> ## Documentation Index
> Fetch the complete documentation index at: https://docs.xloud.tech/llms.txt
> Use this file to discover all available pages before exploring further.
# Store Secrets
> Create, retrieve, and manage secrets in Xloud Key Manager using the Dashboard or CLI.
## Overview
Secrets are the fundamental resource in Xloud Key Manager. Each secret stores an
encrypted payload with type and algorithm metadata. Secrets are **project-scoped** —
they are visible only to users within the project that created them unless shared
via [ACL](/services/key-manager/acl). Secrets are referenced by UUID and payloads
are never returned in API responses outside of an explicit retrieve operation.
**Prerequisites**
* An active Xloud account with appropriate permissions
* Access to the **Xloud Dashboard** or CLI configured with credentials
* API credentials sourced (`source openrc.sh`)
**Project Scope** — All secrets created in Key Manager belong to the project
selected at the time of creation. Users in other projects cannot see or access
your secrets unless you explicitly grant access through an ACL. If you switch
projects in the Dashboard, you will see a different set of secrets.
***
## Secret Types
Xloud Key Manager supports six secret types. The type you select determines which
algorithm, key length, and encryption mode options are available.
| Type | Use Case | Example Payload |
| --------------- | ----------------------------------------------------------- | --------------------------- |
| **Opaque** | Arbitrary data — API keys, passwords, config values, tokens | Any text or binary data |
| **Symmetric** | Encryption keys for AES, DES, 3DES | Base64-encoded key material |
| **Public** | RSA, DSA, or EC public keys | PEM-encoded public key |
| **Private** | RSA, DSA, or EC private keys | PEM-encoded private key |
| **Certificate** | X.509 TLS/SSL certificates | PEM-encoded certificate |
| **Passphrase** | Passwords and passphrase strings | Plain text passphrase |
***
## Create a Secret
Create secrets through the Xloud Dashboard with a form that adapts
based on the selected secret type.
Navigate to **Key Manager > Secrets** in the sidebar.
Click **Create Secret** in the upper-right corner.
Enter a descriptive **Name** for your secret. This is a required field and serves
as a human-readable identifier (e.g., `db-root-password`, `app-tls-private-key`).
Choose the **Secret Type** from the dropdown. This selection controls which
additional fields appear in the form:
| Secret Type | Additional Fields Shown |
| --------------- | ------------------------------ |
| **Opaque** | No additional algorithm fields |
| **Symmetric** | Algorithm, Bit Length, Mode |
| **Public** | Algorithm, Bit Length |
| **Private** | Algorithm, Bit Length |
| **Certificate** | Algorithm, Bit Length |
| **Passphrase** | No additional algorithm fields |
For secret types that support cryptographic metadata, configure the following
fields. These fields appear dynamically based on your secret type selection:
**Algorithm** — Select the cryptographic algorithm:
| Secret Type | Available Algorithms |
| ----------- | -------------------- |
| Symmetric | AES, DES, 3DES |
| Public | RSA, DSA, EC |
| Private | RSA, DSA, EC |
| Certificate | RSA, EC |
**Bit Length** — Select the key size (appears after algorithm selection):
| Algorithm | Available Bit Lengths |
| --------- | --------------------- |
| AES | 128, 192, 256 |
| DES | 56 |
| 3DES | 168 |
| RSA | 2048, 3072, 4096 |
| DSA | 2048, 3072 |
| EC | 256, 384, 521 |
**Mode** — Select the block cipher mode (symmetric keys only):
| Mode | Description |
| ---- | ----------------------------------------------------------------- |
| CBC | Cipher Block Chaining — standard mode for block encryption |
| CTR | Counter mode — enables parallel encryption |
| GCM | Galois/Counter Mode — provides both encryption and authentication |
For symmetric encryption keys, AES-256 with GCM mode is recommended for
most use cases. It provides both strong encryption and built-in integrity
verification.
If your platform has multiple secret store backends configured, a **Secret Store
Backend** dropdown appears. Select which backend should store this secret.
The default backend is pre-selected and marked with **(Default)**.
This field only appears when the administrator has configured multiple
secret store backends. Most deployments use a single backend.
Use the **Expiration** date-time picker to set an optional expiration date for
the secret. After this date, the secret is no longer usable.
Key Manager does not send expiration alerts. Set external calendar reminders
to renew secrets before they expire, especially for certificates and
encryption keys used by running services.
