Glossary

Key terms in secrets management, explained.

Dynamic Secrets
Credentials generated on demand with a short time-to-live (TTL). Each consumer gets a unique secret that expires automatically, minimizing the blast radius if one is compromised. HashiCorp Vault and Akeyless are notable providers of dynamic secrets.
Secrets Sprawl
The uncontrolled proliferation of secrets across config files, CI/CD tools, environment variables, wikis, chat messages, and developer machines. Sprawl makes it impossible to audit who has access to what and dramatically increases breach risk.
Envelope Encryption
A two-layer encryption pattern where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a key encryption key (KEK) stored in a vault or KMS. Only the small DEK is sent to the vault or KMS for wrapping and unwrapping, so the bulk data never has to pass through it.
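The pattern worked through in Go as an added example, not code from this page or from any vault vendor: both layers use AES-256-GCM, and a KEK held in memory stands in for the KMS, so the seal call on the DEK is the only step that would leave the application in a real deployment (the "dek-wrap" AAD label and the 32-byte key sizes are this example's own choices).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what gets stored: data ciphertext plus the DEK wrapped under the KEK.
// Neither the plaintext DEK nor the KEK is ever persisted alongside it.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// mustAEAD builds AES-256-GCM; a wrong key length is a programming error, so panic.
func mustAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // errors only for non-128-bit block ciphers, never AES
	return gcm
}
// seal encrypts with a fresh random nonce prepended; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustAEAD(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed never to fail since Go 1.24
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; any change to nonce, ciphertext, aad or key fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustAEAD(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
// Encrypt: fresh 256-bit DEK per object; data under the DEK, DEK under the KEK.
func Encrypt(kek, plaintext []byte) Envelope {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped := seal(kek, dek, []byte("dek-wrap")) // AAD keeps a wrapped DEK distinct from data
	return Envelope{WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}
}
// Decrypt unwraps the DEK under the KEK (the KMS unwrap call), then decrypts locally.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte("dek-wrap"))
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}
```

Rotating the KEK only requires re-wrapping each stored DEK, not re-encrypting the data, which is the operational reason the two layers are kept separate.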
Zero-Knowledge Architecture
A system design where the service provider never has access to the plaintext secrets. The provider stores and transmits only encrypted data, and decryption happens exclusively on the client side. Akeyless and SplitSecure use variations of this approach.
Secret Rotation
The practice of periodically replacing a secret with a new value and revoking the old one. Automated rotation reduces the window of exposure if a credential is leaked. Most cloud-native secret managers and vaults support scheduled rotation.
Privileged Access Management (PAM)
A category of security solutions focused on controlling and monitoring access to critical systems by privileged accounts (admins, service accounts, root). PAM tools such as CyberArk store privileged credentials in a vault, enforce session recording, and provide just-in-time access.
Just-in-Time (JIT) Access
A model where users or services are granted access to a secret only when needed and for a limited duration. Access is revoked automatically after the task completes or the time window expires, reducing standing privileges.
Sidecar Injection
A pattern in Kubernetes and containerized environments where a helper container (sidecar) runs alongside the application container to fetch and inject secrets. The app never communicates with the vault directly, simplifying application code.
HSM (Hardware Security Module)
A dedicated physical device for generating, storing, and managing cryptographic keys. HSMs provide tamper-resistant key storage and are used by cloud KMS services and on-premises vaults to protect master keys.
Secrets Engine
A component within a secrets manager (notably HashiCorp Vault) that generates, stores, or encrypts data. Different engines handle different secret types: database credentials, AWS IAM keys, PKI certificates, or transit encryption.
Least-Privilege Access
The security principle of granting users, services, and applications only the minimum set of permissions required to perform their tasks. In secrets management, this means scoping access to specific secrets rather than entire vaults or namespaces.
Secret Scanning
The automated detection of credentials, tokens, and keys in source code, commit history, CI/CD logs, and other artifacts. Tools like GitLeaks, TruffleHog, and GitHub Secret Scanning identify exposed secrets before or after they are committed.