Storing secrets in Forge

Could someone explain the technical difference between saving data using store.set and storage.setSecret ? I understand that all tenant data are encrypted with the custom key according this doc :

The Key-Value Store also lets you store key-value pairs in a secure, encrypted manner

Does the method storage.setSecret has some kind of double encryption, or any additional access limitation ? Who has access to secret data ? Atlassian team or Jira/Confluence Cloud admin ?

I couldn’t find this information in the documentation, and my client has concerns about storing sensitive data. It would be helpful if this information were included in the documentation.

Hi @TReb. If data is stored with storage.setSecret, it can only be retrieved with storage.getSecret.

Using the method storage.query will not return values stored with storage.setSecret.

Who has access to secret data ?

Only your app can fetch those values using the getSecret method.

References:

Only your app can fetch those values using the getSecret method.

Nobody from Atlassian is able to retreive the secret?

2 Likes

@danielwester interesting question. I am not aware of any productized way for an Atlassian to fetch data stored as a secret by a Forge app. I believe that these methods, setSecret and getSecret, are provided with the intention of providing a way to store/get sensitive data that live within Forge storage, but not be exposed via query search methods.

It would be awesome if it was documented so we can point to it our security docs. AWS does a really good job versioning and making then link able with this. It makes compliance easy.

1 Like