docs: Document rofl secret and update deploy

matevz · matevz · commit c2132e522b45 · 2025-06-13T14:12:30.000+02:00
diff --git a/docs/rofl.md b/docs/rofl.md
@@ -99,32 +99,60 @@ chapter for details.
 [ROFL Prerequisites]: https://github.com/oasisprotocol/oasis-sdk/blob/main/docs/rofl/prerequisites.md
 [npa]: ./account.md#npa
 
-## Update ROFL app config {#update}
-
-Use `rofl update` command to update the ROFL app's configuration on chain:
+## Secrets management {#secret}
 
-![code shell](../examples/rofl/update.in.static)
+### `set` {#secret-set}
 
-![code shell](../examples/rofl/update.out.static)
+Run `rofl secret set <secret_name> <filename>|-` command to end-to-end encrypt a
+secret with a key derived from the selected deployment network and store it to
+the manifest file.
 
-## Remove ROFL app from the network {#remove}
+If you have your secret in a file, run:
 
-Run `rofl remove` to deregister your ROFL app:
+![code shell](../examples/rofl/secret-set-file.in.static)
 
-![code shell](../examples/rofl/remove.in.static)
+You can also feed the secret from a standard input like this:
 
-![code](../examples/rofl/remove.out.static)
+![code shell](../examples/rofl/secret-set-stdin.in.static)
 
-The deposit required to register the ROFL app will be returned to the current
-administrator account.
+Once the secret is encrypted and stored, **there is no way of obtaining it back
+again apart from within the TEE on the designated ROFL deployment**.
 
-:::danger Secrets will be permanently lost
+:::danger Shells store history
 
-All secrets stored on-chain will be permanently lost when the ROFL app will be
-deregistered.
+Passing secrets as a command line argument will store them in your shell history
+file as well! Use it for testing only. In production, always use file-based
+secrets.
 
 :::
 
+### `get` {#secret-get}
+
+Run `rofl secret get <secret-name>` to check, whether the secret exists in your
+manifest file.
+
+![code shell](../examples/rofl/secret-get.in.static)
+
+![code](../examples/rofl/secret-get.out.static)
+
+### `rm` {#secret-rm}
+
+Run `rofl secret rm <secret-name>` to remove the secret from your manifest file.
+
+![code shell](../examples/rofl/secret-rm.in.static)
+
+## Update ROFL app config {#update}
+
+Use `rofl update` command to push the ROFL app's configuration to the chain:
+
+![code shell](../examples/rofl/update.in.static)
+
+![code shell](../examples/rofl/update.out.static)
+
+The current on-chain policy, metadata and secrets will be replaced with the ones
+in the manifest file. Keep in mind that ROFL replicas need to be restarted in
+order for changes to take effect.
+
 ## Show ROFL information {#show}
 
 Run `rofl show` to obtain the information from the network on the ROFL admin
@@ -136,10 +164,38 @@ account, staked amount, current ROFL policy and running instances:
 
 ## Deploy ROFL app {#deploy}
 
-Run `rofl deploy` to automatically deploy your app to the provider on-chain.
+Run `rofl deploy` to automatically deploy your app to a machine obtained from
+the [ROFL marketplace]. If a machine is already hosting your ROFL app a new
+version will be deployed there. If no machines are rented yet, you can use the
+following arguments to select a specific provider and offer:
+
+- `--provider <address>` specifies the provider to rent the machine from. On
+  Sapphire Testnet, the Oasis-managed provider will be selected by default.
+- `--offer <offer_name>` specifies the offer of the machine to rent. Run
+  `--show-offers` to obtain offer names and specifications.
+
+[ROFL marketplace]: https://github.com/oasisprotocol/oasis-sdk/blob/main/docs/rofl/features/marketplace.mdx
 
 ## Advanced
 
+### Remove ROFL app from the network {#remove}
+
+Run `rofl remove` to deregister your ROFL app:
+
+![code shell](../examples/rofl/remove.in.static)
+
+![code](../examples/rofl/remove.out.static)
+
+The deposit required to register the ROFL app will be returned to the current
+administrator account.
+
+:::danger Secrets will be permanently lost
+
+All secrets stored on-chain will be permanently lost when the ROFL app will be
+deregistered.
+
+:::
+
 ### Show ROFL identity {#identity}
 
 Run `rofl identity` to compute the **cryptographic identity** of the ROFL app:
diff --git a/examples/rofl/secret-get.in.static b/examples/rofl/secret-get.in.static
@@ -0,0 +1 @@
+oasis rofl secret get MY_SECRET
diff --git a/examples/rofl/secret-get.out.static b/examples/rofl/secret-get.out.static
@@ -0,0 +1,2 @@
+Name:        MY_SECRET
+Size:        156 bytes
diff --git a/examples/rofl/secret-rm.in.static b/examples/rofl/secret-rm.in.static
@@ -0,0 +1 @@
+oasis rofl secret rm MY_SECRET
diff --git a/examples/rofl/secret-set-file.in.static b/examples/rofl/secret-set-file.in.static
@@ -0,0 +1 @@
+oasis rofl secret set MY_SECRET mysecret.txt
diff --git a/examples/rofl/secret-set-stdin.in.static b/examples/rofl/secret-set-stdin.in.static
@@ -0,0 +1 @@
+echo -n "this-is-a-very-secret-value-here" | oasis rofl secret set MY_SECRET -

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+oasis rofl secret set MY_SECRET mysecret.txt`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+echo -n "this-is-a-very-secret-value-here" \| oasis rofl secret set MY_SECRET -`