Where to securely store database passwords, API keys, and certificates? Not in code, not in .env, not in Confluence.
HashiCorp Vault¶
vault kv put secret/myapp db_password=”tajne” api_key=”sk_123” vault kv get -field=db_password secret/myapp
Python¶
import hvac client = hvac.Client(url=’https://vault:8200’, token=os.environ[‘VAULT_TOKEN’]) secret = client.secrets.kv.v2.read_secret_version(path=’myapp’)
Mozilla SOPS¶
sops –encrypt –age age1… config.yaml > config.enc.yaml sops –decrypt config.enc.yaml > config.yaml sops config.enc.yaml # In-place editing
Kubernetes — External Secrets Operator¶
apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: myapp-secrets spec: refreshInterval: 1h secretStoreRef: name: vault-backend data: - secretKey: DB_PASSWORD remoteRef: key: secret/myapp property: db_password
Key Takeaway¶
Vault for enterprise, SOPS for smaller teams. Secrets never in Git as plaintext, always auditable, always rotatable.