Incus OS Secrets Management

I plan to use Incus OS in the future. I am using a current version of Incus today. I want to be able to reason about container secrets. Here are my thoughts:

Does anyone actively manage secrets related to the following? If so, will you offer a quick/bulleted description of your process? A quick dive into the Incus docs did not uncover anything obvious.

In Incus today:

  • I can write/execute a host script to temporarily add a secret in a root-only location in a container/guest.
  • I can then do things in the container that require secrets
  • Something somewhere will remove the secret (host/guest/etc…)

In Incus OS tomorrow:

  • I will not have the above ability
  • I will need an api call to allow me to inject a collection of secrets to a known location.

I ignorantly believe the following:

  • age would be the preferred encryption tool (either age or ed25519) for simple scenarios
  • openbao would be the better solution for more advanced scenarios

Note: I use nixos to deploy production resources. This is not really relevant to the topic; however, I wanted to mention just in case.

Thank you for your time and attention!

Chuck

Can’t you use incus file push to directly push a file into the container, then read it from there and delete it either from inside the container or through incus file delete?
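The push, use, delete flow suggested above, written out as a host-side shell script. This is an added example, not code from the thread or from the Incus project. The instance name c1, the guest path and the deploy command in the usage comment are illustrative assumptions; the incus file push options used (--create-dirs, --mode, --uid, --gid) and incus file delete are the CLI's own. The script keeps the host-side temporary copy 0600 from creation, pushes it as a root-only file, runs the command that needs it, and deletes the guest copy even when that command fails.

```shell
#!/usr/bin/env bash
# Added example (not from the forum thread or Incus): deliver a secret to a
# container as a root-only file, run a command that needs it, then remove it.
# Assumes the `incus` CLI is on PATH and the instance already exists.
set -eu

# Upload local file $2 to instance $1 at guest path $3, readable by root only.
push_secret() {
  local instance=$1 src=$2 dest=$3
  # Target syntax is <instance>/<path>; $dest is an absolute guest path.
  incus file push --create-dirs --mode 0600 --uid 0 --gid 0 "$src" "${instance}${dest}"
}

# Remove the secret from the guest; never let cleanup abort the caller.
delete_secret() {
  local instance=$1 dest=$2
  incus file delete "${instance}${dest}" || true
}

# Run "$@" inside instance $1 with secret $2 present at guest path $3,
# deleting the guest copy afterwards. Returns the command's exit status.
with_secret() {
  local instance=$1 secret_value=$2 dest=$3
  shift 3
  local tmp rc=0
  tmp=$(umask 077 && mktemp)          # host copy is 0600 from the moment it exists
  printf '%s' "$secret_value" > "$tmp"
  push_secret "$instance" "$tmp" "$dest"
  rm -f "$tmp"                        # host copy is no longer needed
  incus exec "$instance" -- "$@" || rc=$?
  delete_secret "$instance" "$dest"   # runs whether or not the command succeeded
  return "$rc"
}

# Example use (constructed; instance name, path and command are assumptions):
# with_secret c1 "$(cat ~/.config/deploy-token)" /root/.deploy-token \
#   sh -c 'DEPLOY_TOKEN=$(cat /root/.deploy-token) ./deploy.sh'
```

Note that this leaves the secret on disk inside the guest for the duration of the command; anything running as root in the container during that window can read it, which is the same exposure as the host-script approach described in the first post.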

Thank you! That makes sense! I may have been over thinking it a bit.

Thinking out loud… I still have to think about the services devops coordination tasks:

  • What tool to deliver and delete the secrets (github actions for example)
  • I currently use the incus host to perform management ops.
  • Is it possible to have a guest container have management capabilities over the host?
    • I am asking because I am thinking about incus os
    • This scenario creates a self contained system

Chuck