[doc] where and how are secret variables stored?
Hi, when I have a secret variable, I understand it's not written to the environment or collection files, but where is it stored exactly, and how?
I think documenting this part will bring additional transparency and align nicely with what people are looking for when choosing Bruno.
I can prepare a PR, but someone would need to explain it here or point me towards related source files.
On a Windows machine the secrets are stored under \Users[xxxx]\AppData\Roaming\bruno\secrets.json. It's the location for Electron stores.
The code which handles the secrets is: https://github.com/usebruno/bruno/blob/main/packages/bruno-electron/src/store/env-secrets.js
For the record, I found that in a Flatpak-based installation of Bruno on Linux, the secrets.json file will be stored at $HOME/.var/app/com.usebruno.Bruno/config/bruno/secrets.json. Please document this; it's an important security consideration when using Bruno.
I also noticed the blog written by @rreyn-bruno located at https://blog.usebruno.com/managing-secrets. It states "When a variable is marked as secret: ... It’s never written to disk (not even in the environment file)". This statement may require clarification. From what I see in my installation, it is written to disk, just to another location (see above) and not in cleartext.
@koriit-kontakt Bruno securely stores secrets on your local machine, usually within the app's cache directory. The location may vary depending on your operating system. Secrets are encrypted using OS-level encryption when available, or, as a fallback, they are securely encrypted via AES256, uniquely tied to your device.
@boskamp I've created a PR to add this information to our docs: PR link. I'll follow up with @rreyn-bruno about updating the blog.
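Since the thread establishes that secrets.json is a real file on disk, the following added example (not part of the thread and not Bruno's own code) audits the two locations named above for loose file permissions. The function names are hypothetical, other operating systems' locations are not covered because the thread does not give them, and the permission checks assume a POSIX system (on Windows only existence is reported).

```python
import os
import stat
from pathlib import Path

def candidate_paths(home, appdata=None):
    """The two secrets.json locations named in this thread, nothing more."""
    paths = [Path(home) / ".var/app/com.usebruno.Bruno/config/bruno/secrets.json"]
    if appdata:  # Windows: %APPDATA% resolves to ...\AppData\Roaming
        paths.append(Path(appdata) / "bruno" / "secrets.json")
    return paths

def audit(path):
    """Return a list of findings for one file; an empty list means nothing to fix."""
    path = Path(path)
    findings = []
    try:
        st = path.lstat()
    except FileNotFoundError:
        return findings  # no secrets stored at this location
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink; the real file may sit in a synced or shared folder")
        try:
            st = path.stat()
        except OSError:
            return findings + ["symlink target is missing or unreadable"]
    if os.name != "posix":
        return findings  # mode bits are not meaningful on Windows; review ACLs instead
    if st.st_mode & 0o077:
        findings.append(f"mode {stat.S_IMODE(st.st_mode):o} grants group/other access; use 600")
    if st.st_uid != os.getuid():
        findings.append("owned by a different user than the one running this audit")
    if path.parent.stat().st_mode & 0o022:
        findings.append("parent directory is group/other writable; the file could be replaced")
    return findings

if __name__ == "__main__":
    for p in candidate_paths(Path.home(), os.environ.get("APPDATA")):
        if not p.exists():
            print(f"{p}: not present")
            continue
        problems = audit(p)
        print(f"{p}: {'OK' if not problems else '; '.join(problems)}")
```

Because the file holds encrypted secrets rather than none at all, it is also worth checking whether these directories are included in backups or file-sync tools.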