Deploy Encryption Keys with Reis (YAML Mode)

Encryption keys can be declared in your bahriya.yml file under the vaults section and applied with reis apply.

Updated 23 Jun 2026

YAML structure

vaults:
  encryption_keys:
    data-enc-key:
      name: Data Encryption Key
      key: "{{ file:./keys/data.key.b64 }}"
      algorithm: AES-256
      format: base64

The {{ file:./path }} helper reads the file content at apply time, so you can keep your key files separate from the YAML declaration.

Attaching to a project

projects:
  production:
    attachments:
      vaults:
        encryption_keys: [data-enc-key]

Wiring to a container

Once attached to a project, reference the encryption key in a container definition:

containers:
  api:
    project: production
    image: ghcr.io/myorg/api:latest
    vaults:
      encryption_keys:
        - handle: data-enc-key
          mountpath: /etc/secrets/enc

The key is mounted as a file named key under the specified mount path (/etc/secrets/enc/key in the example above).

Rotation

To rotate, update the key file on disk and run reis apply again. A new version is created and marked current. Previous versions are retained for rollback. Algorithm and format remain unchanged.
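
Because the {{ file:./path }} helper reads the key file at apply time, and rotation means replacing that file, the file can be generated and checked before each reis apply. The shell functions below are an added example, not part of Reis or this page's original content; gen_key and check_key are hypothetical helper names, and the check assumes the file holds a single raw 32-byte key, base64-encoded, to match algorithm: AES-256 and format: base64.

```shell
#!/bin/sh
# Added example (not part of Reis): prepare and pre-check the file behind
#   key: "{{ file:./keys/data.key.b64 }}"
# Assumption: the file holds one raw 32-byte AES-256 key, base64-encoded.

# gen_key FILE: write a fresh random 256-bit key as base64, owner-only.
gen_key() {
    (
        umask 077                                # new files/dirs: owner only
        mkdir -p "$(dirname "$1")" || exit 1
        head -c 32 /dev/urandom | base64 | tr -d '\n' > "$1" || exit 1
        chmod 600 "$1"                           # also fixes a pre-existing file
    )
}

# check_key FILE: return 0 if the file is fit to apply; otherwise print the
# reason to stderr and return 1 (missing), 2 (permissions), 3 (not base64)
# or 4 (wrong decoded length).
check_key() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    # Characters 5-10 of the `ls -l` mode string are the group/other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: accessible beyond owner" >&2; return 2; }
    base64 -d < "$f" > /dev/null 2>&1 || { echo "$f: not valid base64" >&2; return 3; }
    # Only the decoded byte count is inspected; key material is never printed.
    n=$(base64 -d < "$f" | wc -c | tr -d ' ')
    [ "$n" -eq 32 ] || { echo "$f: decodes to $n bytes, want 32" >&2; return 4; }
    return 0
}

# Typical use, first deploy or rotation:
#   gen_key ./keys/data.key.b64 && check_key ./keys/data.key.b64 && reis apply
```

Since the YAML only references the path, the ./keys directory can be excluded from version control while bahriya.yml is committed.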
