If you are deploying application, at some point you have to:

  • rebuild infrastructure

  • change password

  • share credentials

  • revoke access

In any of those steps, there is a need to expose sensitive information to your deployment, so it can authenticate and access resources properly. We usually call those sensitive pieces of data a secret.
The secret is any non-public information you want to control and limit access to.

Most common used secrets when managing infrastructure are:

  • passwords / PIN

  • API keys / tokens

  • SSH credentials

  • certificates

How can we protect those secret information, but at the same time make them available to a service or person with proper authorization?

Security control proposal

In complex environment, solution is to use secret management software accessible via network. Those solutions usually has multiple advantages:

  • one place for secrets, hence projects are scalable

  • ability to revoke access

  • auditable activities

  • security - data are usually encrypted at rest

Most common on-premise secret management solutions are:

Of course, for simple projects and small deployments, it's possible to encrypt secret information in a git repository, however, this solution does not scale and is not future-proof, so we consider it out-of-scope.