# Fake.Core.Vault module

API-Reference

## Goals and non-goals

The FAKE-Vault works similar to secret variables in VSTS (in fact they were added to better support VSTS).

Context:

Goals:

• Prevent accidental leakage
• Hide from environment variable listing
• Hide from process snapshots
• Forward secret variables from your build server into FAKE without implicit access for all sub-processes started by FAKE

Non-Goals:

• Complete fool-proof implementation
• Hiding variables from build script writers
• Hiding variables from the build output (see below)

## API Usage

In order to get variables into FAKE you need to encrypt them via AES. When in doubt consult the source code of Vault.encryptVariable or look at the myVault.ts implementation of the vsts fake 5 task.

You need to create a json in the following format:

 1: 2: 3: 4: 5: 6: 7:  { "keyFile": "", "iv": "", "values": [ { "secret": true, "value": "", "name": "" } ] } 

And save it in a environment variable FAKE_VAULT_VARIABLES for example.

 1: 2: 3: 4: 5: 6: 7: 8: 9:  #r "paket: nuget Fake.Core.Vault //" open Fake.Core let vault = Vault.fromFakeEnvironmentVariable() let usage1 = vault |> Vault.get "my variable" let usage2 = vault.Get "my other variable" let tryUsage1 = vault |> Vault.tryGet "my variable" let tryUsage2 = vault.TryGet "my other variable" 

You can reference Fake.Core.Vault in your regular project and use Vault.encryptVariable to simplify the creation of the json.

## Hide from Build output

By default the vault will not keep unencrypted variables in memory in order to 'protect' against memory dumps. Once you retrieve a secret variable we recommend to use build server features (like VSTS secret variables) to remove values from the output. If that is not an option you can use the protect secrets feature of the trace module. Keep in mind that this keeps the variables in memory and is therefore an explicit opt-in for the variables you use.