Enter the secret value in the **Payload** text area. The form displays a
format hint based on the selected secret type:
| Secret Type | Payload Format Hint |
| ----------- | -------------------------------------------------------- |
| Opaque | Any text or data: API key, password, config value, token |
| Symmetric | Base64-encoded key. Generate: `openssl rand -base64 32` |
| Public | PEM format: `-----BEGIN PUBLIC KEY-----` |
| Private | PEM format: `-----BEGIN RSA PRIVATE KEY-----` |
| Certificate | PEM format: `-----BEGIN CERTIFICATE-----` |
| Passphrase | A passphrase or password string |
The payload field is optional at creation time. You can create a secret
without a payload and add it later via the API. However, most use cases
require providing the payload during creation.
If you entered a payload, select the **Payload Content Type**:
| Content Type | When to Use |
| -------------------------- | -------------------------------------- |
| `text/plain` | Passphrases, API keys, plain text data |
| `application/octet-stream` | Binary data, symmetric keys |
| `application/pkix-cert` | X.509 certificates, public keys |
If you do not select a content type, the system auto-selects based on
your secret type: `application/octet-stream` for symmetric keys,
`application/pkix-cert` for certificates, and `text/plain` for all others.
Click **Confirm** to create the secret. It appears in the Secrets list with
status **Active**.
Secret appears in the Secrets list with its UUID and Active status.
Store secrets using the `openstack secret store` command. Source your
project credentials first:
```bash title="Source credentials" theme={null}
source openrc.sh
```
```bash title="Store a passphrase" theme={null}
openstack secret store \
--name db-root-password \
--secret-type passphrase \
--payload "S3cur3P@ssw0rd!" \
--payload-content-type "text/plain"
```
```bash title="Store an AES-256 symmetric key" theme={null}
openstack secret store \
--name data-encryption-key \
--secret-type symmetric \
--algorithm aes \
--bit-length 256 \
--mode gcm \
--payload-content-type "application/octet-stream" \
--payload-content-encoding base64 \
--payload "$(openssl rand -base64 32)"
```
```bash title="Store a private key from file" theme={null}
openstack secret store \
--name app-tls-private-key \
--secret-type private \
--algorithm rsa \
--bit-length 4096 \
--payload-content-type "application/pkcs8" \
--payload-content-encoding base64 \
--payload "$(base64 -w 0 private_key.pem)"
```
```bash title="Store a certificate" theme={null}
openstack secret store \
--name app-tls-cert \
--secret-type certificate \
--algorithm rsa \
--bit-length 2048 \
--payload-content-type "application/pkix-cert" \
--payload-content-encoding base64 \
--payload "$(base64 -w 0 certificate.pem)"
```
```bash title="Store an opaque secret with expiration" theme={null}
openstack secret store \
--name temp-api-key \
--secret-type opaque \
--payload "temp-token-value-abc123" \
--payload-content-type "text/plain" \
--expiration "2026-12-31T23:59:59"
```
For binary payloads (private keys, certificates, symmetric keys), use
`--payload-content-encoding base64` and base64-encode the payload.
For text payloads (passphrases, API keys), use `text/plain` without encoding.
***
## Retrieve a Secret
Navigate to **Project > Key Manager > Secrets**. Click the secret name
to open the detail page.
The detail page shows:
| Field | Description |
| --------------- | --------------------------------------- |
| **Secret Type** | The type selected at creation |
| **Status** | Active or Error |
| **Mode** | Block cipher mode (symmetric keys only) |
| **Bit Length** | Key size in bits |
| **Created** | Creation timestamp |
| **Updated** | Last modification timestamp |
| **Expiration** | Expiration date, or `-` if none set |
The Dashboard does not display secret payloads after creation. To retrieve
a secret payload, use the CLI or API.
```bash title="List all secrets in your project" theme={null}
openstack secret list
```
```bash title="Show secret metadata (no payload)" theme={null}
openstack secret show
```
```bash title="Retrieve the secret payload" theme={null}
openstack secret get --payload
```
Treat retrieved payloads with the same care as any plaintext credential. Do not
log, store in environment variables without restriction, or pipe to commands that
might expose the value in process listings.
***
## Delete a Secret
Navigate to **Project > Key Manager > Secrets**. Select one or more
secrets using the checkboxes, then click **Delete** in the actions menu.
Alternatively, click the **More** menu on a single secret row and
select **Delete Secret**.
Confirm the deletion in the dialog. This action is permanent.
Deleting a secret is irreversible. If the secret is referenced by
containers, Load Balancer listeners, or volume encryption, those
references will break immediately. Update all references before deleting.
