# Using secrets

A *secret* is a piece of encrypted named data stored in the Apolo Platform Cluster.

Users can create secrets, list available secret names, and delete unused secrets. However, reading the secret's data back is impossible. Instead of plain reading, secrets can be accessed from a running job as an environment variable or a mounted file.

Secrets are isolated and user-specific - a secret that belongs to user A cannot be accessed by user B.

## Managing secrets

Use the `apolo secret` command group to manage secrets.

`apolo secret ls` prints all available secret names.

`apolo secret add key value` creates a secret named *key* with encrypted data *value*.

To store a file's content as a secret, use the `apolo secret add KEY_NAME @path/to/file.txt` notation.

`apolo secret rm key` removes the secret named *key*.

Internally, the Apolo Platform uses the Kubernetes Cluster secrets subsystem to store secrets.

## Using secrets

As said above, you can't read a secret directly, but instead should pass it to a running job as an environment variable or a mounted file.

To pass a secret named *key* as an environment variable, use `secret:key` as a value for `--env`. For example, `apolo run --env VAR=secret:key ...`.

To mount a secret as a file, use the `secret:` scheme of `--volume`. For example, `apolo run --volume secret:key:/mount/path/file.txt`.