OVHcloud Secret Manager

Discover OVHcloud Secret Manager

The OVHcloud Secret Manager is a new managed service in the Data Security suite, designed to:

• Protect your Secrets (credentials, API keys, etc.) and ensure they cannot be stolen, tampered with, or lost

• Use them securely in your own applications or OVHcloud services through a fully managed interface

• Control, automate, and log all access to these secrets

OVHcloud will soon launch its new Secret Manager service.
This service enables dynamic retrieval of Secrets, removing the need to store sensitive data directly within your applications.
It also provides full access control via native integration with OVHcloud Identity and Access Management (IAM) and comprehensive audit logs through OVHcloud Logs Data Platform.

To ensure full service portability and reversibility, OVHcloud Secret Manager offers two sets of APIs:

• An API compatible with the HashiCorp Vault KV2 interface, making it easy to migrate between Vault/Secret Managers

• A REST API similar to OVHcloud Key Management Service (KMS), supporting hybrid use cases involving both KMS and Secret Manager

The roadmap for OVHcloud Secret Manager is available on GitHub: https://github.com/orgs/ovh/projects/16/views/11

How does it work?

A Secret stored in OVHcloud Secret Manager consists of a set of one or more key/value pairs.
Each Secret change creates a new version, allowing you to review or revert to previous values of a same Secret.

You can retrieve the content of a Secret in JSON format via the OVHcloud Control Panel or API, and use it in any application, script, or automation.

The native IAM integration allows fine-grained control over who can manage or access each Secret.
In addition, real-time and historical audit logs are available via the OVHcloud Logs Data Platform.

How does OVHcloud ensure the security of your Secrets?

OVHcloud Secret Manager is built on the same backend as OVHcloud Key Management Service (KMS).

All Secrets are encrypted with a key managed by OVHcloud KMS, offering the same security and availability as other KMS-managed keys.
The Secret Manager shares the same region availability and replicated architecture as KMS, detailed here:
https://help.ovhcloud.com/csm/en-kms-architecture?id=kb_article_view&sysparm_article=KB0063349

What’s next on the roadmap?

Upcoming features:

• Ability to choose the encryption key

• Secret rotation notifications

• Multi-region Secret support