```bash title="Delete a secret" theme={null}
openstack secret delete
```
```bash title="Delete by name (if unique)" theme={null}
openstack secret delete $(openstack secret list --name db-root-password -f value -c "Secret href")
```
***
## Project Scope and Access
Secrets in Key Manager are **project-scoped** by default:
| Behavior | Description |
| ------------------------ | -------------------------------------------------------------------------------------- |
| **Visibility** | Secrets are visible only to users within the project that created them |
| **Cross-project access** | Not permitted unless explicitly granted via [ACL](/services/key-manager/acl) |
| **Project switching** | Switching projects in the Dashboard shows a different set of secrets |
| **Service access** | Services like the Load Balancer access secrets using the project's service credentials |
| **Admin access** | Platform administrators can view all secrets across projects from the admin panel |
To share a certificate or encryption key with another project, use an ACL
rather than storing duplicate copies. This ensures a single source of truth
and simplifies key rotation.
***
## Secret Type Reference
**Use case**: Store any arbitrary data — API keys, database passwords, configuration
values, OAuth tokens, or binary blobs.
No algorithm or key length metadata is required. This is the most flexible type
and the default selection.
```bash title="CLI example" theme={null}
openstack secret store \
--name github-api-token \
--secret-type opaque \
--payload "ghp_xxxxxxxxxxxxxxxxxxxx" \
--payload-content-type "text/plain"
```
**Use case**: Store symmetric encryption keys for AES, DES, or 3DES encryption.
Used for volume encryption, object storage encryption, and application-level encryption.
| Field | Options |
| ---------- | ------------------------------------ |
| Algorithm | AES, DES, 3DES |
| Bit Length | AES: 128/192/256, DES: 56, 3DES: 168 |
| Mode | CBC, CTR, GCM |
```bash title="CLI example — AES-256 GCM" theme={null}
openstack secret store \
--name volume-encryption-key \
--secret-type symmetric \
--algorithm aes --bit-length 256 --mode gcm \
--payload-content-type "application/octet-stream" \
--payload-content-encoding base64 \
--payload "$(openssl rand -base64 32)"
```
**Use case**: Store RSA, DSA, or EC public keys for key pair management,
signature verification, or encryption.
| Field | Options |
| ---------- | ---------------------------------------------------- |
| Algorithm | RSA, DSA, EC |
| Bit Length | RSA: 2048/3072/4096, DSA: 2048/3072, EC: 256/384/521 |
```bash title="CLI example — RSA 4096 public key" theme={null}
openstack secret store \
--name ssh-public-key \
--secret-type public \
--algorithm rsa --bit-length 4096 \
--payload-content-type "application/pkix-cert" \
--payload-content-encoding base64 \
--payload "$(base64 -w 0 id_rsa.pub)"
```
**Use case**: Store RSA, DSA, or EC private keys for TLS, SSH, or code signing.
Always pair with a corresponding public key or certificate.
| Field | Options |
| ---------- | ---------------------------------------------------- |
| Algorithm | RSA, DSA, EC |
| Bit Length | RSA: 2048/3072/4096, DSA: 2048/3072, EC: 256/384/521 |
```bash title="CLI example — RSA 4096 private key" theme={null}
openstack secret store \
--name app-tls-key \
--secret-type private \
--algorithm rsa --bit-length 4096 \
--payload-content-type "application/pkcs8" \
--payload-content-encoding base64 \
--payload "$(base64 -w 0 private_key.pem)"
```
**Use case**: Store X.509 TLS/SSL certificates for HTTPS termination,
mTLS authentication, or certificate chain management.
| Field | Options |
| ---------- | ------------------------------------ |
| Algorithm | RSA, EC |
| Bit Length | RSA: 2048/3072/4096, EC: 256/384/521 |
```bash title="CLI example — TLS certificate" theme={null}
openstack secret store \
--name app-tls-cert \
--secret-type certificate \
--algorithm rsa --bit-length 2048 \
--payload-content-type "application/pkix-cert" \
--payload-content-encoding base64 \
--payload "$(base64 -w 0 certificate.pem)"
```
**Use case**: Store passwords, passphrases, PINs, or other human-readable
credential strings. No algorithm metadata is required.
```bash title="CLI example" theme={null}
openstack secret store \
--name db-admin-password \
--secret-type passphrase \
--payload "MyS3cur3P@ssw0rd!" \
--payload-content-type "text/plain"
```
***
## Next Steps
Bundle secrets into named containers for TLS and key pair management
Store and manage TLS certificates using Key Manager
Share secrets across projects with fine-grained access control
Resolve 403 errors, payload retrieval failures, and expired secret issues