This topic explains the main Secret Manager concepts.
Secrets management and key management
Secret Manager allows you to store, manage, and access secrets as binary blobs or text strings. With the appropriate permissions, you can view the contents of the secret.
Secret Manager works well for storing configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime.
A key management system, such as Cloud KMS, allows you to manage cryptographic keys and to use them to encrypt or decrypt data. However, you cannot view, extract, or export the key material itself.
Similarly, you can use a key management system to encrypt sensitive data before transmitting it or storing it. You can then decrypt the sensitive data before using it. Using a key management system to protect a secret in this way is more complex and less efficient than using Secret Manager.
Cloud KMS is designed to handle large encryption workloads, such as encrypting rows in a database or encrypting binary data such as images and files. You can also use Cloud KMS to perform other cryptographic operations such as signing and verification.
To learn about limitations on payload sizes, resource quantities, and rate limiting, see Secret Manager quotas.
A secret is a project-global object that contains a collection of metadata and secret versions. The metadata can include replication locations, labels, and permissions. The secret versions store the actual secret data, such as an API key or credential.
A secret version stores the actual secret data, such as API keys, passwords, or certificates.
You can address individual versions of a secret. You cannot modify a version, but you can delete it.
You rotate a secret by adding a new secret version to the secret. Any version of a given secret can be accessed, as long as that version is enabled. To prevent a secret version from being used, you can disable that version.
It is not possible to schedule a secret for automatic rotation.