# Secret Store Management

> Manage multiple secret store backends in Xloud Key Manager. List available stores, assign preferred stores to projects, and manage tiered security levels.

## Overview

Key Manager supports multiple simultaneous secret store backends. Different stores can
be assigned to different projects, providing tiered security levels — e.g., routing
regulated projects to HSM-backed storage while using software crypto for development projects.

<Warning>
  **Administrator Access Required** — This operation requires the `admin` role. Contact your
  Xloud administrator if you do not have sufficient permissions.
</Warning>

***

## List Secret Stores

```bash title="List all configured secret stores" theme={null}
openstack secret store list
```

```bash title="Show the platform-default secret store" theme={null}
openstack secret store get preferred
```

***

## Assign a Store to a Project

Assign a specific secret store to a project to override the platform default:

```bash title="Set preferred store for a project" theme={null}
openstack secret store set preferred \
  --secret-store-id <store-id>
```

```bash title="Show the preferred store for a project" theme={null}
openstack secret store get preferred --project <project-id>
```

```bash title="Reset to platform default" theme={null}
openstack secret store unset preferred
```

<Warning>
  Changing a project's preferred store does not migrate existing secrets. Secrets
  created before the change remain in the original store. Only new secrets use the
  newly assigned store.
</Warning>

***

## Multi-Store Design Patterns

| Pattern                    | Configuration                                         | Use Case                            |
| -------------------------- | ----------------------------------------------------- | ----------------------------------- |
| **Single store (default)** | One `simple_crypto` or PKCS#11 backend                | Homogeneous environment             |
| **Tiered security**        | `simple_crypto` for dev, PKCS#11 for production       | PCI-DSS, HIPAA, regulated workloads |
| **Geographic isolation**   | Per-region KMIP servers as separate stores            | Data residency requirements         |
| **Workload separation**    | HSM store for TLS keys, software store for API tokens | Cost optimization                   |

***

## Migration Between Stores

Migrating existing secrets from one store to another is a manual process:

<Steps titleSize="h3">
  <Step title="Retrieve existing secrets">
    Export all secret payloads from the current store. This requires read access to
    every secret in the project.
  </Step>

  <Step title="Assign the new store to the project">
    ```bash title="Set new preferred store" theme={null}
    openstack secret store set preferred \
      --secret-store-id <new-store-id>
    ```
  </Step>

  <Step title="Re-create secrets in the new store">
    Store each payload as a new secret. The new secrets will be encrypted by the new store.
  </Step>

  <Step title="Update all references">
    Update any services, Load Balancer listeners, or containers that reference the old
    secret HREFs to point to the new secret HREFs.
  </Step>

  <Step title="Delete old secrets">
    Once all references are updated and verified, delete the original secrets from the
    old store.
  </Step>
</Steps>
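The five steps above are easy to get wrong by hand: a payload copied with a stray newline, a reference missed, or an original deleted before its copy was checked. The script below is an added example (not Xloud documentation or project code) that carries the procedure through with a verify-before-delete rule: the copy/verify logic is pure Python so it can be run offline against constructed inputs, and the `openstack` CLI is reached only through small adapter functions. The CLI flags in those adapters (`secret list --limit`, `secret get --payload`, `secret store --file --secret-type`, `secret delete`) are the python-barbicanclient ones as I know them; confirm them with `openstack secret store --help` on your installation. The HREFs and payloads in the comments are constructed, and `<new-store-id>` is a placeholder. It assumes step 2 (setting the preferred store) has already been done for the project so that newly stored secrets land in the new store.

```python
"""Copy a project's secrets into the newly preferred store, verify each copy,
emit an old->new HREF mapping for updating references, then delete originals
only once every copy has verified. Added example; not Xloud's own tooling."""
import hashlib
import json
import subprocess
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class MigrationResult:
    mapping: Dict[str, str] = field(default_factory=dict)  # old href -> new href
    verified: List[str] = field(default_factory=list)      # old hrefs whose copy matched
    failed: List[str] = field(default_factory=list)        # old hrefs whose copy did not


def payload_digest(payload: bytes) -> str:
    """SHA-256 of a payload, so copies can be compared without logging the secret."""
    return hashlib.sha256(payload).hexdigest()


def migrate_secrets(secrets: List[dict], read_payload: Callable[[str], bytes],
                    create_secret: Callable[[str, bytes, str], str]) -> MigrationResult:
    """Steps 1 and 3: export each payload, store it as a new secret (which goes to the
    preferred store), and read the copy back to verify it. Nothing is deleted here.

    secrets:       rows as produced by `openstack secret list -f json`
    read_payload:  href -> payload bytes
    create_secret: (name, payload, secret_type) -> href of the newly stored secret
    """
    result = MigrationResult()
    for row in secrets:
        old_href = row["Secret href"]
        payload = read_payload(old_href)
        new_href = create_secret(row.get("Name") or "", payload, row.get("Secret type") or "opaque")
        if payload_digest(read_payload(new_href)) == payload_digest(payload):
            result.mapping[old_href] = new_href
            result.verified.append(old_href)
        else:
            result.failed.append(old_href)
    return result


def rewrite_references(text: str, mapping: Dict[str, str]) -> str:
    """Step 4 helper: replace old HREFs with new ones in a listener/container/config
    definition. Longest HREFs go first so a prefix never clobbers a longer match."""
    for old_href in sorted(mapping, key=len, reverse=True):
        text = text.replace(old_href, mapping[old_href])
    return text


def delete_migrated(result: MigrationResult, delete_secret: Callable[[str], None]) -> int:
    """Step 5: delete originals, refusing outright if any copy failed verification.
    Run only after the references from step 4 have been updated and checked."""
    if result.failed:
        raise RuntimeError(f"refusing to delete: {len(result.failed)} secret(s) failed verification")
    for old_href in result.verified:
        delete_secret(old_href)
    return len(result.verified)


# --- adapters over the openstack CLI (assumed flags; not exercised offline) -------

def _run(*args: str) -> str:
    return subprocess.run(["openstack", *args], check=True, capture_output=True, text=True).stdout


def cli_list_secrets() -> List[dict]:
    # `secret list` pages at 10 by default; raise the limit (or add --offset) as needed.
    return json.loads(_run("secret", "list", "--limit", "500", "-f", "json"))


def cli_read_payload(href: str) -> bytes:
    # Text payloads only; binary payloads need --payload-content-type handling.
    out = _run("secret", "get", "--payload", "-f", "value", href)
    return (out[:-1] if out.endswith("\n") else out).encode()  # cliff appends one newline


def cli_create_secret(name: str, payload: bytes, secret_type: str) -> str:
    # Hand the payload over in a 0600 temp file rather than on argv, so it is not
    # visible in process listings or shell history.
    with tempfile.NamedTemporaryFile() as f:
        f.write(payload)
        f.flush()
        args = ["secret", "store", "--secret-type", secret_type, "--file", f.name,
                "-f", "value", "-c", "Secret href"]
        if name:
            args[2:2] = ["--name", name]
        return _run(*args).strip()


def cli_delete_secret(href: str) -> None:
    _run("secret", "delete", href)


if __name__ == "__main__":
    # Precondition: `openstack secret store set preferred --secret-store-id <new-store-id>`
    # has been run for this project (step 2).
    result = migrate_secrets(cli_list_secrets(), cli_read_payload, cli_create_secret)
    with open("href-mapping.json", "w") as fh:
        json.dump(result.mapping, fh, indent=2)  # input for step 4
    print(f"copied {len(result.verified)}, failed {len(result.failed)}; mapping in href-mapping.json")
```

The mapping file is the artifact step 4 needs: feed each listener or container definition through `rewrite_references` (or do the same by hand) and confirm the services resolve the new HREFs before calling `delete_migrated`. Because `migrate_secrets` lists whatever the project currently holds, run it once per migration; a second run would copy the already-migrated secrets again.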

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Backend Configuration" href="/services/key-manager/backend-config" color="#197560">
    Configure the underlying backend for each secret store
  </Card>

  <Card title="Transport Keys" href="/services/key-manager/transport-keys" color="#197560">
    Manage RSA transport keys for client-side encryption
  </Card>

  <Card title="Security" href="/services/key-manager/security" color="#197560">
    Apply hardening policies for each store type
  </Card>

  <Card title="Quotas" href="/services/key-manager/quotas" color="#197560">
    Set per-project limits for secret creation
  </Card>
</CardGroup>
