What is a Secrets Manager?

Secrets managers are software solutions for managing, sharing, storing, and automating infrastructure secrets throughout the development lifecycle — playing a crucial role in modern cybersecurity by preventing costly data breaches. Typically used by DevOps, development, or IT professionals, a key functionality of secrets managers is facilitating programmatic machine access to secrets within a developer project or job.

Secrets managers typically store secrets like: 

• Authentication credentials - Usernames, passwords, API tokens, and SSH keys.

• Database credentials - Connection strings, database usernames, and passwords.

• Encryption keys - Keys used for data encryption and decryption.

• Certificates - SSL/TLS certificates and private keys.

• Application configuration secrets - Environment variables, configuration files, and application-specific secrets.

Security

Secrets managers significantly reduce the risk of leaking secrets and potentially exposing business infrastructure by securing secrets in one encrypted location. Additional security features like access controls, audit logs, and secret rotation also reduce the likelihood of human error when working with sensitive secrets. 

Eradicate secrets sprawl

Because development teams utilize many different microservices, applications, and ecosystems for their job, critical secrets can easily become distributed across the organization with no central management. A secrets manager helps organizations manage access to these secrets from one source of truth.

Cost savings

Businesses see cost savings when using secrets management solutions to proactively address developer security, as opposed to reactive actions post-data breach. According to Forbes, “Global cybercrime damage costs are expected to grow by 15%” in 2024, “reaching $10.5 trillion USD annually by 2025.” With a secrets manager, businesses can prevent these damage costs associated with credential-related breaches. 

Compliance

Help your business comply with data protection regulations like ISO/IEC 27001 via detailed auditing and reporting capabilities, provided by your secrets manager. 

Developer productivity

With a secrets manager, development teams no longer need to manage and secure secrets manually, but instead can retrieve secrets programmatically. This frees up more time to improve code quality and focus on what matters most.

Before learning how a secrets manager works, it is important to understand how development teams operate and what ecosystems, environments, and tools they use. 

A typical development ecosystem is comprised of the following: 

Environments

Environments are workspaces for engineers to build software systems and applications. Common environments in a software development lifecycle include but are not limited to, development, staging, and production. Each environment requires a different set of secrets to function. Cloud providers like Azure, AWS, and Google may also interact with these environments to store and share data.

CI/CD tool(s)

A CI/CD (continuous iteration/continuous delivery) pipeline is used to automate a software delivery process and standardize feedback loops. There are many CI/CD tools to choose from that facilitate this automation, including GitHub Actions, GitLab Runners, Jenkins, Circle CI, Bamboo, and more. 

GIT

GIT (global information tracker) is a version control system that is often used in software development and allows engineers to work simultaneously on a source code package or project. Popular GIT tools include GitHub, GitLab, and Bitbucket. 

Local development

Local development is software development work done on a local machine (like a computer or other device) before being pushed to an environment codebase.

Engineering team

A standard engineering structure consists of Developers, DevOps, Quality Assurance (QA), and IT administrators. 

A secrets manager

A secrets manager will store the secrets required for these various tools, machines, and cloud providers to interact and authenticate with each other.

The whole ecosystem

Take a look at the diagram below to see the full development ecosystem.

Secretly store your secrets

First, secrets are imported or manually added to a secret manager where they are protected from unauthorized access with encryption. Tip: select a solution that uses end-to-end encryption for the strongest security. Once secrets are added, the secrets manager will serve as your organization’s source of truth for development and infrastructure credentials.

Restrict access to privileged employees and machines

Next, assign secret access and edit permissions to the right employees, like developers, DevOps engineers, and IT managers, following the principle of least privilege. For many secrets managers, permissions can be assigned to employee groups or individual employees to access or edit groups of secrets or individual secrets. Select the permission structure that makes sense for your business and use case. 

Assign access and edit permissions to relevant machines including databases, applications, websites, and infrastructures that are interacting with the secret(s). 

Inject secrets into development workflows

Lastly, a secure secret ID, generated from the secrets manager, is used in place of a plaintext secret in an env. file or script. If the user and machine have access to the secret in question, the secret value will be securely pulled from the secrets manager, ready for use.

Additional functionality included in secrets managers

Secrets managers sometimes include features and functionalities for added security and deployment flexibility. 

• Audit trails - Capture timestamped records of all secret management actions to investigate potentially suspicious activity.

• Additional authentication options - Outside of a standard username and password, authentication options may include single sign-on, 2-factor authentication, passkeys, biometrics, or directory integrations.

• Multiple hosting options - Host your secrets management solution in the cloud or self-host on your own infrastructure for additional control. 

• Integrations - Easily build relationships between your various machines, CI/CD pipelines, automation tools, and cloud providers with out-of-the-box integrations.

• SDKs - Create custom operations with language-specific development tools in an installable package.

Ready to get started on your secrets management journey? Choose the end-to-end encrypted and open source secrets manager trusted by teams and businesses of all sizes to secure their critical secrets, Bitwarden Secrets Manager.

Bitwarden Secrets Manager offers predictable pricing and unlimited secret storage on any plan. To test out all the business functionality that Bitwarden Secrets Manager has to offer, contact sales for a free 7-day trial. To get started right away, create a free account.