June 18, 2026

Rotate Your Keys: Why "Encrypted at Rest" Is Only Half the Job

Amber Matz


If you already use Custom Environment Variables in Tugboat, rotate the ones that hold sensitive information such as API keys and recreate them with “Encrypt this value at rest” turned on. The option has been available since May 29, 2026.

Encrypting a custom environment variable at rest keeps its value out of dashboards, logs, and exports. The option is offered only when you create a new custom environment variable in the repository settings; it can’t be switched on for an existing one. Because an existing variable’s value was viewable in the dashboard until you recreate it, don’t just recreate it with the same value: generate a fresh credential and store that one encrypted.

Why rotate sensitive data and keys?

Secrets can leak in ordinary ways: a key in a demo screenshot, a value in a build log, an API response with credentials pasted into a ticket, or a former team member with access to Tugboat. You might not ever know if it was exposed.

Rotation addresses that uncertainty. You generate a new credential, switch your systems to it, and revoke the old one. Even if the old value leaked months ago and you never found out, it stops being usable the moment it’s revoked. Whatever was done with it before then is the part rotation can’t undo, which is why you rotate on a schedule rather than waiting for evidence of a leak.

We strongly encourage customers to rotate their keys now and to use “Encrypt this value at rest” when creating the new custom environment variables that hold sensitive data for their Tugboat Previews.

What does “encrypt this value at rest” do?

When you add a custom environment variable containing sensitive data, check the "Encrypt this value at rest" option before saving. After that:

  • A padlock icon appears next to the variable name, and the Show, Copy, and Edit controls go away.
  • The value is hidden everywhere it used to appear: the dashboard shows nothing, API exports show NAME=[ENCRYPTED], and terminal output, build logs, job logs, and captured mail show [REDACTED].
  • Builds don't change. Tugboat still injects the value as a normal environment variable, so your config.yml, commands, and containers behave exactly as before.

How to rotate sensitive values

Run this on your most sensitive credentials:

  1. Inventory the sensitive variables in your Tugboat repo settings — API keys, tokens, passwords, webhook secrets.
  2. Generate a new value at the source (cloud provider, payment processor, GitHub). Don't reuse the old one.
  3. In Repository Settings, delete the existing plaintext variable and create a new one with the same name so your config.yml keeps working: paste the new value, check Encrypt this value at rest, and set the scope.
  4. Run a Preview build to confirm the new value is picked up. Check that the build and the site behave correctly; don’t print the value itself to verify it.
  5. Revoke the old credential at the source. This is the step that actually closes your exposure.
  6. Schedule it. Quarterly is a sensible default; rotate immediately if you suspect a leak.

Two setup details to note:

Scope: Each variable is scoped to Build-time, Run-time, or both. Build-time values are available during Preview builds, when dependencies are installed and build commands run. Run-time values are available to the running site and its services. Match the scope to when your code actually needs the value, and set both if it's used in both phases or you aren't sure. Pick the wrong one, and the value simply won't be there when your code tries to access it.

Editing: Encrypted variables are immutable by design. Sealing the stored value is the whole point, so there's no Edit control on them. You don't edit an encrypted variable; you replace it. Delete the old one and add it again with the new value, name, or scope.

Encryption at rest protects the stored value, not the running one. Anyone with Terminal access to a Preview container, and any command that runs inside it, can still read the plaintext, because your app needs it in plaintext to work. So it’s also a good idea to review who has access to your Tugboat project.
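To make step 4 of the rotation procedure and the Scope note concrete, here is a small shell helper you could call from a build command. It is an added example written for this post, not Tugboat’s own code; the variable names and the idea of calling it from a config.yml command are assumptions. `require_env` fails the build up front if a variable is missing from the phase it runs in (the symptom of a wrong scope), and `env_fingerprint` lets you confirm that the rotated value, not the old one, is the one injected, by comparing a short hash instead of printing the secret.

```shell
#!/bin/sh
# Added example for this post, not Tugboat's own code. Variable names such as
# PAYMENT_API_KEY are hypothetical; run these from a build command to check
# that the values you expect are actually present in this phase.

# Validate a variable name before using it with eval, so a stray character
# can't turn into a shell command.
_valid_name() {
  case "$1" in
    ""|*[!A-Za-z0-9_]*|[0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# require_env NAME...: succeed only if every named variable is set and
# non-empty; otherwise list the missing ones on stderr and return 1.
# With `set -e` in a build command, a non-zero return stops the build here
# instead of letting it fail later with an obscure application error.
require_env() {
  missing=""
  for name in "$@"; do
    _valid_name "$name" || { echo "invalid variable name: $name" >&2; return 1; }
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required variable(s):$missing" >&2
    return 1
  fi
  return 0
}

# env_fingerprint NAME: print the first 12 hex characters of the SHA-256 of
# the value. Compare it with the same hash computed where you generated the
# new credential; matching fingerprints mean the rotated value is in place,
# and the secret itself never lands in the build log.
env_fingerprint() {
  _valid_name "$1" || { echo "invalid variable name: $1" >&2; return 1; }
  eval "value=\${$1:-}"
  [ -n "$value" ] || { echo "$1 is unset or empty" >&2; return 1; }
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$value" | sha256sum | cut -c1-12
  else
    printf '%s' "$value" | shasum -a 256 | cut -c1-12
  fi
}

# Stand-alone demo with a constructed value (not a real credential). In a
# Preview build, Tugboat injects the variable and you'd skip this export.
DEMO_API_KEY="example-not-a-real-key"
export DEMO_API_KEY
require_env DEMO_API_KEY && echo "DEMO_API_KEY fingerprint: $(env_fingerprint DEMO_API_KEY)"
```

In a config.yml build command the pattern is `require_env PAYMENT_API_KEY DATABASE_PASSWORD || exit 1` (hypothetical names) at the top of the phase that needs them, followed by a fingerprint line only while you are confirming a rotation. If the fingerprint in the build log doesn’t match the one you computed from the new credential, the old value is still in place or the variable was created with the wrong scope.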

Rotate and recreate sensitive data today

Pick your highest-risk credential — a production database password, a payment API key, or a token with admin scope — and rotate it now. New value, saved encrypted, old one revoked. Then put a recurring reminder on the calendar for the rest.
