The Secrets Manager and KMS

How managed secret stores and key management services keep credentials and encryption keys safe.

5 min read · intro

The Problem With Hardcoded Secrets

Passwords, API keys, and database credentials end up in source code, config files, and environment variables where they leak easily. A secrets manager stores these values centrally and hands them out only to authorized callers at runtime.

What a Secrets Manager Adds

  • Access control so only the right identity can fetch a secret.
  • Audit logging of every read.
  • Rotation that replaces a secret on a schedule without code changes.

Because the secret lives in one place, rotating it once updates everyone who reads it.

What KMS Does

A Key Management Service creates, stores, and controls encryption keys. The raw key material never leaves the service. Applications send data to KMS to encrypt or decrypt, or ask KMS to wrap a smaller data key they use locally.

Envelope Encryption

A common pattern is envelope encryption: KMS protects a master key, that master key encrypts a data key, and the data key encrypts the actual data. This limits how often the master key is exposed.

Key idea

A secrets manager centralizes credentials with access control, auditing, and rotation, while a KMS guards encryption keys and enables envelope encryption so master keys stay protected.

Check yourself

1. What problem does a secrets manager solve?

2. In envelope encryption, what does the master key encrypt?

3. What stays inside a KMS and never leaves it?