I am planning on writing code to automatically generate and rotate the value of DRONE_RPC_SECRET. I would like to know what limits there are on the size of the secret, and if the key only supports ASCII or if any binary value is supported. Also any recommendation you have on key length would be appreciated.
I am not aware of any maximum length. The secret is passed through an http header value which could have maximum length depending on your infrastructure, but if such limits were in place, they would be quite large (e.g. 8KB).
As mentioned, since the value is passed in the HTTP header it needs to be ASCII. You can therefore encode the value using hex or base64 encoding.
Are there any performance disadvantages to using a large key such as 8 or 4 KB?
Not sure, I have never tested this. I expect there will be a performance penalty and a networking penalty due to increased payload size.
What attack vectors are you trying to prevent with such a large key? I feel like 256 bits of random data that is base64-encoded (openssl rand -base64 256) would provide sufficient protection against a brute-force attack.
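As an added example (not code from anyone in this thread or from Drone itself), here is a Python helper that generates a secret with a chosen number of bits of entropy from a CSPRNG, encodes it as base64 or hex so it stays header-safe, and reports how many header bytes each encoding costs at 256, 4096 and 8192 bits. The header-safe check assumes a value may contain only visible ASCII (0x21-0x7E); `rotate` is a hypothetical helper name, not a Drone API.

```python
import base64
import secrets
import string

# Visible ASCII only (0x21-0x7E). Anything else (spaces, CR/LF, raw bytes) is
# not safe inside an HTTP header value, hence the hex/base64 advice above.
_HEADER_SAFE = set(string.printable) - set(string.whitespace)


def is_header_safe(value: str) -> bool:
    """True if every character can travel in an HTTP header value unchanged."""
    return len(value) > 0 and all(ch in _HEADER_SAFE for ch in value)


def encode_secret(raw: bytes, encoding: str = "base64") -> str:
    """Encode random bytes as ASCII: base64 is ~4/3 of the raw size, hex is 2x."""
    if encoding == "base64":
        return base64.b64encode(raw).decode("ascii")
    if encoding == "hex":
        return raw.hex()
    raise ValueError(f"unsupported encoding: {encoding}")


def generate_rpc_secret(bits: int = 256, encoding: str = "base64") -> str:
    """Generate a fresh secret carrying `bits` of entropy, encoded for a header."""
    if bits % 8 != 0 or bits < 128:
        raise ValueError("use a whole number of bytes, at least 128 bits")
    raw = secrets.token_bytes(bits // 8)  # CSPRNG; argument is bytes, not bits
    return encode_secret(raw, encoding)


def encoded_length(bits: int, encoding: str) -> int:
    """Header bytes consumed by a secret of `bits` entropy in `encoding`."""
    return len(encode_secret(bytes(bits // 8), encoding))


def rotate(current: str, bits: int = 256, encoding: str = "base64") -> str:
    """Return a new secret that is guaranteed to differ from the current one."""
    new = generate_rpc_secret(bits, encoding)
    while new == current:  # astronomically unlikely, but cheap to guard
        new = generate_rpc_secret(bits, encoding)
    return new


if __name__ == "__main__":
    s = generate_rpc_secret()
    print("DRONE_RPC_SECRET=" + s, "header-safe:", is_header_safe(s))
    for bits in (256, 4096, 8192):
        print(bits, "bits ->", encoded_length(bits, "base64"), "base64 chars,",
              encoded_length(bits, "hex"), "hex chars")
```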