Is it acceptable to store environment variables and application secrets together?

Configuration settings are the values that vary between deployments of the same application to different execution environments, like a test and production environment.

The configuration settings, or environment variables, include both secret and non-secret values but people often differentiate between them and talk about application secrets and environment variables (the non-secret ones) as distinct things.

Storing and managing application secrets properly is a non-trivial task. It is a topic that gets some attention and there are a number of options available to use.

Since the focus is on the secrets it may not be obvious how to deal with the non-secret variables. Should they be treated differently than the secrets?

Secrets should be protected properly and ideally they should change regularly while non-secret variables tend to change rarely and their exposure has no major impact on the company or their users. Otherwise secret and non-secret environment variables are pretty similar. It makes sense to store and manage them together because you will have less overhead, less infrastructure expenses and only one management system to maintain. The extra security also provides protection for the times when non-secret variables are more sensitive than expected.

In addition you will get some features that are normally only associated with secrets management. Depending on your management solution these may include:

  • Audit logs
  • Versioning
  • Access control
  • Synchronisation between team members
  • Management functions for multiple environments

In general the secrets and non-secrets should be managed together …

In general the secrets and non-secrets should be managed together unless there is a specific reason not to. One such reason could be when you use a paid-for secrets management service that charges per secret, in which case the decision will be mostly influenced by your budget.

Comments or questions?

Contact me

Was this article helpful?

Learn more about secure credential deployment.
Subscribe to get new articles delivered to your inbox.

No spam. Unsubscribe at any time.