Managing Secrets
Secrets management is a critical component of application security in Quant Cloud. The platform provides encrypted storage and secure injection of sensitive data like API keys, database passwords, certificates, and authentication tokens into your containers as environment variables.
Secrets are managed through the Environment & Secrets tab on your environment details page, where they’re stored in an encrypted secret store that provides enhanced security compared to standard environment variables.
Managing Secrets
Viewing Secret Names
The interface displays the names (keys) of all secrets defined for your environment. Secret values are never displayed for security reasons; only the secret names are visible.
Adding New Secrets
Click “Add Secret” to create a new secret. You’ll need to provide:
- Name: The secret identifier (e.g., STRIPE_API_KEY, JWT_SECRET, OAUTH_CLIENT_SECRET)
  - Must be unique within the environment
  - Cannot conflict with environment variable names
  - Follow standard naming conventions (uppercase, underscores, alphanumeric)
- Value: The sensitive data to be encrypted and stored securely
Updating Existing Secrets
To update a secret’s value, select the secret and provide a new value. The secret name cannot be changed; to rename a secret, delete the existing one and create a new secret with the desired name.
Removing Secrets
Delete secrets that are no longer needed. Before deleting one, confirm that no container mapping or application code still references it: a deleted secret is simply absent from the container environment, and the resulting failure typically surfaces only when the application first reads the variable.
How Secrets Work
Automatic Injection as Environment Variables
Secrets are automatically injected into all containers within the environment as environment variables. Unlike standard environment variables, secrets are encrypted at rest and securely delivered to your containers at runtime.
Environment Variable Mapping
You can also create custom mappings for secrets through individual container configuration:
- Navigate to your environment’s “Edit Config” page
- Expand the container you want to configure
- Enable “Show Advanced Options” to reveal the secrets section
- Map secrets to specific environment variable names within that container
Each mapping allows you to:
- Choose the secret from your environment’s secret store
- Specify the environment variable name as it will appear inside the container
- Override the default naming if needed for your application
Environment Isolation
Secrets are not automatically propagated between environments. Each environment maintains its own independent secret store, ensuring that:
- Production secrets remain isolated from development environments
- Different API keys can be used for different environments
- Secret rotation can be performed per environment as needed
Automatic Database Secrets
When you enable a managed database for your application, Quant Cloud automatically creates and manages database connection secrets for you:
- DB_HOST: Database server hostname
- DB_USERNAME: Database username
- DB_PASSWORD: Database password
- DB_DATABASE: Database name
These secrets are automatically injected into all containers in the environment, providing secure database connectivity without manual configuration. The database credentials are unique to each environment and automatically rotated as needed.
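As an added example (not Quant Cloud’s own code), here is how an application inside a container might consume the injected secrets described above: it applies the naming rules from Adding New Secrets before a secret is created, fails fast at start-up if any of the automatically created DB_* secrets is missing, keeps the password out of repr() output, and masks secret values in outgoing log lines. The PostgreSQL-style connection URL, the secret name PAYMENTS_API_KEY and the values in SAMPLE_ENV are assumptions of the example, not facts about the platform.

```python
"""Consume Quant Cloud-injected secrets safely at container start-up.

Added example, not Quant Cloud's own code. It relies only on what the page
states: secrets reach the container as environment variables, and a managed
database supplies DB_HOST, DB_USERNAME, DB_PASSWORD and DB_DATABASE. The
PostgreSQL-style URL built by dsn(), the secret name PAYMENTS_API_KEY and
the SAMPLE_ENV values are illustrative assumptions, not platform facts.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Optional
from urllib.parse import quote

# Naming rule from "Adding New Secrets": uppercase, underscores, alphanumeric.
SECRET_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")

# Secret names Quant Cloud creates for a managed database (from the page).
DB_SECRETS = ("DB_HOST", "DB_USERNAME", "DB_PASSWORD", "DB_DATABASE")

# Values that must never reach a log line (assumed names for this example).
SENSITIVE = ("DB_PASSWORD", "PAYMENTS_API_KEY")

# Constructed stand-in for the container environment so the file runs offline.
SAMPLE_ENV = {
    "DB_HOST": "db.internal",
    "DB_USERNAME": "app",
    "DB_PASSWORD": "p@ss:w0rd!",
    "DB_DATABASE": "appdb",
    "PAYMENTS_API_KEY": "sk_test_0123456789",  # a custom per-container mapping
}


class MissingSecret(RuntimeError):
    """A secret the application depends on is absent from the environment."""


def secret_name_problems(name: str, existing: Mapping[str, str]) -> List[str]:
    """Check a proposed secret name against the platform's rules.

    `existing` holds the environment's current secret and environment variable
    names: secrets must be unique and must not collide with plain variables.
    Returns a list of problems; an empty list means the name is acceptable.
    """
    problems = []
    if not SECRET_NAME.match(name):
        problems.append("use only uppercase letters, digits and underscores")
    if name in existing:
        problems.append("name already used by a secret or environment variable")
    return problems


def missing_secrets(names: Iterable[str],
                    env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Return the names that are unset or empty in `env` (os.environ by default)."""
    env = os.environ if env is None else env
    return [n for n in names if not env.get(n)]


def require_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read one injected secret, failing at start-up rather than on first use.

    A deleted or unmapped secret is simply absent from the container, so this
    turns a late, vague runtime error into an immediate, clearly named one.
    """
    env = os.environ if env is None else env
    if missing_secrets([name], env):
        raise MissingSecret(f"secret {name} is not set in this environment")
    return env[name]


@dataclass(frozen=True, repr=False)
class DbConfig:
    host: str
    user: str
    password: str
    database: str

    def dsn(self) -> str:
        # Percent-encode user and password so a generated password containing
        # '@', ':' or '/' cannot break the URL. (URL form is an assumption.)
        return (f"postgresql://{quote(self.user, safe='')}:"
                f"{quote(self.password, safe='')}@{self.host}/{self.database}")

    def __repr__(self) -> str:
        # Keep the password out of tracebacks, debug dumps and log lines.
        return (f"DbConfig(host={self.host!r}, user={self.user!r}, "
                f"database={self.database!r}, password='***')")


def load_db_config(env: Optional[Mapping[str, str]] = None) -> DbConfig:
    """Build database settings from the auto-created DB_* secrets, reporting
    every missing name at once instead of stopping at the first."""
    env = os.environ if env is None else env
    missing = missing_secrets(DB_SECRETS, env)
    if missing:
        raise MissingSecret("missing database secrets: " + ", ".join(missing))
    return DbConfig(host=env["DB_HOST"], user=env["DB_USERNAME"],
                    password=env["DB_PASSWORD"], database=env["DB_DATABASE"])


def redact(text: str, secret_names: Iterable[str],
           env: Optional[Mapping[str, str]] = None) -> str:
    """Mask the named secrets (raw and URL-encoded forms) wherever they occur.

    The platform keeps secret values out of its own logs; it cannot stop the
    application from echoing them, so pass outbound log lines through this.
    Only redact genuinely sensitive names: short values such as a username
    would over-match ordinary words.
    """
    env = os.environ if env is None else env
    for name in secret_names:
        value = env.get(name)
        if not value:
            continue
        for form in (value, quote(value, safe="")):
            text = text.replace(form, f"<{name}>")
    return text


if __name__ == "__main__":
    cfg = load_db_config(SAMPLE_ENV)
    print(cfg)  # password shown as ***
    print(redact(f"connecting to {cfg.dsn()}", SENSITIVE, SAMPLE_ENV))
    without_pw = {k: v for k, v in SAMPLE_ENV.items() if k != "DB_PASSWORD"}
    print("missing:", missing_secrets(DB_SECRETS, without_pw))
```

Call load_db_config() with no argument inside the container to read the real os.environ; the SAMPLE_ENV mapping exists only so the example runs without a Quant Cloud deployment.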
Security Benefits
Encryption at Rest
All secret values are encrypted using industry-standard encryption before being stored. Secret values are never stored in plain text.
Secure Transmission
Secrets are securely transmitted to containers using encrypted channels, ensuring sensitive data is protected in transit.
Access Control
Secret values are never displayed in logs, process lists, or the management interface after creation. Only authorized containers can access secret values at runtime. Note that inside a container an injected secret is an ordinary environment variable: every process in that container, including any child process it spawns, can read it, so the application itself must avoid dumping its environment or echoing configuration values into error messages and logs.
Audit Trail
Secret management operations (creation, updates, deletion) are logged for security auditing and compliance purposes.
Best Practices
Secret Naming
- Use descriptive names that indicate the secret’s purpose (e.g., STRIPE_SECRET_KEY, JWT_SIGNING_SECRET)
- Follow consistent naming conventions across your organization
- Group related secrets with prefixes (e.g., OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET)
Secret Rotation
- Regularly rotate API keys and passwords
- Update secrets in all relevant environments when rotating
- Test applications after secret updates to ensure connectivity
Environment Strategy
- Use different secrets for each environment (development, staging, production)
- Never share production secrets with non-production environments
- Implement least-privilege access by environment
Value Management
- Store backup copies of critical secrets in a secure password manager
- Document the purpose and source of each secret
- Remove unused secrets to minimize security exposure
Secrets provide the foundation for secure application configuration, ensuring that sensitive data is protected while remaining easily accessible to your applications at runtime.