
Secret Repositories

Secrets repositories are secure, long-term storage locations for sensitive data. They parallel the centralized storage, versioning and metadata capabilities offered by configuration repositories, but usually with stricter access controls and auditing. Secrets should be stored encrypted; the encryption may be backed by Hardware Security Modules (HSMs), and the repository may be used together with other cryptographic infrastructure such as a Public Key Infrastructure (PKI). Secrets repositories may also offer the ability to generate, lease, rotate and revoke certain types of secrets, such as certificates.

  • Secure and durable
  • Usually key-value pairs or similar structured data
  • Values must be encrypted
  • Key names and metadata may not be encrypted (so they should not themselves reveal anything sensitive)
  • Must have a canonical source of truth for each fully qualified key
  • May offer the ability to generate, lease, rotate and revoke secret values such as certificates
  • Common tooling includes:
    • HashiCorp Vault
    • CyberArk Conjur
    • AWS Secrets Manager
    • Azure Key Vault
    • Google Secret Manager
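As an added example (not part of this page or of any of the tools listed above), a minimal in-memory secrets repository in Python that follows the properties above: values are sealed with encrypt-then-MAC, key names and version metadata stay in the clear, each fully qualified key has one ordered version history, leases expire, and rotate/revoke plus an audit log are built in. The cipher is a stand-in keystream built from HMAC-SHA256 so the block runs on the standard library alone; a real repository would use a standard AEAD with keys held in an HSM.

```python
import hashlib, hmac, os, time

def _ks(key, nonce, n):
    # Stand-in keystream cipher for the example (HMAC-SHA256 in counter mode), not a production AEAD
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, pt):
    # Encrypt-then-MAC: nonce || ciphertext || tag, so a tampered record is rejected on read
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("secret record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct))))

class SecretRepo:
    """Fully qualified key (e.g. 'prod/payments/db-password') -> ordered list of versions.
    Only the 'ct' field of a version holds secret material; key names and metadata stay in the clear."""
    def __init__(self, master_key):
        self._key, self.records, self.audit = master_key, {}, []

    def put(self, fq_key, value, actor, ttl=None, now=None):
        now = time.time() if now is None else now
        versions = self.records.setdefault(fq_key, [])
        versions.append({"ct": seal(self._key, value), "created": now,
                         "expires": now + ttl if ttl else None, "revoked": False})
        self.audit.append((actor, "put", fq_key, len(versions)))
        return len(versions)  # 1-based version number

    def revoke(self, fq_key, actor):
        self.records[fq_key][-1]["revoked"] = True
        self.audit.append((actor, "revoke", fq_key, len(self.records[fq_key])))

    def rotate(self, fq_key, new_value, actor, ttl=None, now=None):
        self.revoke(fq_key, actor)  # the superseded version stops being served
        return self.put(fq_key, new_value, actor, ttl, now)

    def get(self, fq_key, actor, now=None):
        # Reads are audited even when refused; a revoked or lease-expired version is never returned
        now = time.time() if now is None else now
        versions = self.records[fq_key]
        self.audit.append((actor, "get", fq_key, len(versions)))
        v = versions[-1]
        if v["revoked"] or (v["expires"] is not None and now > v["expires"]):
            raise PermissionError(f"{fq_key}: current version revoked or lease expired")
        return unseal(self._key, v["ct"])
```

The `now` parameter exists so lease expiry can be exercised deterministically; omit it to use the wall clock.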