1.4 KiB
| layout | title | parent | nav_order |
|---|---|---|---|
| default | Secrets | Configuration | 8 |
Secrets
Configuration of Authelia requires some secrets and passwords. Even if they can be set in the configuration file, the recommended way to set secrets is to use environment variables as described below.
Environment variables
A secret can be configured using an environment variable with the prefix AUTHELIA_ followed by the path of the option capitalized and with dots replaced by underscores.
For instance the LDAP password is identified by the path authentication_backend.ldap.password, so this password could alternatively be set using the environment variable called AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD.
Here is the list of the environment variables which are considered secrets and can be defined. Any other option defined using an environment variable will not be replaced.
- AUTHELIA_JWT_SECRET
- AUTHELIA_DUO_API_SECRET_KEY
- AUTHELIA_SESSION_SECRET
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
- AUTHELIA_NOTIFIER_SMTP_PASSWORD
- AUTHELIA_SESSION_REDIS_PASSWORD
- AUTHELIA_STORAGE_MYSQL_PASSWORD
- AUTHELIA_STORAGE_POSTGRES_PASSWORD
Secrets in configuration file
If for some reason you prefer keeping the secrets in the configuration file, be sure to apply the right permissions to the file in order to prevent secret leaks if an another application gets compromised on your server. The UNIX permissions should probably be something like 600.