Secrets

3 minutes to read

Print
Share
Dark
Light
PDF

Article Summary

Share feedback

Thanks for sharing your feedback!

A secret is a set of sensitive information, such as credentials, cloud access keys or key/value pairs used in DevOps environment, which grants access to systems like databases, API servers, cloud services, and others. Developers and Security Teams often have difficulties managing those sensitive data on environments like CI/CD pipelines, Infrastructure-as-a-Code (IaaC), automation tools such as Ansible, or even hard-coded inside application dependencies. DevOps Secret Management module offers an easy-to-use way of managing secrets on those environments through a user-friendly interface, centralizing sensitive data in a secure and encrypted vault.

The DSM module current supports Credentials with username and password, as well as SSH Keys (through integration with PAM Core module), Cloud Credentials (through integration with Cloud IAM module), Ephemeral Credentials (through Dynamic Provision) and Key/Value pairs as secret data.

The secrets can be queried by applications or scripts through API calls using authorizations as access policies and can be injected on systems and environments through automations created directly in senhasegura, where the secrets will be created, updated and deleted without the need to change the application code.

Register a Secret

To register a secret, follow the menu DevOps Secret Manager ➔ Secret Management ➔ Secrets.

In the report's action button, click on New secret;
In the Settings tab, fill in the following fields:
- Name: Name of the secret for management within senhasegura DSM;
- Identity: Unique secret identifier used to query its data;
- Enabled: Whether this secret is available to be used by applications;
- Engine: Engine to be used. This information is used only for audit purposes;
- Expiration date:Date/time on which the secret will be automatically inactivated;
  Important
  When the information expires, it is deleted. Some information such as access keys cannot be recovered.
- Tags: User-defined tags for data segregation and internal filters for secrets in senhasegura;
- Description: Secret usage description. Will not be used by applications.
In the Cloud Credentials tab, select the cloud credentials that will be part of the secret;

Info

Only users who are part of the PAM Core or CLOUD IAM access group can add cloud credentials and credentials to register a secret.

In the Credentials tab, select the credentials that will be part of the secret;
In the Ephemeral Credentials tab, select the dynamic credentials that will be part of the secret;
In the Key/Value tab, provide a key name and sensitive value pair.
In the Auto-renewal tab, select whether to:
- Enable/disable secret data renewal for Cloud Credentials, Credentials and Ephemeral Credentials;
- Determine an interval in minutes to renew data for Cloud Credentials, Credentials and Ephemeral Credentials;
To finish, click on Save;

Info

Cloud Credentials are managed by senhasegura Cloud IAM module. For more information on how to import Cloud Access Keys, please check the Cloud IAM guide.

Info

Credentials are managed by senhasegura PAM module. For more information on how to create and manage credentials, please check the PAM guide.

Info

Ephemeral Credentials are provisioned by senhasegura directly on the target through Dynamic Provisioning. For more information on how to configure it, please check the Dynamic Provisioning guide. Once the credential is rotated, senhasegura DSM will not delete the old information for Cloud Credentials and Ephemeral Credentials.