Lightning-AI · Felonious-Spellfire · Sep 12, 2022 · Sep 12, 2022 · Sep 12, 2022
@@ -0,0 +1,48 @@
+.. _encrypted_secrets:
+
+#################
+Encrypted Secrets
+#################
+
+Private data (API keys, database passwords, or other credentials), required by Lightning Apps, can now be encrypted using the ``--secret`` flag.
+
+----
+
+***************
+What did we do?
+***************
+
+The ``MY_SECRET`` environment variable has been added and the flag ``--secret`` has been added to the ``lightning run app`` command.
+
+When a Lightning App (App) **runs in the cloud**, the ``MY_SECRET`` environment variable is populated with the value of the
+referenced secret. The value of the secret is encrypted in the database, and is only decrypted and accessible to
+LightningFlow or LightningWork processes in the cloud.
+
+----
+
+**********************
+What were we thinking?
+**********************
+
+We understand that many Lightning Apps require access to private data like API keys, database passwords, or other credentials.
+We developed this feature because we know that you need a secure way to store this data in a way that is accessible to Apps so that they can authenticate third party services/solutions.
+
+----
+
+****************
+Encrypt a secret
+****************
+
+.. note:: Secrets can only be used for Apps running in cloud.
+
+To encrypt your secret:
+
+.. code:: bash
+
+    lightning run app --cloud --secret MY_SECRET=<secret-name> <file with the secret>
+
+Here's an example:
+
+.. code:: bash
+
+    lightning run app --cloud --secret MY_SECRET=my-super-secret-name app.py
@@ -4,9 +4,9 @@
 Environment Variables
 *********************
 
-If your app is using secrets or values you don't want to expose in your app code such as API keys or access tokens, you can use environment variables.
+If your Lightning App (App) is using secrets or values you don't want to expose in your app code such as API keys or access tokens, you can use environment variables.
 
-Lightning allows you to set environment variables when running the app from the CLI with the `lightning run app` command. You can use environment variables to pass any value such as API keys or other similar configurations to the app, avoiding having to stick them in the source code.
+Lightning allows you to set environment variables when running the app from the CLI with the `lightning run app` command. You can use environment variables to pass any value such as API keys or other similar configurations to the App, avoiding having to stick them in the source code.
 
 Set one or multiple variables using the **--env** option:
 
@@ -24,4 +24,4 @@ The environment variables are available in all flows and works, and can be acces
     print(os.environ["BAZ"])  # FAZ
 
 .. note::
-	Environment variables are currently not encrypted.
+	Only the `MY_SECRET environment variable is encrypted <encrypted_secrets.rst>`_. All other environment variables are not encrypted.
@@ -268,8 +268,9 @@ Keep Learning
    Build Configuration <glossary/build_config/build_config>
    Command Line Interface (CLI) <glossary/command_lines/command_lines>
    DAG <glossary/dag>
-   Event Loop <glossary/event_loop>
+   Encrypted Secrets <glossary/encrypted_secrets>
    Environment Variables <glossary/environment_variables>
+   Event Loop <glossary/event_loop>
    Frontend <workflows/add_web_ui/glossary_front_end.rst>
    REST API <glossary/restful_api/restful_api>
    Sharing Components <glossary/sharing_components>