What is a secrets manager?

Every application, pipeline, and cloud environment relies on sensitive credentials to function, like API keys, database passwords, and encryption keys. When those credentials are scattered across codebases, cloud ecosystems, and configuration files, the risk of exposure grows. A secrets manager solves this by centralizing the secure storage, access, and automation of infrastructure secrets throughout the development lifecycle.

Typically used by DevOps, development, and IT professionals, these tools facilitate programmatic machine access to secrets within a developer project or job. They also help prevent sensitive information from being accidentally committed to version control systems, reducing the risk of exposure.

Common types of secrets include:

• Authentication credentials - Usernames, passwords, API tokens, and SSH keys

• Database credentials - Connection strings, database usernames, and passwords

• Encryption keys - Keys used for data encryption and decryption

• Certificates - SSL/TLS certificates and private keys

• Application configuration secrets - Environment variables, configuration files, and application-specific secrets

Bitwarden Secrets Manager provides a secure, open source approach to secrets management for teams of all sizes.

Instead of credentials living in plaintext across env. files or hardcoded into code commits, a secrets manager locks them in one encrypted location. Access controls, audit logs, and secret access rotation add additional layers of protection and reduce the likelihood of human error.

Development teams use many different microservices, applications, and ecosystems throughout their workflow, and critical secrets can easily become distributed across the organization without central management. This is often referred to as “secrets sprawl”. A secrets manager consolidates these scattered credentials into a single, governed location and source of truth.

A secrets manager helps organizations manage access to secrets from one source of truth.

Addressing credential security before a breach is significantly cheaper than responding to one after the fact. A secrets manager shifts that balance toward prevention, reducing the damage costs associated with credential-related incidents.

Data protection regulations like ISO/IEC 27001 require organizations to demonstrate control over sensitive credentials. A secrets manager supports compliance through detailed auditing and reporting capabilities, providing a clear record of who accessed what and when.

Manual secrets management that involves tracking down local env. files or or hardcoding secrets slows teams down. A secrets manager CLI or SDK lets development teams securely retrieve secrets programmatically, freeing up time to improve code quality and focus on what matters most.

A secrets manager does not operate in isolation. It connects to cloud environments, CI/CD pipelines, version control systems, and local machines, all of which depend on secrets to function. Here is a breakdown of the key components.

Environments

Each environment in a software development lifecycle, including development, staging, and production, serves a different purpose and requires its own set of secrets. Cloud providers like Azure, AWS, and Google may also interact with these environments to store and share data, adding another layer of credential management.

CI/CD tools

CI/CD (continuous integration/continuous delivery) pipelines automate the software delivery process and standardize feedback loops. Popular tools include GitHub Actions, GitLab Runners, Jenkins, CircleCI, and Bamboo, all of which rely on secrets to authenticate with external services and deploy code.

Git and version control

Git is a version control system that allows engineers to work simultaneously on a source code package or project. Popular Git platforms include GitHub, GitLab, and Bitbucket. Secrets managers help prevent sensitive credentials from being committed to these repositories.

Local development

Local development is software development work done in a local machine, like a computer or other device, before code is pushed to a shared codebase. Secrets management matters at this stage too; hardcoded credentials in local files can easily end up in a shared repository.

Engineering teams and the role of a secrets manager

A standard engineering structure consists of developers, DevOps, quality assurance (QA), and IT administrators. A secrets manager stores the secrets required for the tools, machines, and cloud providers these teams rely on to interact and authenticate with each other.

The diagram below illustrates how these components fit together in a full development ecosystem.

With the ecosystem in view, the next step is understanding how a secrets manager operates within it.

First, secrets are imported or manually added to a secrets manager vault, where they are protected from unauthorized access with encryption. Solutions that use end-to-end encryption provide the strongest security. Teams can organize secrets by project, environment, or application. Once secrets are added, the secrets manager serves as the source of truth for development and infrastructure credentials.

Next, secret access and edit permissions are assigned to the appropriate employees, like developers, DevOps engineers, and IT managers, following the principle of least privilege. Permissions can be scoped to individual employees or groups, and applied to individual secrets or collections of secrets. The same applies to machines: databases, applications, websites, and infrastructure that interact with the secrets should also have scoped permissions. The right permission structure depends on the business and use case.

Lastly, an access token and secure secret ID, generated from the secrets manager, is used in place of a plaintext secret in an env. file or script. If the user and machine have access to the secret in question, the secret value is securely pulled from the secrets manager, ready for use.

Secrets managers often include features beyond core storage and retrieval for added security and deployment flexibility:

• Audit trails - Capture timestamped records of all secret management actions to investigate potentially suspicious activity.

• Additional authentication options - Beyond a standard username and password, authentication options may include single sign-on, two-factor authentication (2FA), passkeys, biometrics, or directory integrations.

• Multiple hosting options - A secrets management solution can be hosted in the cloud or self-hosted on dedicated infrastructure for additional control.

• Integrations - Out-of-the-box integrations connect various machines, CI/CD pipelines, automation tools, and cloud providers.

• SDKs - Language-specific development tools in an installable package allow teams to create custom operations.

Take control of credentials across every environment with Bitwarden Secrets Manager, the end-to-end encrypted, open source secrets manager trusted by teams and businesses of all sizes.

Bitwarden Secrets Manager offers predictable pricing and unlimited secret storage on any plan, including a free plan for up to 2 users. Get started for free or start a 7-day business trial to explore all the enterprise features. For a personalized consultation, contact sales.