Secret Manager overview

Secret Manager is a secrets and credential management service that lets you store and manage sensitive data such as API keys, usernames, passwords, certificates, and more.

A secret is a global resource that contains a collection of metadata and secret versions. The metadata can include replication locations, labels, annotations, and permissions. Secret versions store the actual secret payload, such as an API key or credential.

Using Secret Manager, you can do the following:

  • Manage rollback, recovery, and auditing using versions: Versions help you manage gradual rollouts and emergency rollback, If a secret is accidentally changed or compromised, you can revert to a previous, known-good version. This minimizes potential downtime and security breaches. Versioning maintains a historical record of changes made to a secret, including who made the changes and when. It helps you audit secret data and track any unauthorized access attempts. You can pin secret versions to specific workloads and add aliases for easier access to secret data. You can also disable or destroy secret versions that you don't require.

  • Encrypt your secret data in transit and at rest: All secrets are encrypted by default, both in transit using TLS and at rest with AES-256-bit encryption keys. For those requiring more granular control, you can encrypt your secret data with Customer-Managed Encryption Keys (CMEK). Using CMEK, you can generate new encryption keys or import existing ones to meet your specific requirements.

  • Manage access to secrets using fine-grained Identity and Access Management (IAM) roles and conditions: With IAM roles and permissions, you can provide granular access to specific Secret Manager resources. You can segregate responsibilities for accessing, managing, auditing, and rotating secrets.

  • Ensure high availability and disaster recovery with secret replication: You can replicate your secrets across multiple regions to ensure high availability and disaster recovery for your applications regardless of their geographic location. You can choose between the following replication policies:

    • Automatic: Google decides the regions considering availability and latency. You are only charged for one location.
    • User Managed: You can select a custom set of regions depending on your requirements. You are charged per location.
  • Rotate secrets automatically to meet your security and compliance requirements: Rotating your secrets protects against unauthorized access and data breaches. Regularly changing your secrets reduces the risk of stale or forgotten secrets and ensures compliance with many regulatory frameworks that require periodic rotation of sensitive credentials.

  • Enforce data residency using regional secrets: Data residency requires that certain types of data, often belonging to specific individuals or organizations, be stored within a defined geographic location. You can create regional secrets and store your sensitive data within a specific location to comply with data sovereignty laws and regulations.

Difference between secrets management and key management

Secrets management and key management are both critical components of data security, but they serve distinct purposes and handle different types of sensitive information. The choice between secrets management and key management depends on your specific needs. If you want to securely store and manage confidential data, a secrets management system is the right tool. If you want to manage encryption keys and perform cryptographic operations, a key management system is the better choice.

You can use the following table to understand the key differences between Secret Manager and a key management system, such as Cloud KMS.

Feature Secret Manager Cloud Key Management Service
Primary function Store, manage, and access secrets as binary blobs or text strings Manage cryptographic keys and use them to encrypt or decrypt data
Data stored Actual secret values. With the appropriate permissions, you can view the contents of the secret. Cryptographic keys. You can't view, extract, or export the actual cryptographic secrets (the bits and bytes) that are used for encryption and decryption operations.
Encryption Encrypts secrets at rest and in transit (using Google-managed or customer-managed keys) Provides encryption and decryption capabilities for other services
Typical use cases Store configuration information such as database passwords, API keys, or TLS certificates needed by an application at runtime Handle large encryption workloads, such as encrypting rows in a database or encrypting binary data such as images and files. You can also use Cloud KMS to perform other cryptographic operations such as signing and verification.

What's next