Skip to content

Secrets Management

Estimated time to read: 3 minutes

Overview

Robotair’s secrets management system provides a centralized and secure mechanism to store, govern, and utilize sensitive credentials throughout the robotics software lifecycle. These secrets include SSH keys, access tokens, container registry credentials, and environment variables critical components in enabling secure, automated CI/CD and deployment workflows.

All secrets are encrypted at rest using platform-managed encryption keys. Robotair ensures that secrets are never stored on robot devices, and their usage is strictly scoped to authenticated, time-bound deployment contexts. This aligns with best practices for secrets governance, mitigates credential leakage, and supports policy-driven security enforcement.

Scope and Application

Robotair enables secure management of secrets across various automation and delivery use cases, including:

  • Authentication against private container registries
  • Accessing private Git repositories for source-based builds
  • Facilitating secure SSH-based integrations with external tooling

Secrets are defined once and can be referenced across builds, deployments, and fleet-wide updates, ensuring reusability, minimizing human error, and reducing manual credential handling.

Lifecycle and Policy Controls

  • Encryption at Rest: All secrets are encrypted using strong ciphers with platform-managed keys
  • Ephemeral Exposure: Secrets are not persisted on devices and are available only for the duration of authorized operations
  • Scoped Access Controls: Secrets are tied to organizational boundaries and (coming soon) governed by role-based permissions
  • Audit Trail and Usage History: (Coming soon) All access and usage events will be logged for compliance and traceability

Operational Model

The following diagram illustrates how secrets are securely provisioned and used during the deployment lifecycle:

flowchart TD
    subgraph Robotair[Robotair Platform]
        Secrets["Secrets Store"]
        Builds["Builds"]
        Deployments["Deployments"]
        Fleets["Fleets"]
        Robots["Robots"]
        Auth["Temporary Credentials"]
    end

    subgraph Robot[Robot with Agent]
        Agent["Robotair Agent"]
        Runtime["Runtime"]
    end

    Builds --> Secrets
    Deployments --> Secrets
    Fleets --> Secrets
    Robots --> Secrets
    Secrets --> Auth --> Agent
    Agent --> Runtime
    Runtime -->|"Secure Pull"| Registry["Private Container Registry"]

Compliance and Security Benefits

  • Secrets are never written to disk or transmitted in plaintext
  • Time-scoped tokens reduce risk exposure to a narrow operational window
  • Centralization simplifies credential lifecycle management and revocation workflows
  • Clear separation of duties ensures production credentials are never exposed to development contexts

Summary

Robotair’s approach to secrets management is designed with compliance, confidentiality, and operational integrity in mind. By enforcing centralized control and scoped use of credentials, Robotair supports a secure CI/CD model while reducing operational burden on development and security teams alike.