Overview
Key Manager supports multiple simultaneous secret store backends. Different stores can be assigned to different projects, providing tiered security levels — e.g., routing regulated projects to HSM-backed storage while using software crypto for development projects.List Secret Stores
List all configured secret stores
Show the platform-default secret store
Assign a Store to a Project
Assign a specific secret store to a project to override the platform default:Set preferred store for a project
Show the preferred store for a project
Reset to platform default
Multi-Store Design Patterns
| Pattern | Configuration | Use Case |
|---|---|---|
| Single store (default) | One simple_crypto or PKCS#11 backend | Homogeneous environment |
| Tiered security | simple_crypto for dev, PKCS#11 for production | PCI-DSS, HIPAA, regulated workloads |
| Geographic isolation | Per-region KMIP servers as separate stores | Data residency requirements |
| Workload separation | HSM store for TLS keys, software store for API tokens | Cost optimization |
Migration Between Stores
Migrating existing secrets from one store to another is a manual process:Retrieve existing secrets
Export all secret payloads from the current store. This requires read access to
every secret in the project.
Re-create secrets in the new store
Store each payload as a new secret. The new secrets will be encrypted by the new store.
Update all references
Update any services, Load Balancer listeners, or containers that reference the old
secret HREFs to point to the new secret HREFs.
Next Steps
Backend Configuration
Configure the underlying backend for each secret store
Transport Keys
Manage RSA transport keys for client-side encryption
Security
Apply hardening policies for each store type
Quotas
Set per-project limits for secret creation