NavigationContentFooter
Jump toSuggest an edit
Was this page helpful?

Differences between Key Manager and Secret Manager

Reviewed on 06 February 2025Published on 06 February 2025

Secret Manager and Key Manager are both security-focused products aiming to help you protect your data and improve the security of your infrastructure. The difference between the two of them is not always clear, and you may be unsure which one is most appropriate for your use-case.

This page helps you answer that question.

Secret ManagerLink to this anchor

Secret Manager stores various secrets that your applications might need to access at some point. For example, when your application needs to call an external API service or connect to a database, it fetches the API token or the credentials from Secret Manager before proceeding.

Secrets can be largely anything you want: API tokens, credentials to connect to a database, or simply sensitive data. There are no limits, other than the size of the secrets which is limited to 64 KiB.

Key ManagerLink to this anchor

In contrast, Key Manager only stores cryptographic keys. At first, Key Manager may seem to be just a limited version of Secret Manager, for keys only.

It is indeed true that Secret Manager could also store cryptographic keys and hand them over to applications that need to perform cryptographic operations.

However, this approach can lead to serious security problems such as:

  • inadvertently storing your keys in plaintext, or exposing them (e.g. in logs)
  • incorrect (re-)use of keys: your application would be responsible for using the key correctly, which is harder than it first seems.
  • not disposing of the key properly after use (e.g. letting it reside in the swap disk)

These are typical key management problems that are not effectively solved by Secret Manager, hence the need for Key Manager.

Key Manager does not simply give you any requested key. All keys residing in Key Manager never (and never will) leave Key Manager, since there is no way to extract them by design.

Since you cannot extract keys, Key Manager performs the cryptographic operations for you. This means that your application supplies the plaintext to be encrypted, or the ciphertext to be decrypted. Your application is no longer responsible for managing the keys and using them properly as Key Manager takes care of it.

Last, but not least, Key Manager provides another way of authorizing certain actions. You might want to authorize some principals only to encrypt data, and others only to decrypt data.

Let us take the example of an application that receives sensitive health data that needs to be encrypted before being inserted into a database. The application would be able to ask Key Manager to carry out encryption operations, but not decryption operations, so it cannot read the sensitive data already stored.

This would not be possible to achieve with Secret Manager, since both writing and reading applications would need permissions to read the key from Secret Manager, which is sufficient to both encrypt and decrypt the data.

Cryptographic keys are secrets that need special care, and Key Manager is an effective tool to help you manage them securely. Key Manager allows your applications to offload all sensitive cryptographic operations and keep keys out-of-band for extra security.

Was this page helpful?
API DocsScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCareers
© 2023-2025 – Scaleway