Secrets Management: Protecting Credentials and Keys

Key Points

  • Secrets management is the practice of securely storing and sharing credentials (passwords, API keys, cryptographic keys, certificates, tokens) so they can be used by users or applications without being exposed.
  • Organizations typically have tens to thousands of such secrets, making manual tracking impossible and necessitating a systematic approach.
  • A major problem is secret sprawl: credentials end up hard‑coded in source code, placed in configuration files, or checked into version‑control systems, often in plaintext.
  • This uncontrolled distribution increases the risk of accidental leakage, credential compromise, and makes it difficult to rotate or revoke secrets.
  • Centralized secret‑management solutions address these issues by providing encrypted storage, access control, auditing, and automated rotation to keep secrets truly secret.

# Secrets Management: Protecting Credentials and Keys

**Source:** [https://www.youtube.com/watch?v=BqekRTA6VCs](https://www.youtube.com/watch?v=BqekRTA6VCs)
**Duration:** 00:09:27

## Sections

- [00:00:00](https://www.youtube.com/watch?v=BqekRTA6VCs&t=0s) **Untitled Section**
- [00:03:19](https://www.youtube.com/watch?v=BqekRTA6VCs&t=199s) **Risks and Management of Secrets** - The speaker highlights the danger of API keys appearing in large language model training data and stresses the need for strict access controls, monitoring, and regular secret rotation to keep sensitive credentials secure.
- [00:06:24](https://www.youtube.com/watch?v=BqekRTA6VCs&t=384s) **Time‑Based Unique Secret Management** - The speaker outlines a secret‑management architecture that uses per‑system, short‑lived secrets stored encrypted, and emphasizes handling requests through authentication, authorization, administration, and auditing (the four A’s).

## Full Transcript
0:00 I've got a secret.
0:01 In fact, I've gotten hundreds of them, and I'll bet you do too.
0:04 Don't worry, I won't ask you to tell me any of them,
0:07 but let me ask you this, what's the best way to keep a secret?
0:11 The simple answer is don't tell anyone,
0:13 but if that secret is a credential that needs to be shared so that other users or applications can function,
0:19 then how do you give them access without leaking it to the whole world?
0:23 That's what secrets management is all about, and it's what we're gonna unpack in this video.
0:28 We'll take a look at...
0:29 What are secrets from an IT perspective?
0:32 What are the issues involved?
0:33 And how can you keep secrets secret?
0:36 Okay, let's start with what are IT secrets?
0:40 Everybody's got tons of these, as I said.
0:42 For instance, you've got passwords.
0:44 Those are things that let you get into a system, and hopefully you're the only one that knows what those passwords are.
0:50 If you've got programs, applications,
0:52 then they're probably using a different form of authentication, maybe using something like an API key.
0:59 So these things will be sitting out there and you may have tons of these things.
1:04 Cryptography, if you're gonna keep your information secret, then you need to be able to encrypt it,
1:10 and that means you've got keys, sometimes private keys, public keys, symmetric keys, all kinds of keys,
1:17 but you've got keys and those need to be also kept secret.
1:21 Related to that, if you're doing anything with PKI, public key infrastructure,
1:25 then you will probably need to know about certificates, digital certificates.
1:31 And these things, while technically not secret, they do need to be stored in one place.
1:36 The certificate generally just has public information in it,
1:40 but you still need to have one trusted source where you have those things so that you can go look them up,
1:45 and therefore it would be a good thing to manage all these together.
1:48 And finally, we could have all sorts of other, I'll just call them tokens, as a general catch-all term.
1:55 That would be for other things.
1:56 You may have dynamic tokens and other things of that sort.
1:59 So look at all of these things and I'm going to suggest that you've got tens of these.
2:06 If you're an organization of any size, you've probably got hundreds.
2:10 You might even have thousands of these things.
2:13 So that's what it is.
2:15 A lot of secrets, and you've gotta manage them all.
2:18 You can't remember them all, so how are you going to manage them?
2:22 Now let's take a look at what some of the issues are
2:25 with storing those secrets.
2:27 Well, one of the first ones is this issue of sprawl.
2:31 That is, you're gonna end up with these secrets spread hither and yon all over the place.
2:37 You might see them in source code.
2:39 If somebody were to actually see the source code, they might be hard coded in there.
2:43 It could be in config files, which are generally visible to people that might have access to them.
2:50 It could be in a version control system of some sort, where, again...
2:54 this information might be stored in the clear, which leads me to my next point, that this stuff being stored in the clear is an issue.
3:03 Another example of places where these secrets might be kept
3:07 might result in them being logged, written out to a log of some sort,
3:13 and then if anyone has access to the log, they're gonna see the secrets, and that's not a good thing to do.
3:19 Another thing, in fact, that's a theoretical risk that I'm referring to.
3:24 There was one recent report that came out where there were 12,000 live API keys and secrets of that sort
3:31 that were found in a training data set that's used to train
3:35 large language models, some of the really popular ones that you know of.
3:38 So that means if that's going into the training of those systems,
3:41 those systems might spit those things out at some point in the future.
3:45 Again, a big problem.
3:47 This stuff needs to remain private.
3:48 That's why we call it a secret in the first place.
3:51 I also need to manage access.
3:53 So I need some sort of access control capability so that we can keep it secret,
3:58 but it needs to be revealed to the right person, the person who is authorized to see this stuff.
4:03 I need to be able to monitor how all of this stuff works, who is accessing it and when and why,
4:10 and then ultimately, secrets can't stay that way forever.
4:14 We need to be able to rotate secrets.
4:17 That is, if it was a secret now, if someone has enough time, they might be able to brute force, guess what that secret is
4:23 or discover it through some other means over time.
4:26 So we change them over time, and that way this rotation of secrets
4:30 becomes a way that we add additional security into the system.
4:34 If I'm not rotating, then I'm basically a sitting duck, and we wanna be a moving target.
4:40 So those are the issues.
4:41 Now, how are we going to address those?
4:44 Well, the first one I talked about was sprawl,
4:46 and in that case, you can see if I've got multiple sections of source code
4:50 or multiple systems, they've got secrets embedded in them.
4:54 That's a problem because the more different places they are,
4:57 the larger the attack surface is, and the harder it is to secure all of those different things.
5:01 So what would I want to do?
5:03 Well, ideally, what I want to do is centralize.
5:06 So I want to be able to take all of this stuff and come up with a centralized secrets management system
5:13 and have these systems go query it whenever they need the secrets.
5:18 Therefore, we keep the secrets here and not there; that addresses the sprawl problem.
5:24 The next thing, how about this information in the clear?
5:27 The secrets that are in the clear obviously are not secrets; those are public secrets.
5:31 So the clear, simple answer is encrypt those things.
5:35 So if I do that, then if someone does happen to look into one of these systems,
5:40 then they're only gonna see encrypted information; they're not gonna see the actual thing.
5:44 How about access control?
5:46 Well, have access control lists.
5:49 Have an authentication system, then make sure that you are authorized to access this information in the first place
5:55 and add that into the secrets management system.
5:58 Other things that we might do is monitor. Okay, I need to be able to audit this system.
6:04 I need to see who accessed it and why.
6:07 And then ultimately, rotation of secrets so that they change over time.
6:12 Well, what I wanna be able to have there is this notion of dynamic secrets.
6:17 With dynamic secrets,
6:18 now I have a system that can do ephemeral secrets.
6:22 In other words, it's a temporary thing.
6:24 It's time-based and unique secrets.
6:27 That is, it is unique to every single system.
6:30 There's no shared secrets across or duplicated secrets.
6:34 Every single one is unique.
6:36 Every single one has a short lifespan.
6:38 So it makes it really hard for a bad guy to discover these things and use them before they've expired.
6:45 Okay, what would a system that does these kinds of things actually look like?
6:48 Let's take a look at the architecture.
6:50 So who do we have trying to access this?
6:53 Well, as I said, we've got users that are gonna try to get into the system.
6:57 We've got a bunch of different apps that are going to try to get in.
7:01 We may have cloud instances that are trying to get in.
7:05 So I've got all of these things trying to access the secrets.
7:09 And then somewhere over here, I'm gonna have some data store
7:13 that is gonna have the actual secrets in it,
7:16 and this is going to be encrypted for sure, so that if someone gets a hold of that, they still can't see what's in there.
7:25 So users trying to access secrets.
7:27 Now, how are we gonna handle this?
7:29 Well, what I need is a system in the middle that does this secrets management.
7:33 And one of the major things that it needs to be able to do are the four A's.
7:38 If you've seen any of my videos on identity and access management, I talk about these four A's.
7:42 So, what are they?
7:43 Well, it's authentication.
7:45 That's answering the question, who are you?
7:48 There's authorization.
7:50 That's answering the question,
7:52 are you allowed to do this or not?
7:54 And then we have administration.
7:57 That's how I control these previous two A's.
8:01 And then ultimately, I mentioned a monitoring and audit system.
8:05 That's the fourth A.
8:06 I wanna be able to audit the information and see if I did the previous three A's correctly.
8:11 So now I can authenticate that it's the proper user, the proper app, the proper cloud instance
8:18 that is accessing these things through these kinds of forays and monitor all of that.
8:23 The other things I need to be able to do, I'm gonna call this CRUD.
8:27 This is create, read, update, and delete.
8:30 So I'm going to create a secret, I need to be able to read the secret,
8:34 I need to be able to update it at some point, and then ultimately delete it and retire that secret,
8:39 and the update part...
8:41 I mentioned previously, is this business of rotation.
8:45 So I need to be able to change those over time.
8:47 So here we have a secrets management system that sits in the middle between the systems
8:54 and users that need to access the secrets and the secrets themselves
8:58 and manages all of that access and keeps it all very simple.
9:02 So these things don't have to know this directly.
9:05 They just need to know what they want and how to get to it.
9:09 Now that you know what needs to be done, you could build all this from scratch,
9:13 although I wouldn't recommend it because this stuff is really complex, as you can see.
9:17 Better would be to leverage an enterprise class secrets management tool that does all the heavy lifting for you.
9:24 That way your secrets will truly be just that, secret.
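The architecture the speaker sketches from 7:29 onward (clients on one side, an encrypted data store on the other, and a broker in the middle doing the four A's, CRUD with rotation, and dynamic time-based unique secrets) as an added Python example; this is not code from the video or from any product, only a model of the design it describes. Everything here is constructed: the `SecretsBroker` class and its method names, the in-memory store standing in for a real backend, the bearer tokens the broker issues, and an HMAC-SHA256 counter-mode stream cipher with an HMAC tag standing in for a real AEAD such as AES-GCM (the standard library has no AES, so this keeps the example dependency-free; in practice you would use a vetted library). The audit log is a plain list where a real deployment would ship events to a SIEM.

```python
"""Minimal centralized secrets broker (added illustration, not the video's code).
Constructed assumptions: in-memory store, broker-issued bearer tokens, an HMAC-based
stream cipher + tag standing in for a real AEAD such as AES-GCM, audit log as a list."""
import hashlib, hmac, os, secrets, time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC -> nonce || ciphertext || tag; the store never holds plaintext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("stored secret failed its integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecretsBroker:
    def __init__(self, master_key: bytes, clock=time.time):
        # One master key, separate sub-keys for confidentiality and integrity.
        self._enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._store = {}   # name -> {"blob", "version", "expires"}
        self._tokens = {}  # principal -> sha256(bearer token); the token itself is not kept
        self._acl = {}     # principal -> {(secret name, action)}
        self.audit = []    # fourth A: every decision, allowed or denied
        self._clock = clock

    # Administration: which principals exist and what each one may do.
    def register(self, principal: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[principal] = hashlib.sha256(token.encode()).digest()
        self._acl.setdefault(principal, set())
        return token

    def grant(self, principal: str, name: str, *actions: str) -> None:
        self._acl[principal].update((name, a) for a in actions)

    # Authentication (who are you?), authorization (are you allowed?), audit (record it).
    def _check(self, principal: str, token: str, name: str, action: str) -> None:
        known = self._tokens.get(principal)
        authn = known is not None and hmac.compare_digest(
            known, hashlib.sha256(token.encode()).digest())
        authz = authn and (name, action) in self._acl[principal]
        self.audit.append({"t": self._clock(), "who": principal, "action": action,
                           "secret": name, "authn": authn, "authz": authz})
        if not authz:
            raise PermissionError(f"{principal} may not {action} {name}")

    # CRUD; update is the rotation the speaker describes.
    def create(self, principal, token, name, value: str, ttl=None) -> None:
        self._check(principal, token, name, "create")
        self._put(name, value, ttl)

    def read(self, principal, token, name) -> str:
        self._check(principal, token, name, "read")
        rec = self._store.get(name)
        if rec is None or (rec["expires"] is not None and self._clock() >= rec["expires"]):
            raise KeyError(f"{name} is missing or expired")
        return unseal(self._enc, self._mac, rec["blob"]).decode()

    def rotate(self, principal, token, name, new_value=None) -> int:
        self._check(principal, token, name, "update")
        old = self._store[name]
        ttl = None if old["expires"] is None else old["expires"] - self._clock()
        self._put(name, new_value or secrets.token_urlsafe(24), ttl, old["version"] + 1)
        return old["version"] + 1

    def delete(self, principal, token, name) -> None:
        self._check(principal, token, name, "delete")
        self._store.pop(name, None)

    # Dynamic secrets: one per requesting system, short-lived, never shared.
    def lease(self, principal, token, prefix: str, ttl: float):
        self._check(principal, token, prefix, "lease")
        name = f"{prefix}/{principal}/{secrets.token_hex(4)}"
        value = secrets.token_urlsafe(24)
        self._put(name, value, ttl)
        self.grant(principal, name, "read")
        return name, value

    def _put(self, name, value, ttl, version=1):
        expires = None if ttl is None else self._clock() + ttl
        self._store[name] = {"blob": seal(self._enc, self._mac, value.encode()),
                             "version": version, "expires": expires}
```

Two design points the broker makes concrete. First, a client never touches the master key or the store; it only ever sees the one value it was authorized to read, which is what removes the sprawl: the app holds a broker token, not the database password. Second, every call passes through `_check`, so the audit list records denied attempts as well as successful ones, including the case where authentication succeeds but authorization fails, which is the signal a monitoring team wants to see. `lease` is the speaker's time-based unique secret: the name embeds the requesting principal, the value is freshly generated, and `read` refuses it once the TTL has passed, so a leaked lease is useless after expiry.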