Dynamic Secrets
Learn how to generate secrets dynamically on-demand.
Note that Dynamic Secrets is a paid feature.
Introduction
Contrary to static key-value secrets, which require manual input of data into the secure Hanzo KMS storage, dynamic secrets are generated on-demand upon access.
Dynamic secrets are unique to every identity using them. Such secrets are generated only at the moment they are retrieved, eliminating the possibility of theft or reuse by another identity. Thanks to Hanzo KMS's integrated revocation capabilities, dynamic secrets can be promptly invalidated after use, significantly reducing their lifespan.
Benefits of Dynamic Secrets
This approach offers several advantages in terms of security and management:
- Enhanced Security: By frequently changing secrets, dynamic secrets minimize the risk associated with secret compromise. Even if an attacker manages to obtain a secret, it would likely be invalid by the time they attempt to use it.
- Reduced Secret Lifetime: The limited validity period of dynamic secrets means that they are less valuable targets for attackers. This inherently reduces the time window during which a secret can be exploited.
- Automated Management: Dynamic secrets enable automated systems to handle the generation, distribution, revocation, and rotation of secrets without human intervention, thus reducing the risk of human error.
- Auditing and Traceability: The generation of dynamic secrets can be tightly controlled and monitored. This allows for detailed auditing of who accessed what secret and when, improving overall security posture and compliance with regulatory standards.
- Scalability: Dynamic secret management systems can scale more effectively to handle a large number of services and applications, as they automate much of the overhead associated with manual secret management.
Dynamic secrets are particularly useful in environments with stringent security requirements, such as cloud environments, distributed systems, and microservices architectures, where they help to manage database credentials, API keys, tokens, and other types of secrets.
Hanzo KMS Dynamic Secret Templates
FAQ
This usually happens when the SQL statements defined for creating or revoking the secret are not compatible with your database provider.
Different SQL engines have different expectations for quoting identifiers and values. For example, some use backticks (`username`), others use single quotes ('username'), and some expect double quotes ("username"). A statement that works on one provider might fail on another.
Recommendation:
Make sure to adjust your SQL statements to follow the syntax required by your specific database provider. Always test them directly on your target database to ensure they execute without errors.
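As an added illustration, not code from Hanzo KMS itself, the following Python renders a matching creation and revocation statement pair for two engines, applying the identifier quoting the FAQ describes (double quotes for PostgreSQL, backticks for MySQL) and generating unique per-lease credentials. The dialect names, statement shapes, the `dyn_` prefix and the one-hour default TTL are assumptions; substitute your provider's syntax and test it against the target database.

```python
import re
import secrets
from datetime import datetime, timedelta, timezone

# Identifier quoting differs per engine (the mismatch the FAQ describes); string literals are single-quoted on both.
IDENT_QUOTES = {"postgres": ('"', '"'), "mysql": ("`", "`")}
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def quote_ident(dialect, name):
    """Quote a role/user name as an identifier for the target engine."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    open_q, close_q = IDENT_QUOTES[dialect]
    return f"{open_q}{name}{close_q}"

def quote_literal(value):
    return "'" + value.replace("'", "''") + "'"  # single-quoted literal, embedded quotes doubled

def new_credentials(prefix="dyn"):
    # Fresh per-lease username and 32-char password from a CSPRNG (prefix is an assumption).
    return f"{prefix}_{secrets.token_hex(4)}", secrets.token_urlsafe(24)

def render_create(dialect, username, password, expires_at):
    """Creation statement; VALID UNTIL exists on PostgreSQL but not MySQL."""
    user, pw = quote_ident(dialect, username), quote_literal(password)
    if dialect == "postgres":
        until = quote_literal(expires_at.strftime("%Y-%m-%d %H:%M:%S+00"))
        return (f"CREATE ROLE {user} WITH LOGIN PASSWORD {pw} VALID UNTIL {until}; "
                f"GRANT SELECT ON ALL TABLES IN SCHEMA public TO {user};")
    if dialect == "mysql":  # accounts are user@host; expiry relies on the revoke statement
        return (f"CREATE USER {user}@'%' IDENTIFIED BY {pw}; "
                f"GRANT SELECT ON *.* TO {user}@'%';")
    raise ValueError(f"unsupported dialect: {dialect}")

def render_revoke(dialect, username):
    # Run at lease expiry or on early revocation.
    user = quote_ident(dialect, username)
    if dialect == "postgres":
        return (f"REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM {user}; "
                f"DROP ROLE IF EXISTS {user};")
    if dialect == "mysql":
        return f"DROP USER IF EXISTS {user}@'%';"
    raise ValueError(f"unsupported dialect: {dialect}")

def new_lease(dialect, ttl_hours=1):
    # One lease: unique credentials plus the matching create/revoke statement pair.
    username, password = new_credentials()
    expires_at = datetime.now(timezone.utc) + timedelta(hours=ttl_hours)
    return {"username": username, "password": password, "expires_at": expires_at,
            "create": render_create(dialect, username, password, expires_at),
            "revoke": render_revoke(dialect, username)}
```

Calling `new_lease("postgres")` and `new_lease("mysql")` side by side shows the same logical statement pair diverging in both quoting and clauses, which is why a template written for one provider should be re-tested on another.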