What Is Secrets Management?
Secrets management addresses a fundamental security challenge: applications and infrastructure need credentials (database passwords, API keys, TLS certificates, encryption keys) to function, but copying those secrets into source code, config files, or environment variables scatters them across places that are easy to read and hard to rotate, so a single leaked file or repository exposes everything it contains.
A secrets management solution provides a centralized, encrypted vault for storing secrets, with fine-grained access control, automatic rotation, and an audit trail of every read and change. Applications fetch a secret at runtime, authenticated by their own identity, instead of carrying a copy of it.
Why Secrets Management Matters
Common secrets management failures include:
- Hardcoded credentials in source code pushed to Git repositories (once pushed, the value stays in history even after the file is fixed, so it must be treated as compromised and rotated)
- Shared service accounts with passwords that never rotate
- Secrets sprawl across config files, CI/CD pipelines, and environment variables
- No audit trail of which applications or users accessed which secrets
Any of these can lead to a breach. Leaked cloud credentials in particular are among the most common initial-access vectors in cloud security incidents, because a valid access key needs no exploit to use.
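As an added example (not code from the original page or from any of the products it names), the following Python scanner addresses the first failure above, hardcoded credentials in source. It flags fixed-format secrets (an AWS access key ID, a PEM private-key header), keyword assignments such as password = "...", and high-entropy string literals, while ignoring values read from the environment at runtime and deployment placeholders such as ${VAR}. The sample source is constructed and mixes a few file formats on purpose; none of its values are real credentials (the AKIA... string is the example key ID from AWS's own documentation). The rule names, the 8-character minimum and the 4.0-bit entropy threshold are this example's assumptions, not any tool's defaults.

```python
"""Minimal hardcoded-credential scanner (added example; not from any product)."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


# Fixed-format secrets: specific enough to report on their own.
FORMAT_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("pem-private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----")),
]

# keyword = "literal"  or  keyword: "literal". Only a quoted literal of 8+ characters
# counts; a value fetched at runtime (os.environ[...], a vault client) is not matched.
ASSIGNMENT_RULE = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

# Template references resolved at deploy time; these are not secrets themselves.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|\{\{.*\}\}|<.*>)$")

# Candidate tokens for the entropy check: base64/base62-looking runs of 20+ chars.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumption, tune it against your corpus


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[Finding]:
    """Scan source text line by line and return all findings in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        before = len(findings)
        for rule, pattern in FORMAT_RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, m.group(0)))
        m = ASSIGNMENT_RULE.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            findings.append(Finding(line_no, "keyword-assignment", m.group(0)))
        if len(findings) == before:
            # Entropy is the noisy fallback; only run it on lines nothing else flagged.
            for m in TOKEN.finditer(line):
                if shannon_entropy(m.group(0)) > ENTROPY_THRESHOLD:
                    findings.append(Finding(line_no, "high-entropy-string", m.group(0)))
    return findings


# Constructed sample, deliberately mixing Python, YAML and PEM lines. None of these
# values are real credentials; the AKIA... string is AWS's documented example key ID.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal"
DB_PASSWORD = "Summer2024!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = os.environ["API_KEY"]
hmac_key = "Zq7pL2mVx9KbR4tN8wYc1HsJ0fDgE6aU"
db_password: "${DB_PASSWORD}"
sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
```

Run against the sample, this reports lines 3, 4, 6 and 9 and stays silent on the runtime lookup (line 5), the placeholder (line 7) and the hex digest (line 8). The digest case is worth understanding: a hex string draws from only 16 symbols, so its entropy can never exceed 4.0 bits per character, whereas a random base64 token of 20+ characters almost always does. Wire a scanner like this into a pre-commit hook or CI job, and treat every hit as a secret to rotate and move into the vault, not merely a line to delete.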
Key Capabilities
| Capability | Description |
|---|---|
| Centralized vault | Encrypted storage for all secret types |
| Dynamic secrets | Generate short-lived, on-demand credentials |
| Automatic rotation | Rotate passwords and keys on a schedule or trigger |
| Access policies | Fine-grained control over which identities can read which secrets |
| Audit logging | Complete record of secret access and changes |
| PKI / certificates | Issue and manage TLS/SSL certificates |
| CI/CD integration | Inject secrets into build and deployment pipelines |
Secrets Management Approaches
| Approach | Pros | Cons |
|---|---|---|
| Dedicated vault (HashiCorp Vault) | Feature-rich, multi-cloud | Operational complexity: you run, harden, unseal and back up the vault yourself |
| Cloud-native (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) | Low ops, tight integration with the provider's IAM | Single-cloud lock-in |
| Developer-focused (Doppler, Infisical) | Great developer experience, easy onboarding | May lack enterprise features |
| Open-source (CyberArk Conjur) | No license cost, customizable | Self-managed infrastructure |
Leading Secrets Management Vendors
Major providers include HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, CyberArk Conjur, Doppler, Infisical, Akeyless, and Delinea Secret Server.