Secrets Manager


Secrets Manager is a single secure service for storing and managing sensitive data. The service is now in beta testing.

Sensitive data includes database passwords, SSH keys, API keys, SSL certificates and their private keys, and other credentials.

Secrets Manager provides secure access to applications, databases, and services that use sensitive data inside Selectel services. It can also be used to store sensitive data that is used on external services.

Users who have access to the Cloud platform project can manage project secrets in the Control panel and in the external panel.

The history of operations is available to audit access to secrets and swiftly respond to potential security threats. It shows all actions performed on secrets by users. To view the operations in the Control panel, go to Cloud platform ⟶ Secrets ⟶ Operations tab.

Secrets Manager benefits:

  • centralized secrets storage;
  • storing secrets in encrypted form (AES 256-GCM);
  • using TLS encryption for data transfer;
  • audit secrets access (history of operations);
  • easy usage of secrets for both people and automatic systems;
  • minimum attack perimeter — all secrets are stored in a single repository that only authorized users have access to.

Billing and Payment

During the beta testing period, the service is not billed and is provided free of charge. We will inform you about the start of billing in advance.

Managing Secrets

To add sensitive data to the Secrets Manager, from the Control panel:

  1. Go to Cloud platform ⟶ Secrets.

  2. Click Create a secret.

  3. Enter:

    • Secret name that is its unique key. Once the secret has been created, the name cannot be changed;
    • Value can be a password, API key, certificate key, etc. The limit is 65536 characters;
    • Description.
  4. Click Create.

You can also create secrets and access them through the API.

For your applications to access secrets, place the REST API call code in your application source code instead of the access data specified as text. It allows you to retrieve sensitive data programmatically using the Secret Manager API.