diff --git a/cmd/build/main.go b/cmd/build/main.go
index 9474676..b3f722a 100644
--- a/cmd/build/main.go
+++ b/cmd/build/main.go
@@ -3,10 +3,8 @@ package main
 import (
 "bytes"
 "encoding/json"
- "io/ioutil"
 "os"
 "os/exec"
- "path/filepath"
 "strings"
 "github.com/sirupsen/logrus"
@@ -66,14 +64,8 @@ func main() {
 seg := strings.SplitN(
 strings.TrimPrefix(env, buildkitSecretTextPrefix), "=", 2)
- // Q: Filter for environment variable names that are also legal shell variable names to disallow ../ etc?
- secretDir := filepath.Join(os.TempDir(), "buildkit-secrets")
- secretFile := filepath.Join(secretDir, seg[0])
- err := os.MkdirAll(secretDir, 0700)
- failIf("create secret directory", err)
- err = ioutil.WriteFile(secretFile, []byte(seg[1]), 0600)
- failIf("write to secret directory", err)
- req.Config.BuildkitSecrets[seg[0]] = secretFile
+ err := task.StoreSecret(&req.Config.BuildkitSecrets, seg[0], seg[1])
+ failIf("store secret provided as text", err)
 }
 }
diff --git a/task.go b/task.go
index 1fe3d40..84cebf2 100644
--- a/task.go
+++ b/task.go
@@ -16,6 +16,26 @@ import (
 "github.com/sirupsen/logrus"
 )
+// Q: Audit name to not include "/"?
+func StoreSecret(secrets *map[string]string, name, value string) error {
+ secretDir := filepath.Join(os.TempDir(), "buildkit-secrets")
+ secretFile := filepath.Join(secretDir, name)
+ err := os.MkdirAll(secretDir, 0700)
+ if err != nil {
+ return fmt.Errorf("unable to create secret directory: %w", err)
+ }
+ err = ioutil.WriteFile(secretFile, []byte(value), 0600)
+ if err != nil {
+ return fmt.Errorf("unable to write secret to file: %w", err)
+ }
+ if secrets == nil {
+ secretMap := make(map[string]string, 1)
+ secrets = &secretMap
+ }
+ (*secrets)[name] = secretFile
+ return nil
+}
+
 func Build(buildkitd *Buildkitd, outputsDir string, req Request) (Response, error) {
 if req.Config.Debug {
 logrus.SetLevel(logrus.DebugLevel)
diff --git a/task_test.go b/task_test.go
index c0b1a49..3d7ff7e 100644
--- a/task_test.go
+++ b/task_test.go
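Review bot: The `if secrets == nil` check in StoreSecret (task.go hunk) guards the pointer rather than the map: a nil pointer gets a fresh map assigned to the local variable only, so the entry is silently discarded, while a non-nil pointer to a nil map panics at `(*secrets)[name] = secretFile`; the check should be `if *secrets == nil { *secrets = make(map[string]string, 1) }`, with a nil pointer reported as an error. The `// Q: Audit name` comment should be resolved in this change rather than carried over from the removed main.go comment: `name` is the raw environment-variable name from the cmd/build/main.go call site, and because `filepath.Join` cleans `..` and separators, an unvalidated name makes `secretFile` resolve to a path outside `secretDir`; rejecting any name that is not its own `filepath.Base` (and `.`/`..`) closes that. Separately, `os.TempDir()/buildkit-secrets` is a fixed, predictable path: `os.MkdirAll` does nothing when the directory already exists, so its ownership and mode are never checked, and `ioutil.WriteFile` keeps the existing mode of a pre-existing file — creating the directory once with `ioutil.TempDir` and passing or caching its path avoids sharing a well-known location. StoreSecret is exported and needs a doc comment, e.g. `// StoreSecret writes value to a file under the secrets directory and records its path in secrets under name.`; whether task.go already imports `fmt`, `io/ioutil` and `path/filepath` is outside the hunk and cannot be confirmed here.
```go
func StoreSecret(secrets *map[string]string, name, value string) error {
	// name becomes a file name under secretDir; anything that is not a
	// single path component would resolve to a different location.
	if name == "." || name == ".." || filepath.Base(name) != name {
		return fmt.Errorf("invalid secret name %q", name)
	}
	if secrets == nil {
		return fmt.Errorf("storing secret %q: nil secrets map", name)
	}
	// … unchanged: secretDir / secretFile, MkdirAll, WriteFile …
	if *secrets == nil {
		*secrets = make(map[string]string, 1)
	}
	(*secrets)[name] = secretFile
	return nil
}
```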
@@ -250,6 +250,15 @@ func (s *TaskSuite) TestUnpackRootfs() {
 s.Equal(meta.Env, []string{"PATH=/darkness", "BA=nana"})
 }
+func (s *TaskSuite) TestBuildkitTextualSecrets() {
+ s.req.Config.ContextDir = "testdata/buildkit-secret"
+ err := task.StoreSecret(&s.req.Config.BuildkitSecrets, "secret", "hello-world")
+ s.NoError(err)
+
+ _, err = s.build()
+ s.NoError(err)
+}
+
 func (s *TaskSuite) TestBuildkitSecrets() {
 s.req.Config.ContextDir = "testdata/buildkit-secret"
 s.req.Config.BuildkitSecrets = map[string]string{"secret": "testdata/buildkit-secret/secret"}
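Review bot: TestBuildkitTextualSecrets never checks what StoreSecret recorded; after the first `s.NoError(err)` it should assert that `s.req.Config.BuildkitSecrets["secret"]` is set and that the file it points to contains `hello-world`, otherwise a wrong path or value is only caught indirectly through `s.build()`. The secret is written to the fixed `os.TempDir()/buildkit-secrets/secret` location and never removed, so the test leaves it on disk and is not isolated from other runs or tests using the same name; registering a removal of the path taken from the map via `s.T().Cleanup(...)` would keep the suite hermetic. Whether the suite's setup initializes `s.req.Config.BuildkitSecrets` is outside the hunk; if it is nil here, the map write in StoreSecret panics instead of producing an assertion failure.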