Encryption

Reoclo encrypts all sensitive data at rest. Encryption happens automatically — you don’t need to manage keys or configure anything.

What’s Encrypted

Data	When encrypted	When decrypted
Environment variables	On save	During deployment only
Cloud provider credentials	On save	During cloud operations only
SMTP passwords	On save	During notification delivery only

Environment Variables Are Write-Only

After you save an environment variable, you can’t read it back through the dashboard. You can update it or delete it, but you can’t view the current value.

This is intentional — if someone gains access to your dashboard account, they can’t view your secrets.

Store Secrets in Your Password Manager

Because environment variables are write-only in Reoclo, you can’t retrieve them later. Store them in your own password manager (1Password, Bitwarden, etc.) as well.

If you lose a secret and can’t read it back from Reoclo, you’ll need to regenerate it.

Rotating Secrets

If you need to rotate a secret:

1. Generate a new secret in your application (new API key, new password, etc.)
2. Update the environment variable in Reoclo
3. Deploy the application
4. Revoke the old secret

You can update secrets at any time through:

• Environment variables: Application settings in the dashboard
• Cloud credentials: Settings page when you rotate provider API keys
• SMTP passwords: Notification settings

Next Steps

• Understand access control to see how roles protect your resources
• Configure environment variables to use encrypted secrets in your deployments