="unified-card unified-card--howto">
+      <div class="unified-card-icon"><i class="fas fa-key"></i></div>
+      <div class="unified-card-content">
+        <h3 class="unified-card-title">Configure Secret Stores</h3>
+        <p class="unified-card-summary">Resolve passwords and tokens from external secret stores</p>
+      </div>
+    </div>
+  </a>
 </div>
@@ -22,6 +22,8 @@ related:
       url: "/drasi-server/how-to-guides/configuration/configure-reactions/"
     - title: "Configure Bootstrap Providers"
       url: "/drasi-server/how-to-guides/configuration/configure-bootstrap-providers/"
+    - title: "Configure Secret Stores"
+      url: "/drasi-server/how-to-guides/configuration/configure-secret-stores/"
     - title: "Install with Docker"
       url: "/drasi-server/how-to-guides/installation/install-with-docker/"
   reference:
@@ -99,6 +101,11 @@ stateStore:
   kind: redb
   path: ./data/state.redb
 
+# Secret store for resolving secret references (optional)
+# secretStore:
+#   kind: file
+#   path: ./secrets.json
+
 # Performance tuning (optional)
 # (if omitted, DrasiLib defaults are used)
 defaultPriorityQueueCapacity: 10000
@@ -146,6 +153,7 @@ Top-level settings in `server.yaml`:
 | `persistConfig` | boolean | `true` | Persist API changes back to the config file (if writable) |
 | `persistIndex` | boolean | `false` | Enable persistent indexes using RocksDB (stored under `./data/<instanceId>/index`) |
 | `stateStore` | object | None | Persist plugin state across restarts (see below) |
+| `secretStore` | object | None | Secret store provider for resolving secret references (see below) |
 | `defaultPriorityQueueCapacity` | integer | None | Default event queue capacity for queries/reactions (if set, overrides DrasiLib defaults) |
 | `defaultDispatchBufferCapacity` | integer | None | Default dispatch buffer capacity for sources/queries (if set, overrides DrasiLib defaults) |
 | `sources` | array | `[]` | Source plugin instances (see: Configure Sources) |
@@ -189,6 +197,43 @@ stateStore:
 
 If `stateStore` is not configured, an in-memory store is used and plugin state is lost on restart.
 
+## Secret Store Configuration
+
+The secret store enables you to keep sensitive values (passwords, API keys, tokens) out of your configuration file. Instead of embedding secrets as plaintext or relying solely on environment variables, you reference named secrets that are resolved at runtime from an external store.
+
+Configure a secret store by adding a `secretStore` field at the top level:
+
+```yaml
+secretStore:
+  kind: file
+  path: ./secrets.json
+```
+
+Then use **secret envelopes** in source or reaction configuration fields:
+
+```yaml
+sources:
+  - kind: postgres
+    id: my-db
+    password:
+      kind: Secret
+      name: DB_PASSWORD    # resolved from the secret store at runtime
+```
+
+Three providers are available:
+
+| Provider | `kind` | Use case |
+|----------|--------|----------|
+| File | `file` | Development/testing — reads from a JSON file |
+| OS Keyring | `keyring` | Local development — uses OS credential manager |
+| Azure Key Vault | `azure-keyvault` | Production on Azure — resolves from Key Vault |
+
+For full provider configuration details, see [Configure Secret Stores]({{< relref "configure-secret-stores" >}}).
+
+{{% alert title="Bootstrap constraint" color="info" %}}
+The `secretStore` configuration itself cannot use secret references (circular dependency). Use literal values or environment variables for the secret store's own fields.
+{{% /alert %}}
+
 ## Performance Tuning
 
 These settings control queue/buffer sizing in DrasiLib. They are most useful for high-throughput workloads or when you want to set consistent defaults across multiple queries/sources.
@@ -547,6 +592,10 @@ DB_PASSWORD=secret123
 
 For production, set environment variables through your deployment platform (Docker, systemd, etc.).
 
+{{% alert title="Tip: Secret stores" color="info" %}}
+For stronger secret management, consider using a [secret store]({{< relref "configure-secret-stores" >}}) instead of (or alongside) environment variables. Secret stores keep credentials in a dedicated vault and prevent them from appearing in environment variable dumps or process listings.
+{{% /alert %}}
+
 ### Separating Concerns with Multiple Config Files
 
 For complex deployments, consider organizing configs by environment: