File-based secret store
Store secrets in encrypted files, which are typically checked into version control.
To encrypt the files, you need an encryption key. That is itself a secret.
To solve this conundrum you can
- Use a key management service provided by your cloud provider, e.g. AWS KMS
- Use PGP keys: a pair of public and private keys.
Centralized secret store
Centralized secret stores are typically web services that you talk to over the network; they encrypt your secrets and store them in a data store such as MySQL, PostgreSQL, DynamoDB, etc. To encrypt these secrets, these centralized secret stores need an encryption key. Typically, the encryption key is managed by the service itself, or the service relies on a cloud provider's KMS.
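Both sections above come down to the same construction: the secrets are encrypted under a key that never sits beside them, whether the file lives in version control or in a secret store's database. The following Go program is an added example, not part of the original notes and not the code of any secret store or of a tool like sops; it shows envelope encryption with the Go standard library. The secrets are encrypted with a fresh data key, and only that data key is encrypted under a key-encryption key (KEK). The KEK is held here as a raw in-memory value, which is an assumption of the example; in practice it is a KMS key or a PGP private key and is the one thing that is never committed. The `EncryptedFile` layout is also made up for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is the on-disk layout of the committed secrets file (a format
// made up for this example). Both fields are ciphertext, so the file is safe
// to check into version control.
type EncryptedFile struct {
	WrappedDataKey []byte `json:"wrapped_data_key"` // data key encrypted under the KEK
	Ciphertext     []byte `json:"ciphertext"`       // nonce || AES-GCM(secrets)
}

// KeyEncryptionKey stands in for the root key that is never committed: in a
// real deployment it is held by a cloud KMS or is a PGP private key. Holding
// it as a raw 32-byte value in memory is an assumption of this example.
type KeyEncryptionKey []byte

// newGCM builds an AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key and prefixes the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// openGCM reverses sealGCM; the GCM tag check turns any tampering into an error.
func openGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Encrypt performs envelope encryption: a fresh random data key encrypts the
// secrets, and the KEK encrypts only that data key. This is the split that lets
// the KEK stay inside a KMS or on a PGP keyring instead of next to the data.
func Encrypt(kek KeyEncryptionKey, secrets []byte) ([]byte, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ct, err := sealGCM(dataKey, secrets)
	if err != nil {
		return nil, err
	}
	wrapped, err := sealGCM(kek, dataKey)
	if err != nil {
		return nil, err
	}
	return json.Marshal(EncryptedFile{WrappedDataKey: wrapped, Ciphertext: ct})
}

// Decrypt unwraps the data key with the KEK and then opens the secrets.
// Without the KEK (no KMS permission, no PGP key) the first step fails.
func Decrypt(kek KeyEncryptionKey, fileBytes []byte) ([]byte, error) {
	var f EncryptedFile
	if err := json.Unmarshal(fileBytes, &f); err != nil {
		return nil, err
	}
	dataKey, err := openGCM(kek, f.WrappedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dataKey, f.Ciphertext)
}

// ContainsPlaintext is the check a pre-commit hook would run: none of the
// secret values may appear in the clear in the file about to be committed.
func ContainsPlaintext(fileBytes []byte, secretValues [][]byte) bool {
	for _, v := range secretValues {
		if bytes.Contains(fileBytes, v) {
			return true
		}
	}
	return false
}

func main() {
	kek := make(KeyEncryptionKey, 32) // stand-in for the KMS/PGP-held key
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	secrets := []byte(`{"db_password":"constructed-sample-password"}`) // constructed input
	enc, err := Encrypt(kek, secrets)
	if err != nil {
		panic(err)
	}
	fmt.Println("file to commit:", string(enc))
	dec, err := Decrypt(kek, enc)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(dec))
}
```

The committed artifact is the JSON produced by `Encrypt`: a wrapped data key plus the ciphertext, neither of which reveals anything without the KEK. Rotating the KEK only requires re-wrapping the small data key, not re-encrypting every secret, which is why both file-based tools and centralized stores use this two-level layout.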