Secrets

Authelia allows providing configuration via secrets method. This section describes how to implement this.

Configuration of Authelia requires several secrets and passwords. Even if they can be set in the configuration file or standard environment variables, the recommended way to set secrets is to use this configuration method as described below.

See the security section for more information.

Layers

Important Note: While this method is the third layer of the layered configuration model as described by the introduction, this layer is special in as much as Authelia will not start if you define a secret as well as any other configuration method.

For example if you define jwt_secret in the files method and/or AUTHELIA_JWT_SECRET in the environment method, as well as the AUTHELIA_JWT_SECRET_FILE, this will cause the aforementioned error.

Security

This method is a slight improvement over the security of the other methods as it allows you to easily separate your configuration in a logically secure way.

Environment variables

A secret value can be loaded by Authelia when the configuration key ends with one of the following words: key, secret, password, or token.

If you take the expected environment variable for the configuration option with the _FILE suffix at the end. The value of these environment variables must be the path of a file that is readable by the Authelia process, if they are not, Authelia will fail to load. Authelia will automatically remove the newlines from the end of the files contents.

For instance the LDAP password can be defined in the configuration at the path authentication_backend.ldap.password, so this password could alternatively be set using the environment variable called AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE.

Here is the list of the environment variables which are considered secrets and can be defined. Please note that only secrets can be loaded into the configuration if they end with one of the suffixes above, you can set the value of any other configuration using the environment but instead of loading a file the value of the environment variable is used.

Configuration KeyEnvironment Variable
jwt_secretAUTHELIA_JWT_SECRET_FILE
identity_providers.oidc.hmac_secretAUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
identity_providers.oidc.issuer_certificate_chainAUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE
identity_providers.oidc.issuer_private_keyAUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
authentication_backend.ldap.tls.private_keyAUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_PRIVATE_KEY_FILE
authentication_backend.ldap.tls.certificate_chainAUTHELIA_AUTHENTICATION_BACKEND_LDAP_TLS_CERTIFICATE_CHAIN_FILE
authentication_backend.ldap.passwordAUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
session.secretAUTHELIA_SESSION_SECRET_FILE
session.redis.passwordAUTHELIA_SESSION_REDIS_PASSWORD_FILE
session.redis.tls.private_keyAUTHELIA_SESSION_REDIS_TLS_PRIVATE_KEY_FILE
session.redis.tls.certificate_chainAUTHELIA_SESSION_REDIS_TLS_CERTIFICATE_CHAIN_FILE
session.redis.high_availability.sentinel_passwordAUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE
duo_api.integration_keyAUTHELIA_DUO_API_INTEGRATION_KEY_FILE
duo_api.secret_keyAUTHELIA_DUO_API_SECRET_KEY_FILE
storage.mysql.passwordAUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
storage.mysql.tls.private_keyAUTHELIA_STORAGE_MYSQL_TLS_PRIVATE_KEY_FILE
storage.mysql.tls.certificate_chainAUTHELIA_STORAGE_MYSQL_TLS_CERTIFICATE_CHAIN_FILE
storage.postgres.passwordAUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
storage.postgres.tls.private_keyAUTHELIA_STORAGE_POSTGRES_TLS_PRIVATE_KEY_FILE
storage.postgres.tls.certificate_chainAUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
storage.postgres.ssl.keyAUTHELIA_STORAGE_POSTGRES_SSL_KEY_FILE
storage.encryption_keyAUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
notifier.smtp.passwordAUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
notifier.smtp.tls.private_keyAUTHELIA_NOTIFIER_SMTP_TLS_PRIVATE_KEY_FILE
notifier.smtp.tls.certificate_chainAUTHELIA_NOTIFIER_SMTP_TLS_CERTIFICATE_CHAIN_FILE
server.tls.keyAUTHELIA_SERVER_TLS_KEY_FILE

Secrets in configuration file

If for some reason you decide on keeping the secrets in the configuration file, it is strongly recommended that you ensure the permissions of the configuration file are appropriately set so that other users or processes cannot access this file. Generally the UNIX permissions that are appropriate are 0600.

Secrets exposed in an environment variable

In all versions 4.30.0+ you can technically set secrets using the environment variables without the _FILE suffix by setting the value to the value you wish to set in configuration, however we strongly urge people not to use this option and instead use the file-based secrets above.

Prior to implementing file secrets the only way you were able to define secret values was either via configuration or via environment variables in plain text.

See this article for reasons why setting them via the file counterparts is highly encouraged.

Examples

See the Docker Integration and Kubernetes Integration guides for examples of secrets.