Secrets management

Simplify your secrets management infrastructure

What is a secret?

In software engineering, what are we referring to when we say secret?

A secret, at its essence, is a piece of sensitive information that you want to keep, well, secret.

Secrets come in many forms, and you’ve likely encountered more than one, such as a password, environment ID, API key, encryption key, authorization token, or something similar.

Keeping track of all of these keys, IDs, tokens, etc. between developers and across multiple environments becomes difficult to organize and maintain when there is no secrets infrastructure in place: values get copied into chat messages, .env files and CI settings, and nobody knows which copy is current.

Which brings us to secrets management.

The importance of secrets management

Secrets management is the process and practice of consolidating sensitive information and ensuring your secrets stay secure, confidential, and manageable.

By implementing a proper secrets management infrastructure, you can fortify your team’s security posture, decrease DevOps friction, and improve developer efficiency.

With the right tools, secrets management can help you and your team:

  • Prevent secret sprawl and security islands

  • Keep sensitive information confidential

  • Prevent secrets from leaking through source code or breaches

  • Reduce the impact of a breach by rotating and revoking credentials automatically

There are a myriad of secret management tools to pick from.

I’m going to talk about one in particular, Infisical.

Infisical

Infisical is an open-source secrets management platform that is powerful and easy to use: an all-in-one platform to securely manage application configuration and secrets across your team and infrastructure.

Getting started

To begin, let’s set up an Infisical account.

Once you’ve done that we can get up and running easily with the Infisical CLI.

I’m on MacOS so I installed the CLI with Homebrew:

brew install infisical/get-cli/infisical

If you’re on a different OS you can find installation instructions in the Infisical CLI documentation.

Next, log in to your Infisical account with the CLI:

infisical login

Then, connect your local project to an Infisical project:

infisical init

Now that Infisical is configured, we can inject secrets from the cloud project straight into a process with the infisical run command. The CLI fetches the secrets for the chosen environment and passes them to your application as environment variables.

The command structure is:

infisical run [options] -- [your application start command]

Let’s use the --env flag to specify the environment from which we want to inject secrets.

I spun up a quick Next.js project with Bun so my command and output is the following:

[Terminal output of the command `infisical run --env=dev -- bun run dev`, showing 5 secrets injected into the application process]

And just like that, Infisical injected five secrets from my Infisical cloud development environment into my application process.

By default, the run command uses the dev environment but I like to be verbose.

You can inject secrets from other Infisical cloud project environments by passing their environment slugs. Slugs are defined per project, so check your project’s settings if yours differ; in my project they are:

  • dev

  • staging

  • test

  • prod

These secrets will stay in sync across your team, as people add, edit, and remove them from any of your project’s environments. A single source of truth.
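The application side of this workflow is worth a closer look, because `infisical run` hands the secrets to the process as plain environment variables, and environment variables are inherited by every child process and readable by anything that can inspect the process. The following is an added example, not code from the post or from Infisical: a small startup module for the Next.js app that checks the injected variables are present, refuses to treat anything named `NEXT_PUBLIC_*` as a secret (Next.js inlines those into the browser bundle, so such a value would be shipped to every visitor), and produces a redacted copy of the environment that is safe to log. The secret names and the sample values are assumptions for illustration.

```javascript
// Added example (not from the post or from Infisical): the application side
// of `infisical run`. The CLI injects each secret as an environment variable
// into the child process; this module validates those variables at startup.
// The secret names below are assumptions for illustration.

const REQUIRED_SECRETS = ["DATABASE_URL", "STRIPE_SECRET_KEY"];

// Next.js inlines every variable whose name starts with NEXT_PUBLIC_ into the
// browser bundle, so a secret stored under such a name is published to every
// visitor. Refuse to treat one as a secret.
const BROWSER_PREFIX = "NEXT_PUBLIC_";

function loadSecrets(env = process.env, required = REQUIRED_SECRETS) {
  const exposed = required.filter((name) => name.startsWith(BROWSER_PREFIX));
  if (exposed.length > 0) {
    throw new Error(
      `refusing secrets that would ship to the browser: ${exposed.join(", ")}`
    );
  }

  const missing = required.filter(
    (name) => typeof env[name] !== "string" || env[name].trim() === ""
  );
  if (missing.length > 0) {
    // Report names only; never echo values into logs or error pages.
    throw new Error(
      `missing secrets: ${missing.join(", ")} (was the app started under 'infisical run'?)`
    );
  }

  const secrets = {};
  for (const name of required) secrets[name] = env[name];
  return Object.freeze(secrets);
}

// Copy of the environment that is safe to print in a startup log: secret
// values are replaced, everything else is left alone. This is for logging
// only; it does not protect the real values, which remain readable to any
// child process and to anyone who can inspect the process environment.
function redactedEnv(env, secretNames = REQUIRED_SECRETS) {
  const out = {};
  for (const [name, value] of Object.entries(env)) {
    out[name] = secretNames.includes(name) ? "[redacted]" : value;
  }
  return out;
}

// Constructed sample environment standing in for what
// `infisical run --env=dev -- bun run dev` would inject; values are placeholders.
const SAMPLE_ENV = {
  NODE_ENV: "development",
  DATABASE_URL: "postgres://app:placeholder@localhost:5432/app",
  STRIPE_SECRET_KEY: "sk_test_placeholder",
};

// Stand-alone run: validate the sample environment and log the redacted view.
const loadedSecrets = loadSecrets(SAMPLE_ENV);
console.log(`loaded ${Object.keys(loadedSecrets).length} secrets`);
console.log(redactedEnv(SAMPLE_ENV));
```

In the real app, call `loadSecrets()` with the default `process.env` once at startup (for example from the server-side config module), so a deploy that was not started under `infisical run`, or one whose environment lacks a secret, fails immediately with the missing names rather than partway through a request.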

Wrapping up

That should be enough to get you started, but, Infisical has much more to offer if you’d like to further explore what’s possible.

You can sync secrets with your CI/CD pipelines, automatically detect secret leaks in your codebase with secret scanning, assign user roles to further restrict secret access, create approval policies for secret modifications, or set up automatic credential rotation.

Check out their documentation if you’re interested.