What is secrets management?

Secrets management is the process of securing and controlling credentials for the automated components of an application.

Learning Objectives

After reading this article you will be able to:

  • Define 'secrets' and 'secrets management'
  • Understand some of the challenges of secrets management
  • Explain secrets management solutions

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is secrets management?

Secrets management is the practice of securely storing sensitive information that, if leaked, could give malicious or unauthorized parties access to application infrastructure. A "secret" in this context refers to the encryption keys, API keys, SSH keys, tokens, passwords, or certificates that enable disparate parts of application infrastructure to connect to each other.

While a user may only need to know one password to log into an application, that application is itself composed of various parts that all need credentials — those secrets — to talk to each other.

Almost everyone is familiar with how difficult it can be to remember passwords for multiple applications, especially when those passwords need to be updated regularly. Because of this, many people start using unsafe password practices, such as writing their passwords down or using the same password across all applications.

Developers face similar challenges when making software. The infrastructure that makes applications work, or that a business runs on, can require hundreds or even millions of keys, tokens, and passwords. Because managing all these secrets is so taxing, they often end up hard-coded into application software. They may never get updated and are sometimes coded in plaintext, leaving them vulnerable to attackers.

What is a 'secret'?

In the context of application development, a secret is a piece of data used as a credential. Just as a person needs to authenticate in order to access their email by entering a username and password, the non-human components of that email application (or any application) need to authenticate to each other for the application to work. These components can include API connections, containers, microservices, scripts, functions, and automation tools. To authenticate, they use credentials.

Secrets can include:

  • IPsec keys or certificates
  • TLS certificates
  • Keys
  • API keys
  • Passwords
  • Tokens

Think of how children's building blocks (such as LEGO®) lock together to form a sturdy, if miniature, structure. Secrets are like those locking mechanisms holding an application together. Without them, the application falls apart.

Why is it important to update secrets?

Unlike building blocks, which always have the same ridges for locking into each other, secrets need to be changed regularly. If a secret is used for too long, an attacker may be able to guess it via a brute force attack. Also, the longer a secret is used, the more likely it is to leak.

The need to rotate secrets adds to the complexity of securely managing them. Just as remembering an updated password can be difficult, regularly rotating secrets is a big challenge. A dozen apps might depend on a single API, and all those apps will have to update their secrets if the API requires new credentials. In some cases, an organization may not even know how many apps are dependent on that API, and what will break when a secret is updated.

Sometimes, development teams opt out of updating secrets altogether for the sake of efficiency, just as many people prefer not to update their passwords. They may even hard-code secrets into scripts and functions, assuming the secrets will not need to be changed.

What are the other challenges of secrets management?

Manual sharing: Developers who lack a secrets management solution may be forced to use manual processes to share secrets across development teams, leading to poor documentation and introducing secrets into unsecured environments.

Third party accounts: External users may need access to internal APIs and databases. Because they are outside the organization, enforcing secure secrets management is difficult.

Cloud computing: Cloud environments are sprawling and ephemeral. New virtual machine instances spin up to support services on a regular basis, and all of them require their own secrets. Cloud applications also allow broad access from an almost unlimited range of locations, vastly expanding the number of credentials and privileges that must be managed.

Lack of centralized management: Just as getting a group of people to agree on a time for dinner can be a challenge, managing secrets spread out among multiple teams and functions is hard. Each team may document secrets differently, store them differently, or lack visibility into the secrets other teams are using.

How a secrets management solution works

Secrets management tools can automate all the necessary processes for securely managing secrets. They also store secrets in a secure environment, separate from the application's code. This enables developers to avoid hard-coding secrets or storing them in plaintext, where they could be compromised.

How does Cloudflare assist with secrets management?

Cloudflare offers a highly scalable development platform for running code across its global network. Cloudflare Secrets Store enables developers to securely store and manage the secrets their applications need, from API tokens to request authorization headers. Learn about Secrets Store.