Secrets storage and encryption: everything you need to know

Itzik Alvas. Co-founder & CEO, Entro
May 13, 2024

From a historical standpoint, developers have often resorted to insecure practices like hardcoding secrets directly into application source code or configuration files. However, this approach carries very serious risks: if an attacker gains access to your secrets through the codebase, they can easily compromise the entire system. Not to mention, sharing and updating secrets across large development teams can quickly become a logistical nightmare.

As we continue to embrace the cloud, keeping sensitive information under wraps is no walk in the park. You need the right tools for the job. So, to get over these roadblocks, dedicated secrets management solutions have emerged. These tools provide a centralized, secure vault for storing secrets, along with features like access control, auditing, and rotation.

In this article, we’ll explore the different approaches to non-human identity management, including using vaults and vaultless encryption options. We’ll get into the ins and outs of some of the popular non-human identity management solutions so you can decide which one suits you best.

Encryption in secrets management

Encryption is a critical piece of the puzzle that every developer and IT pro needs to have a solid handle on. When it comes to secrets management and securing non-human identities (NHIs), we need to take the most secure form of secrets encryption at our disposal and use it both at rest and in transit. Encryption at rest is typically achieved by encrypting secrets before storing them in databases, files, or secrets vaults. Encryption algorithms like AES-256 are pretty standard and we can encrypt whole disks or volumes using them. 

Equally important is in-transit secrets encryption, which secures secrets when they are transmitted over networks. It’s always a good idea to encrypt before sending, use secure protocols like TLS 1.2+, verify the destination’s identity, and keep encryption libraries updated. It’s also worth noting that compliance frameworks like GDPR mandate the use of encryption for securing personal data in transit.

Key Management and Encryption as a Service

Key Management Services (KMS) take the headache out of managing and storing the encryption keys used to lock up your secrets. They provide a one-stop shop for all your secret key encryption and decryption needs, making sure your keys are always safe and sound. And get this: envelope encryption takes it up a notch by encrypting each secret with its own unique data key, which is in turn encrypted by a key held in the KMS.

Furthermore, we also have the option of using Encryption as a Service offerings which essentially abstract the complexity of encryption by providing cloud-based encryption services. This allows organizations to adopt secrets security in hybrid clouds and offload the management and maintenance of encryption infrastructure while ensuring compliance with best practices and standards.

Best practices for implementing encryption

When it comes to implementing secrets encryption, you’ve got two options: Bring Your Own Key (BYOK) or let the cloud handle it. BYOK gives you more control and lets you see exactly what’s going on under the hood, while cloud-managed keys make your life easier by taking care of key generation and storage of app secrets for you.

To keep your non-human identities safe and sound, make sure you’re using tough secrets encryption algorithms like AES-256 and big, beefy key sizes that can stand up to even the most determined attackers. And don’t forget about secure storage of app secrets and management — keep those keys separate from your encrypted data, lock down access, and rotate those secrets regularly to stay one step ahead of the bad guys.
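Here is envelope encryption as described in the KMS section above, carried through in Go with the best practices from this section (AES-256, a fresh data key per secret, and the key-encryption key kept apart from the stored data). This is an added example, not Entro’s code or any KMS vendor’s SDK: the kek argument stands in for the KMS-held key, which a real KMS would never export (it would perform the wrap and unwrap calls server-side), and the secret value is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceLen = 12 // the standard GCM nonce size that cipher.NewGCM uses

// seal encrypts with AES-256-GCM under a fresh random nonce and prepends the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	nonce := make([]byte, nonceLen)   // never reused: a fresh one per call
	if _, rerr := rand.Read(nonce); err != nil || rerr != nil {
		return nil, errors.New("seal: bad key size or RNG failure")
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open splits off the nonce and decrypts; the GCM tag check rejects any tampering.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(sealed) < nonceLen {
		return nil, errors.New("open: bad key size or truncated blob")
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, sealed[:nonceLen], sealed[nonceLen:], nil)
}

// Encrypt: a one-time 256-bit DEK protects the secret; only the KEK-wrapped DEK is stored beside it.
func Encrypt(kek, secret []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	if _, err = rand.Read(dek); err == nil {
		if ciphertext, err = seal(dek, secret); err == nil {
			wrappedDEK, err = seal(kek, dek) // in production: the KMS "wrap" call
		}
	}
	return
}

// Decrypt unwraps the DEK with the KEK (the KMS "unwrap" call), then opens the secret.
func Decrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Because the bulk ciphertext only depends on the DEK, rotating the KEK means re-wrapping the small DEK blobs, not re-encrypting every stored secret.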

Approaches to non-human identity management

When it comes to keeping secrets under wraps, organizations have two main options: vaults and vaultless. Each approach has its own unique set of pros and cons, so let’s dive in and see what they’re all about.

Vaults

Vaults provide a centralized solution for storing and managing secrets for non-human identities. They act as a secure repository where secrets can be stored, accessed, and managed throughout their lifecycle and offer several key features:

  1. Centralized secrets storage: You get to keep all your secrets in one place, making it a breeze to maintain consistency and control across your organization.
  2. Access control and auditing: Vaults come with built-in access control, so you can define who gets to see what. Plus, you can keep tabs on who’s accessing your secrets, which is a must for security and compliance.
  3. Encryption at rest and in transit: Your secrets remain encrypted both when they’re just sitting there and when they’re on the move — using top-notch encryption algorithms.

Pros:

  • Centralized management and control over secrets
  • Robust access control and auditing capabilities
  • Encryption of keys and other secrets at rest and in transit
  • Integration with various authentication and authorization systems

Cons:

  • Requires additional infrastructure and maintenance
  • Potential single point of failure if not properly designed for high availability
  • May introduce latency in accessing secrets

Vaultless solutions

Vaultless, or distributed non-human identity management, takes a different route. Instead of putting all your eggs in one basket (vault, in this case), secrets are stored right alongside the applications that use them. Here’s the lowdown on vaultless:

  1. Distributed secrets storage: In a vaultless approach, secrets are stored directly within the application environment. Each application is responsible for managing its own secrets, typically by storing them in encrypted form.
  2. Application-level encryption: Vaultless relies on the application itself to encrypt and decrypt secrets using encryption libraries or frameworks.
  3. Secrets stored alongside the application: Secrets are stored in close proximity to the application, often in the same repository or deployment package. No need for a separate non-human identity management system.

Pros:

  • Simpler architecture without extra infrastructure
  • Faster access to secrets
  • Secrets are tightly coupled with the application

Cons:

  • Decentralized management of secrets across multiple applications
  • More responsibility on application developers to handle secrets securely
  • Potential for inconsistent secrets encryption practices
  • Limited visibility and control over secrets at an organizational level

A key decision point in the vault vs. vaultless debate is to weigh the tradeoffs between agentless and agent-based secrets management models. Agentless solutions scan APIs and logs from a central system, while agent-based models involve deploying lightweight software on each host.

Benefits of secrets storage

Implementing a dedicated secrets storage solution offers several key benefits for organizations:

One-stop shop for non-human identity management

Centralizing secrets management means you’ve got a single source of truth for all your non-human identity authentication needs. No more scattered, inconsistent practices that can lead to misconfigurations and unauthorized access. With everything in one place, you’ve got better visibility, control, and governance over your secrets across the board. It also facilitates the tracking of various KPIs related to secrets and non-human identity security, such as the number of secrets discovered, rotated, or accessed over time.

Set it and forget it

Secrets storage solutions often come with built-in automation for secrets rotation and lifecycle management. This means your secrets can be automatically rotated or updated on a regular basis or based on predefined policies. Automated rotation helps minimize the impact of compromised secrets and ensures they’re frequently changed to keep things secure. Lifecycle management features let you define expiration dates, revocation policies, and access controls for secrets throughout their entire lifecycle.

Plays nice with others

Secrets storage solutions play well with a wide range of platforms, tools, and services. Integrations with identity and access management (IAM) systems enable centralized authentication and authorization for accessing secrets. And integrations with DevOps tools, like configuration management and CI/CD pipelines, enable secure and automated secrets encryption and management within the development and deployment processes.

The different non-human identity management solutions

When you have to choose a vault, there are a few heavy hitters to pick from. Let’s take a closer look at three of the most popular solutions: Azure Key Vault, HashiCorp Vault, and AWS Secrets Manager.

Azure Key Vault

Azure Key Vault is Microsoft’s fully managed secrets encryption service. One of its key features is the Managed HSM (Hardware Security Module) for secure storage of keys, which provides FIPS 140-2 Level 3 validated protection.

This vault can seamlessly integrate with other Azure services and even support integration with Azure Active Directory (AD) for authentication and access control. Plus, it offers automated secrets rotation capabilities, making it a breeze to maintain security best practices.

Pros:

  • Tight integration with the Azure ecosystem
  • Managed HSM for secure key storage
  • Automated secrets rotation

Cons:

  • Limited support for non-Azure environments
  • Higher cost compared to some alternatives
  • Dependency on Azure-specific features and services

HashiCorp Vault

HashiCorp Vault, an open-source vault (an enterprise option is also available), is all about flexibility and scalability. It’s designed to store and manage secrets across different platforms and environments, and it offers a wide range of features like dynamic secrets, secrets encryption, leasing, and revocation capabilities.

It supports multiple secrets engines, so you can store and manage all kinds of secrets, like database credentials, API keys, and certificates. You can also expect pluggable authentication methods that will let you integrate it easily with various identity providers and access control systems.

Pros:

  • Open-source and cloud-agnostic
  • Extensive plugin ecosystem for integration
  • Dynamic secrets and granular access control

Cons:

  • Requires additional setup and maintenance
  • Steeper learning curve compared to managed services
  • Limited native integration with cloud-specific features

AWS Secrets Manager

AWS Secrets Manager is a fully managed non-human identity management service provided by AWS. One of its standout features is the automatic rotation of credentials for AWS services like RDS (Relational Database Service) and Redshift. Secrets Manager also supports VPC endpoints for private access within AWS environments and provides cross-region replication for high availability.

Pros:

  • Fully-managed service with automatic rotation for AWS services
  • Integration with AWS security features and services
  • Cross-region replication for high availability

Cons:

  • Limited support for non-AWS environments
  • Higher cost compared to self-hosted solutions
  • Dependency on AWS-specific features and services

Final thoughts

Getting real, choosing the right secrets encryption and storage solution is a pretty big deal. It’s not a decision you can just wing. You’ve got to take a hard look at what your organization needs and what you’re already working with, and make sure you’re checking all the compliance boxes. At this point, it’s quite possible, even probable, that these purpose-built solutions won’t address your end-to-end needs.

That’s where Entro swoops in to save the day. It’s not just another run-of-the-mill solution. Entro goes the extra mile by integrating with your existing vaults and secret stores, so you don’t have to start from scratch. But that’s just the beginning.

Entro goes above and beyond by discovering all your secrets across various systems, including collaboration tools and CI/CD pipelines, giving you a bird’s-eye view of your secrets landscape. And with every secret enriched with metadata, all powered by Entro, you can rest easy knowing that the highest standards of secrets and non-human identity management are in place. Check it out now!
