What is secret management?

Secret management is a cybersecurity best practice for managing credentials, certificates, passwords, keys, tokens and other sensitive information in a secure way. It also provides assurance that resources across different stacks, platforms and environments can only be accessed by authenticated and authorized entities.

Important

Do not store or share any sensitive information in plain text or any unprotected ways.

What is a secret?

Secrets refer to a private piece of information that acts as a key to unlock protected resources or sensitive information.

Most common types of secrets include:

• Privileged account credentials
• Passwords
• Access tokens
• Certificates
• SSH keys
• API keys
• Encryption keys

Best practices

One must follow below best practices when implementing secret management:

• Authenticate and authorize all access requests
• Enforce principle of least privilege
• Use role based access control whenever it's possible
• Regularly rotate secrets, keys and credentials
• Apply consistent access policies to secrets
• Automate management of secrets
• Track all access and maintain audit log
• Remove all secrets from code, configuration files and other unprotected places

Secret management tools

• KeePass is a free password manager, which helps you to manage your passwords in a secure way. It's highly recommended to manage your own credentials with it or one of its alternatives.
• Cloud native services, like Key Vault (Azure), Secret Manager (GCP) and AWS Secrets Manager (AWS), are the recommended way to work with secrets in cloud based solutions. Implement role based access control to manage who can access to your secrets.