Clarification: Secrets and layer caching | Dagger | Page 1

pallid moss Jun 4, 2025, 5:45 PM

#

Hi! I just came across https://docs.dagger.io/api/arguments#caching and stumbled upon the very first sentence:

When a Secret is included in other operations, the layer cache entries for those operations will be based on the plaintext value of the secret.
I assume (hope) this doesn't mean the actual secret gets stored in the layer cache but just, e.g., some hash thereof?

signal depot Jun 4, 2025, 6:04 PM

#

just a hash yup! it's an argon2 hash based on the plaintext value and a hidden salt (which is stored on the engine filesystem, and never exported)

pallid moss Jun 4, 2025, 6:11 PM

#

Perfect, thank you! Now I'm relieved 😄

signal depot Jun 4, 2025, 6:24 PM

#

yeah! it's definitely not perfect, but it's really the only way to get value based caching for secrets

hidden cape Jun 4, 2025, 8:27 PM

#

That seems like too much implementation detail in that docs page, which leads to confusion like the one here

signal depot Jun 5, 2025, 10:15 AM

#

hidden cape That seems like too much implementation detail in that docs page, which leads to...

we added docs for this in https://github.com/dagger/dagger/pull/10343
i think we need some docs on how secrets cache 🤔

GitHub

add docs for secret caching behavior by sipsma · Pull Request #103...

Follow-up for #10311 to explain how secrets impact cache (now, as of v0.18.6) and how the cache behavior can be customized.
Let me know if it's comprehensible as is or if it would benefit f...

#Clarification: Secrets and layer caching