Overview

Secrets are the fundamental resource in Xloud Key Manager. Each secret stores an encrypted payload with type and algorithm metadata. Secrets are project-scoped — they are visible only to users within the project that created them unless shared via ACL. Secrets are referenced by UUID and payloads are never returned in API responses outside of an explicit retrieve operation.
Prerequisites

  • An active Xloud account with appropriate permissions
  • Access to the Xloud Dashboard or CLI configured with credentials
  • API credentials sourced (source openrc.sh)

Project Scope — All secrets created in Key Manager belong to the project selected at the time of creation. Users in other projects cannot see or access your secrets unless you explicitly grant access through an ACL. If you switch projects in the Dashboard, you will see a different set of secrets.

Secret Types

Xloud Key Manager supports six secret types. The type you select determines which algorithm, key length, and encryption mode options are available.
Type        | Use Case                                                    | Example Payload
------------|-------------------------------------------------------------|----------------------------
Opaque      | Arbitrary data — API keys, passwords, config values, tokens | Any text or binary data
Symmetric   | Encryption keys for AES, DES, 3DES                          | Base64-encoded key material
Public      | RSA, DSA, or EC public keys                                 | PEM-encoded public key
Private     | RSA, DSA, or EC private keys                                | PEM-encoded private key
Certificate | X.509 TLS/SSL certificates                                  | PEM-encoded certificate
Passphrase  | Passwords and passphrase strings                            | Plain text passphrase

Create a Secret

Create secrets through the Xloud Dashboard with a form that adapts based on the selected secret type.
Step 1: Navigate to Key Manager

Navigate to Key Manager > Secrets in the sidebar. Click Create Secret in the upper-right corner.

Step 2: Enter the secret name

Enter a descriptive Name for your secret. This is a required field and serves as a human-readable identifier (e.g., db-root-password, app-tls-private-key).
Step 3: Select the secret type

Choose the Secret Type from the dropdown. This selection controls which additional fields appear in the form:

Secret Type | Additional Fields Shown
------------|-------------------------------
Opaque      | No additional algorithm fields
Symmetric   | Algorithm, Bit Length, Mode
Public      | Algorithm, Bit Length
Private     | Algorithm, Bit Length
Certificate | Algorithm, Bit Length
Passphrase  | No additional algorithm fields
Step 4: Configure algorithm options (if applicable)

For secret types that support cryptographic metadata, configure the following fields. They appear dynamically based on your secret type selection.

Algorithm — Select the cryptographic algorithm:

Secret Type | Available Algorithms
------------|---------------------
Symmetric   | AES, DES, 3DES
Public      | RSA, DSA, EC
Private     | RSA, DSA, EC
Certificate | RSA, EC

Bit Length — Select the key size (appears after algorithm selection):

Algorithm | Available Bit Lengths
----------|----------------------
AES       | 128, 192, 256
DES       | 56
3DES      | 168
RSA       | 2048, 3072, 4096
DSA       | 2048, 3072
EC        | 256, 384, 521

Mode — Select the block cipher mode (symmetric keys only):

Mode | Description
-----|-----------------------------------------------------------------
CBC  | Cipher Block Chaining — standard mode for block encryption
CTR  | Counter mode — enables parallel encryption
GCM  | Galois/Counter Mode — provides both encryption and authentication

For symmetric encryption keys, AES-256 with GCM mode is recommended for most use cases. It provides both strong encryption and built-in integrity verification.
Step 5: Select a secret store backend (optional)

If your platform has multiple secret store backends configured, a Secret Store Backend dropdown appears. Select which backend should store this secret. The default backend is pre-selected and marked with (Default).

This field only appears when the administrator has configured multiple secret store backends. Most deployments use a single backend.

Step 6: Set an expiration date (optional)

Use the Expiration date-time picker to set an optional expiration date for the secret. After this date, the secret is no longer usable.

Key Manager does not send expiration alerts. Set external calendar reminders to renew secrets before they expire, especially for certificates and encryption keys used by running services.
Step 7: Enter the payload

Enter the secret value in the Payload text area. The form displays a format hint based on the selected secret type:

Secret Type | Payload Format Hint
------------|----------------------------------------------------------
Opaque      | Any text or data: API key, password, config value, token
Symmetric   | Base64-encoded key. Generate: openssl rand -base64 32
Public      | PEM format: -----BEGIN PUBLIC KEY-----
Private     | PEM format: -----BEGIN RSA PRIVATE KEY-----
Certificate | PEM format: -----BEGIN CERTIFICATE-----
Passphrase  | A passphrase or password string

The payload field is optional at creation time. You can create a secret without a payload and add it later via the API. However, most use cases require providing the payload during creation.
Step 8: Select payload content type

If you entered a payload, select the Payload Content Type:

Content Type             | When to Use
-------------------------|---------------------------------------
text/plain               | Passphrases, API keys, plain text data
application/octet-stream | Binary data, symmetric keys
application/pkix-cert    | X.509 certificates, public keys

If you do not select a content type, the system auto-selects based on your secret type: application/octet-stream for symmetric keys, application/pkix-cert for certificates, and text/plain for all others.

Step 9: Create the secret

Click Confirm to create the secret. It appears in the Secrets list with its UUID and status Active.
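The Dashboard form enforces the type, algorithm, bit-length, mode and content-type rules from steps 3, 4 and 8 for you; the CLI does not, so a wrong combination only surfaces as an API error. The following added example (not Xloud's or python-barbicanclient's code) encodes those same rules as a pre-flight check that produces the `openstack secret store` argv. It assumes the client's `--file` option, which reads the payload from a file so the value does not land in shell history or process listings the way an inline `--payload "..."` does; the file holds the payload exactly as it would be passed to `--payload` (base64 text for binary types).

```python
"""
Pre-flight validation for `openstack secret store`, mirroring the Dashboard form rules
(secret type -> allowed algorithms -> bit lengths -> mode, plus the content-type
auto-selection from step 8). Added example, not Xloud's or python-barbicanclient's
code. Assumed: the client's `--file` option for reading the payload from a file.
"""
import shlex

SECRET_TYPES = {"opaque", "symmetric", "public", "private", "certificate", "passphrase"}

# Secret type -> algorithms the form offers (step 4).
ALGORITHMS = {
    "symmetric": {"aes", "des", "3des"},
    "public": {"rsa", "dsa", "ec"},
    "private": {"rsa", "dsa", "ec"},
    "certificate": {"rsa", "ec"},
}

# Algorithm -> bit lengths the form offers (step 4).
BIT_LENGTHS = {
    "aes": {128, 192, 256}, "des": {56}, "3des": {168},
    "rsa": {2048, 3072, 4096}, "dsa": {2048, 3072}, "ec": {256, 384, 521},
}

MODES = {"cbc", "ctr", "gcm"}  # symmetric keys only

# Content types from step 8, plus application/pkcs8 as used for private keys.
CONTENT_TYPES = {"text/plain", "application/octet-stream",
                 "application/pkix-cert", "application/pkcs8"}

# Auto-selected content type when none is chosen (step 8); all other types get text/plain.
DEFAULT_CONTENT_TYPE = {"symmetric": "application/octet-stream",
                        "certificate": "application/pkix-cert"}


def build_store_argv(name, secret_type, payload_file=None, algorithm=None,
                     bit_length=None, mode=None, content_type=None, expiration=None):
    """Return the argv for `openstack secret store`, or raise ValueError when the
    combination is one the Dashboard form would not let you submit."""
    secret_type = secret_type.lower()
    if secret_type not in SECRET_TYPES:
        raise ValueError(f"unknown secret type {secret_type!r}")
    argv = ["openstack", "secret", "store", "--name", name, "--secret-type", secret_type]

    if secret_type in ALGORITHMS:
        if algorithm is None or bit_length is None:
            raise ValueError(f"{secret_type} secrets need --algorithm and --bit-length")
        algorithm = algorithm.lower()
        if algorithm not in ALGORITHMS[secret_type]:
            raise ValueError(f"{algorithm} is not offered for {secret_type} secrets")
        if int(bit_length) not in BIT_LENGTHS[algorithm]:
            raise ValueError(f"{bit_length} is not a valid bit length for {algorithm}")
        argv += ["--algorithm", algorithm, "--bit-length", str(int(bit_length))]
        if secret_type == "symmetric":
            if mode is None or mode.lower() not in MODES:
                raise ValueError("symmetric keys need --mode cbc, ctr or gcm")
            argv += ["--mode", mode.lower()]
        elif mode is not None:
            raise ValueError("--mode applies to symmetric keys only")
    elif algorithm or bit_length or mode:
        raise ValueError(f"{secret_type} secrets carry no algorithm metadata")

    if payload_file is not None:
        ct = content_type or DEFAULT_CONTENT_TYPE.get(secret_type, "text/plain")
        if ct not in CONTENT_TYPES:
            raise ValueError(f"unsupported payload content type {ct!r}")
        argv += ["--file", payload_file, "--payload-content-type", ct]
        if ct != "text/plain":
            # Binary content types travel as base64 text (as in the page's CLI examples).
            argv += ["--payload-content-encoding", "base64"]
    if expiration is not None:
        argv += ["--expiration", expiration]  # ISO 8601, as the CLI expects
    return argv


def rejects(**kwargs):
    """True if build_store_argv refuses the combination (handy for review/testing)."""
    try:
        build_store_argv(**kwargs)
    except ValueError:
        return True
    return False


def render(argv):
    """Shell-quoted one-liner for copy/paste or review."""
    return shlex.join(argv)


if __name__ == "__main__":
    # key.b64 would hold the output of `openssl rand -base64 32`; pw.txt the passphrase.
    print(render(build_store_argv("volume-encryption-key", "symmetric", "key.b64",
                                  algorithm="AES", bit_length=256, mode="GCM")))
    print(render(build_store_argv("db-admin-password", "passphrase", "pw.txt")))
```

Running the script prints the two commands ready to paste; `rejects(...)` lets a wrapper or CI job confirm that, for instance, DES with a 128-bit length or a `--mode` on a private key is refused before any API call is made.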

Retrieve a Secret

Step 1: View secret metadata

Navigate to Project > Key Manager > Secrets. Click the secret name to open the detail page. The detail page shows:

Field       | Description
------------|----------------------------------------
Secret Type | The type selected at creation
Status      | Active or Error
Mode        | Block cipher mode (symmetric keys only)
Bit Length  | Key size in bits
Created     | Creation timestamp
Updated     | Last modification timestamp
Expiration  | Expiration date, or - if none set

Step 2: Retrieve the payload

The Dashboard does not display secret payloads after creation. To retrieve a secret payload, use the CLI or API.
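Because Key Manager sends no expiration alerts (step 6 above) and the Dashboard only shows the Expiration field one secret at a time, a practitioner usually wants a scripted audit over the whole project. The following added example (not Xloud's or python-barbicanclient's code) parses the JSON that `openstack secret list -f json` prints, flags secrets that are expired or expire within a window, and builds the `openstack secret get --payload <href>` command for retrieving a payload. It assumes the client's JSON column names ("Secret href", "Name", "Secret type", "Status", "Expiration"); SAMPLE_LIST is constructed data with placeholder hrefs, not output captured from a deployment.

```python
"""
Expiration audit and payload retrieval helpers built on `openstack secret list -f json`
and `openstack secret get --payload`. Added example, not Xloud's or
python-barbicanclient's code. Assumed: the JSON column names "Secret href", "Name",
"Secret type", "Status" and "Expiration"; SAMPLE_LIST is constructed, placeholder data.
"""
import json
from datetime import datetime, timezone

# Constructed stand-in for `openstack secret list -f json` (placeholder hrefs/UUIDs).
SAMPLE_LIST = json.dumps([
    {"Secret href": "https://keymanager.example.invalid/v1/secrets/00000000-0000-4000-8000-000000000001",
     "Name": "app-tls-cert", "Secret type": "certificate", "Status": "ACTIVE",
     "Expiration": "2025-06-15T00:00:00+00:00"},
    {"Secret href": "https://keymanager.example.invalid/v1/secrets/00000000-0000-4000-8000-000000000002",
     "Name": "old-token", "Secret type": "opaque", "Status": "ACTIVE",
     "Expiration": "2025-05-01T00:00:00"},          # naive timestamp, treated as UTC
    {"Secret href": "https://keymanager.example.invalid/v1/secrets/00000000-0000-4000-8000-000000000003",
     "Name": "db-root-password", "Secret type": "passphrase", "Status": "ACTIVE",
     "Expiration": None},                            # no expiration set
    {"Secret href": "https://keymanager.example.invalid/v1/secrets/00000000-0000-4000-8000-000000000004",
     "Name": "volume-encryption-key", "Secret type": "symmetric", "Status": "ACTIVE",
     "Expiration": "2026-01-01T00:00:00Z"},
])
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_expiration(value):
    """Expiration as an aware datetime, or None for the '-' / empty value the UI shows."""
    if not value or value == "-":
        return None
    dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def expiring_secrets(list_json, now=None, within_days=30):
    """Secrets that are already expired or expire within `within_days`, soonest first."""
    now = now or datetime.now(timezone.utc)
    report = []
    for s in json.loads(list_json):
        exp = parse_expiration(s.get("Expiration"))
        if exp is None:
            continue  # no expiration: nothing to renew
        days_left = (exp - now).days
        if days_left < 0:
            state = "expired"
        elif days_left <= within_days:
            state = "expiring"
        else:
            continue
        report.append({"name": s["Name"], "href": s["Secret href"],
                       "type": s["Secret type"], "days_left": days_left, "state": state})
    return sorted(report, key=lambda r: r["days_left"])


def retrieve_argv(href):
    """argv that prints only the payload; the Dashboard never shows it after creation."""
    return ["openstack", "secret", "get", "--payload", href]


if __name__ == "__main__":
    # In practice: json.loads(subprocess.run(["openstack", "secret", "list", "-f", "json"], ...))
    for r in expiring_secrets(SAMPLE_LIST, SAMPLE_NOW, within_days=30):
        print(f"{r['state']:9} {r['days_left']:5d}d  {r['name']}  ({r['type']})")
        print("    retrieve with:", " ".join(retrieve_argv(r["href"])))
```

With the sample data and the fixed clock the report lists old-token (expired 31 days ago) and app-tls-cert (14 days left); run against real `secret list -f json` output on a schedule, the same function gives the renewal reminder the platform itself does not send.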

Delete a Secret

Step 1: Select secrets to delete

Navigate to Project > Key Manager > Secrets. Select one or more secrets using the checkboxes, then click Delete in the actions menu. Alternatively, click the More menu on a single secret row and select Delete Secret.

Step 2: Confirm deletion

Confirm the deletion in the dialog. This action is permanent.

Deleting a secret is irreversible. If the secret is referenced by containers, Load Balancer listeners, or volume encryption, those references will break immediately. Update all references before deleting.

Project Scope and Access

Secrets in Key Manager are project-scoped by default:

Behavior             | Description
---------------------|-------------------------------------------------------------------------------------
Visibility           | Secrets are visible only to users within the project that created them
Cross-project access | Not permitted unless explicitly granted via ACL
Project switching    | Switching projects in the Dashboard shows a different set of secrets
Service access       | Services like the Load Balancer access secrets using the project's service credentials
Admin access         | Platform administrators can view all secrets across projects from the admin panel

To share a certificate or encryption key with another project, use an ACL rather than storing duplicate copies. This ensures a single source of truth and simplifies key rotation.

Secret Type Reference

Opaque

Use case: Store any arbitrary data — API keys, database passwords, configuration values, OAuth tokens, or binary blobs. No algorithm or key length metadata is required. This is the most flexible type and the default selection.

CLI example:

openstack secret store \
  --name github-api-token \
  --secret-type opaque \
  --payload "ghp_xxxxxxxxxxxxxxxxxxxx" \
  --payload-content-type "text/plain"

Symmetric

Use case: Store symmetric encryption keys for AES, DES, or 3DES encryption. Used for volume encryption, object storage encryption, and application-level encryption.

Field      | Options
-----------|---------------------------------------
Algorithm  | AES, DES, 3DES
Bit Length | AES: 128/192/256, DES: 56, 3DES: 168
Mode       | CBC, CTR, GCM

CLI example — AES-256 GCM:

openstack secret store \
  --name volume-encryption-key \
  --secret-type symmetric \
  --algorithm aes --bit-length 256 --mode gcm \
  --payload-content-type "application/octet-stream" \
  --payload-content-encoding base64 \
  --payload "$(openssl rand -base64 32)"

Public

Use case: Store RSA, DSA, or EC public keys for key pair management, signature verification, or encryption.

Field      | Options
-----------|-------------------------------------------------------
Algorithm  | RSA, DSA, EC
Bit Length | RSA: 2048/3072/4096, DSA: 2048/3072, EC: 256/384/521

CLI example — RSA 4096 public key:

openstack secret store \
  --name ssh-public-key \
  --secret-type public \
  --algorithm rsa --bit-length 4096 \
  --payload-content-type "application/pkix-cert" \
  --payload-content-encoding base64 \
  --payload "$(base64 -w 0 id_rsa.pub)"

Private

Use case: Store RSA, DSA, or EC private keys for TLS, SSH, or code signing. Always pair with a corresponding public key or certificate.

Field      | Options
-----------|-------------------------------------------------------
Algorithm  | RSA, DSA, EC
Bit Length | RSA: 2048/3072/4096, DSA: 2048/3072, EC: 256/384/521

CLI example — RSA 4096 private key:

openstack secret store \
  --name app-tls-key \
  --secret-type private \
  --algorithm rsa --bit-length 4096 \
  --payload-content-type "application/pkcs8" \
  --payload-content-encoding base64 \
  --payload "$(base64 -w 0 private_key.pem)"

Certificate

Use case: Store X.509 TLS/SSL certificates for HTTPS termination, mTLS authentication, or certificate chain management.

Field      | Options
-----------|---------------------------------------
Algorithm  | RSA, EC
Bit Length | RSA: 2048/3072/4096, EC: 256/384/521

CLI example — TLS certificate:

openstack secret store \
  --name app-tls-cert \
  --secret-type certificate \
  --algorithm rsa --bit-length 2048 \
  --payload-content-type "application/pkix-cert" \
  --payload-content-encoding base64 \
  --payload "$(base64 -w 0 certificate.pem)"

Passphrase

Use case: Store passwords, passphrases, PINs, or other human-readable credential strings. No algorithm metadata is required.

CLI example:

openstack secret store \
  --name db-admin-password \
  --secret-type passphrase \
  --payload "MyS3cur3P@ssw0rd!" \
  --payload-content-type "text/plain"

Next Steps

  • Containers: Bundle secrets into named containers for TLS and key pair management
  • Certificates: Store and manage TLS certificates using Key Manager
  • Access Control (ACL): Share secrets across projects with fine-grained access control
  • Troubleshooting: Resolve 403 errors, payload retrieval failures, and expired secret issues