{"id":9842,"date":"2021-11-02T12:00:32","date_gmt":"2021-11-02T11:00:32","guid":{"rendered":"http:\/\/www.orbit.cz\/?post_type=encyklopedie-cloudu&#038;p=9842"},"modified":"2025-09-03T10:01:24","modified_gmt":"2025-09-03T08:01:24","slug":"sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu","status":"publish","type":"encyklopedie-cloudu","link":"http:\/\/4.184.192.234\/en\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/","title":{"rendered":"Encryption keys: where to put them and how to work with application secrets in the cloud?"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1120\" height=\"520\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu.png\" alt=\"Encryption keys and application secrets in the cloud | ORBIT Cloud Encyclopedia \" class=\"wp-image-9530\" style=\"width:777px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu.png 1120w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu-300x139.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu-1024x475.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu-768x357.png 768w\" sizes=\"auto, (max-width: 1120px) 100vw, 1120px\" \/><\/figure>\n<\/div>\n\n\n<p><strong>Encryption keys, application passwords or other secrets are the same as house keys. You don't want to lose them, they need to be safe, and they should be replaced from time to time. The days when the database password was directly part of the application code are thankfully gone. The typical trend is to store passwords securely outside the application. 
So today we'll take a detailed look at how to work with passwords, and secrets in general, in the cloud and what tools we can use.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What keys or secrets will we encounter?<\/h3>\n\n\n\n<p>Working with keys or other secrets can be divided into two basic areas: the management of&nbsp;<strong>encryption keys<\/strong>&nbsp;and the management of&nbsp;<strong>application secrets<\/strong>. Neither of them should be underestimated.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Encryption keys<\/h2>\n\n\n\n<p>Encryption keys are an essential component of data encryption. The generally recommended approach is to&nbsp;<strong>encrypt data anytime, anywhere<\/strong>; in this article, however, we will focus on data encryption in the cloud. First, let's divide it into&nbsp;<strong>encryption during transmission<\/strong>&nbsp;(data in transit) and&nbsp;<strong>encryption of stored data<\/strong>&nbsp;(data at rest).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><a href=\"https:\/\/www.slideshare.net\/AmazonWebServices\/aws-security-webinar-the-key-to-effective-cloud-encryption\"><img loading=\"lazy\" decoding=\"async\" width=\"1740\" height=\"976\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845334895.jpg\" alt=\"Ubiquitous Encryption | Encryption Keys and Application Secrets in the Cloud | ORBIT Cloud Encyclopedia\" class=\"wp-image-9852\" style=\"width:621px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845334895.jpg 1740w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845334895-300x168.jpg 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845334895-1024x574.jpg 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845334895-768x431.jpg 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845334895-1536x862.jpg 1536w\" sizes=\"auto, (max-width: 1740px) 100vw, 1740px\" \/><\/a><figcaption class=\"wp-element-caption\">Ubiquitous Encryption (slideshare.net)<\/figcaption><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\">Data encryption during transmission<\/h3>\n\n\n\n<p>This kind of encryption is typically implemented with&nbsp;<em>TLS<\/em>&nbsp;(the successor of SSL, which should no longer be used) or&nbsp;<em>IPsec<\/em>. The aim of these protocols is to secure the transmission itself. For simplicity, we can think of them as a secure tunnel between two devices: the data inside the tunnel is accessible to the two endpoints, but the outside world (e.g. the ISP's devices) cannot see into it. Keep in mind that whoever terminates the tunnel sees the plaintext, so a TLS-terminating load balancer or proxy in the path is an endpoint too. A typical representative of&nbsp;<em>encryption of data in transit<\/em>&nbsp;that everyone knows is the&nbsp;<strong>HTTPS protocol<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption of stored data<\/h3>\n\n\n\n<p>In this area, which is the more interesting one for cloud usage, two basic approaches are usually applied: client-side encryption and server-side encryption.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Client-side encryption<\/strong><\/h4>\n\n\n\n<p>The implementation of client-side encryption is always individual, since (as the name implies) the client (typically the application) is responsible for the encryption. The data is therefore&nbsp;<strong>encrypted by the application itself before being stored in the cloud<\/strong>, and the cloud provider only ever sees ciphertext.<\/p>\n\n\n\n<p>The implementation of client-side encryption is therefore always up to the developer of the application itself. 
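<\/p>\n\n\n\n<p>As an added example (this is not code from the original article), the following Python shows the shape a client-side implementation normally takes: envelope encryption. A key service hands the application a fresh data key together with a wrapped copy of it, the application encrypts the object itself, discards the plaintext data key and stores only the wrapped copy next to the ciphertext. Everything is constructed to run offline: the&nbsp;<em>FakeKms<\/em>&nbsp;class stands in for AWS KMS (its method names and the&nbsp;<em>EncryptionContext<\/em>&nbsp;binding follow the real API, the internals do not), the&nbsp;<em>aead_encrypt<\/em>&nbsp;and&nbsp;<em>aead_decrypt<\/em>&nbsp;functions use HMAC-SHA256 as a stand-in for the AES-GCM a real SDK would use, and the key id and the plaintext are made up.<\/p>\n\n\n\n

```python
import hashlib
import hmac
import json
import secrets


def _subkey(key, label):
    # Derive separate encryption and MAC keys from one 32-byte key (HMAC used as a KDF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a dependency-free stand-in for
    # the AES-GCM a real SDK would use, not something to ship in production.
    out = b''
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, 'big'), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(mac_key, nonce, aad, ciphertext):
    # Encrypt-then-MAC over the nonce, the length-prefixed AAD and the ciphertext.
    return hmac.new(mac_key, nonce + len(aad).to_bytes(4, 'big') + aad + ciphertext, hashlib.sha256).digest()


def aead_encrypt(key, plaintext, aad=b''):
    enc_key, mac_key = _subkey(key, b'enc'), _subkey(key, b'mac')
    nonce = secrets.token_bytes(16)  # fresh per message, never reused with the same key
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + _tag(mac_key, nonce, aad, ciphertext)


def aead_decrypt(key, blob, aad=b''):
    enc_key, mac_key = _subkey(key, b'enc'), _subkey(key, b'mac')
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ciphertext)):
        raise ValueError('integrity check failed: wrong key, wrong context or tampered data')
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def _context_bytes(encryption_context):
    # KMS binds the encryption context to a ciphertext as additional authenticated data,
    # so the same context has to be supplied again to decrypt.
    return json.dumps(encryption_context, sort_keys=True).encode()


class FakeKms:
    # Constructed stand-in for AWS KMS (not boto3). Master keys never leave the object,
    # which is the property the real service gives you: KMS keys are not exportable.
    def __init__(self):
        self._master_keys = {}
        self.audit_log = []  # the real service writes every key use to CloudTrail

    def create_key(self, key_id):
        self._master_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, KeyId, EncryptionContext):
        self.audit_log.append(('GenerateDataKey', KeyId))
        data_key = secrets.token_bytes(32)
        wrapped = aead_encrypt(self._master_keys[KeyId], data_key, _context_bytes(EncryptionContext))
        return {'Plaintext': data_key, 'CiphertextBlob': wrapped}

    def decrypt(self, KeyId, CiphertextBlob, EncryptionContext):
        # The real API recovers the key id from the blob itself; here it is passed explicitly.
        self.audit_log.append(('Decrypt', KeyId))
        plain = aead_decrypt(self._master_keys[KeyId], CiphertextBlob, _context_bytes(EncryptionContext))
        return {'Plaintext': plain}


def client_side_encrypt(kms, key_id, plaintext, encryption_context):
    # Envelope encryption: one fresh data key per object, used once in memory and then
    # dropped; only its KMS-wrapped form is stored next to the ciphertext.
    data_key = kms.generate_data_key(KeyId=key_id, EncryptionContext=encryption_context)
    body = aead_encrypt(data_key['Plaintext'], plaintext, _context_bytes(encryption_context))
    return {'wrapped_key': data_key['CiphertextBlob'].hex(), 'ciphertext': body.hex(),
            'context': encryption_context}


def client_side_decrypt(kms, key_id, record):
    # Reading the object back requires a KMS Decrypt call, and therefore permission on the
    # key, which is what makes the access auditable and revocable.
    data_key = kms.decrypt(KeyId=key_id, CiphertextBlob=bytes.fromhex(record['wrapped_key']),
                           EncryptionContext=record['context'])
    return aead_decrypt(data_key['Plaintext'], bytes.fromhex(record['ciphertext']),
                        _context_bytes(record['context']))
```

<p>The properties worth noticing are the ones the text above calls for: the master key never leaves the key service, every decryption goes through it (and so shows up in the audit log and is subject to the key's access policy), the data key differs for every object, and any tampering with the stored ciphertext or a mismatched encryption context is rejected before any plaintext is returned.<\/p>\n\n\n\n<p>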
Generally speaking, client-side encryption provides higher assurance than server-side encryption (you have complete control over the encryption, and the provider never holds the plaintext), but on the other hand it brings some potential problems:&nbsp;<strong>it complicates and prolongs application development<\/strong>, and an incorrect implementation (a hard-coded key, a reused nonce, a missing integrity check)&nbsp;<strong>may actually reduce the level of security<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><a href=\"https:\/\/docs.microsoft.com\/cs-cz\/azure\/security\/fundamentals\/encryption-models\"><img loading=\"lazy\" decoding=\"async\" width=\"1478\" height=\"584\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sad.png\" alt=\"Application and Resource Provider | ORBIT Cloud Encyclopedia\" class=\"wp-image-9854\" style=\"width:609px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sad.png 1478w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sad-300x119.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sad-1024x405.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sad-768x303.png 768w\" sizes=\"auto, (max-width: 1478px) 100vw, 1478px\" \/><\/a><figcaption class=\"wp-element-caption\">Encryption model (docs.microsoft.com)<\/figcaption><\/figure>\n<\/div>\n\n\n<h4 class=\"wp-block-heading\"><strong>Server-side encryption<\/strong><\/h4>\n\n\n\n<p>In the case of server-side encryption, encryption occurs within the data store (whether it is a virtual server's disk, a database, or another resource). From the application's point of view, nothing changes: the application works with unencrypted data and does not need to be modified in any way. The flip side is that server-side encryption protects mainly against loss or theft of the underlying storage and against access that bypasses the platform; anyone who is authorized to read the resource through the cloud API still gets plaintext.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What about the encryption keys?<\/h3>\n\n\n\n<p>In all cases, i.e. with client-side encryption, server-side encryption, and also encryption in transit, you need encryption keys (symmetric keys, private keys, and the certificates that carry the public ones). 
For all of them the following applies:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>store them somewhere with restricted access,<\/li>\n\n\n\n<li>manage their life cycle (generation, rotation, revocation and destruction),<\/li>\n\n\n\n<li>audit their use.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><a href=\"https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html\"><img loading=\"lazy\" decoding=\"async\" width=\"1794\" height=\"602\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad.jpg\" alt=\"Encryption keys | Encryption keys and application secrets in the cloud | ORBIT Cloud Encyclopedia\" class=\"wp-image-9858\" style=\"width:529px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad.jpg 1794w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-300x101.jpg 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-1024x344.jpg 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-768x258.jpg 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-1536x515.jpg 1536w\" sizes=\"auto, (max-width: 1794px) 100vw, 1794px\" \/><\/a><figcaption class=\"wp-element-caption\">Encryption keys (docs.aws.amazon.com)<\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">Application secrets<\/h2>\n\n\n\n<p>The second area that should not be forgotten is&nbsp;<strong>managing and storing application secrets<\/strong>, e.g. service passwords, connection strings, API keys, application certificates, etc.<\/p>\n\n\n\n<p>The goal is to separate application secrets from application code. Thus,&nbsp;<strong>no passwords or other secrets are to be stored in the application code<\/strong>, and that includes the configuration files and container images that ship with it. The reasoning is clear: segregation of duties between the developers and whoever administers the secrets. The developer doesn't (and shouldn't) need to know the password to, for example, a database. 
The developer only needs to know whom (or what service) to ask for the password.<\/p>\n\n\n\n<p>The second major advantage of moving passwords out of the application into an external service is&nbsp;<strong>easy auditing of access<\/strong>&nbsp;to these secrets and the possibility of&nbsp;<strong>automatic password rotation<\/strong>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><a href=\"https:\/\/aws.amazon.com\/blogs\/security\/how-to-securely-provide-database-credentials-to-lambda-functions-by-using-aws-secrets-manager\/\"><img loading=\"lazy\" decoding=\"async\" width=\"2232\" height=\"841\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845528136.png\" alt=\"Secure Database Example | ORBIT Cloud Encyclopedia \" class=\"wp-image-9860\" style=\"width:465px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845528136.png 2232w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845528136-300x113.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845528136-1024x386.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845528136-768x289.png 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845528136-1536x579.png 1536w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/1635845528136-2048x772.png 2048w\" sizes=\"auto, (max-width: 2232px) 100vw, 2232px\" \/><\/a><figcaption class=\"wp-element-caption\">Lambda Functions by Using AWS Secrets Manager (aws.amazon.com)<\/figcaption><\/figure>\n<\/div>\n\n\n<p>What does it look like in practice? The application only uses the&nbsp;<em>Software Development Kit<\/em>&nbsp;(SDK) of one of the secret-storage services, for example&nbsp;<a href=\"https:\/\/aws.amazon.com\/secrets-manager\/\" target=\"_blank\" rel=\"noopener\">AWS Secrets Manager<\/a>, and asks for the secret at run time instead of reading it from its own configuration. 
The following (simplified) example, shown as a screenshot, shows how an application can retrieve the secret named database_password from AWS Secrets Manager:<\/p>\n\n\n<div class=\"wp-block-image wp-image-9862\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1878\" height=\"1150\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsa.jpg\" alt=\"Retrieving passwords from AWS Secrets Manager | Cloud Encryption Keys and Application Secrets | ORBIT Cloud Encyclopedia\" class=\"wp-image-9862\" style=\"width:529px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsa.jpg 1878w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsa-300x184.jpg 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsa-1024x627.jpg 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsa-768x470.jpg 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsa-1536x941.jpg 1536w\" sizes=\"auto, (max-width: 1878px) 100vw, 1878px\" \/><figcaption class=\"wp-element-caption\">Retrieving a password from AWS Secrets Manager<\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Tools for encryption keys and application secrets in the cloud<\/strong><\/h2>\n\n\n\n<p>Both major public cloud platforms, Amazon Web Services and Microsoft Azure, offer a comprehensive portfolio of services for working with keys and application secrets.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Amazon Web Services<\/h3>\n\n\n\n<p>In an AWS environment, we can use two key services. 
The service for working with encryption keys is&nbsp;<a href=\"https:\/\/aws.amazon.com\/kms\/\" target=\"_blank\" rel=\"noopener\">AWS Key Management Service (KMS)<\/a>, and for application secrets it is&nbsp;<a href=\"https:\/\/aws.amazon.com\/secrets-manager\/\" target=\"_blank\" rel=\"noopener\">AWS Secrets Manager<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>AWS Key Management Service<\/strong><\/h4>\n\n\n\n<p>This service offers two basic kinds of encryption keys:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS managed keys<\/strong>: keys that are completely managed by AWS. As a customer you don't have to worry about their life cycle or manipulate them in any way, you just use them to encrypt your data. The trade-off is that you cannot edit their key policy or control their rotation.<\/li>\n\n\n\n<li><strong>Customer managed keys<\/strong>: keys you are in complete control of. You are responsible for their key policy, their rotation and their entire life cycle, including scheduling their deletion. The&nbsp;<em>key material<\/em>&nbsp;can be generated by KMS itself, you can import&nbsp;<em>key material<\/em>&nbsp;from your own HSM, or you can keep it in&nbsp;<a href=\"https:\/\/aws.amazon.com\/cloudhsm\/\" target=\"_blank\" rel=\"noopener\">AWS CloudHSM<\/a>&nbsp;through a custom key store.<\/li>\n<\/ul>\n\n\n\n<p>The higher the complexity of the encryption infrastructure, the more difficult it is to manage and the higher the cost.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><a href=\"https:\/\/aws.amazon.com\/blogs\/security\/demystifying-kms-keys-operations-bring-your-own-key-byok-custom-key-store-and-ciphertext-portability\/\"><img loading=\"lazy\" decoding=\"async\" width=\"1664\" height=\"944\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-1.jpg\" alt=\"Cost and complexity of keys | ORBIT Cloud Encyclopedia\" class=\"wp-image-9864\" style=\"width:469px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-1.jpg 1664w, 
http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-1-300x170.jpg 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-1-1024x581.jpg 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-1-768x436.jpg 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdsad-1-1536x871.jpg 1536w\" sizes=\"auto, (max-width: 1664px) 100vw, 1664px\" \/><\/a><figcaption class=\"wp-element-caption\">Cost &amp; Complexity of encryption keys management solutions (aws.amazon.com)<\/figcaption><\/figure>\n<\/div>\n\n\n<p>On the other hand, it is important to mention that even the most basic&nbsp;<em>customer managed key<\/em>&nbsp;generated directly in KMS (Native KMS in the figure above) meets the requirements of&nbsp;<strong><em>PCI DSS Level 1<\/em><\/strong>, as AWS puts it in the KMS documentation:<\/p>\n\n\n\n<p><em>Since security and quality controls in AWS KMS have been validated and certified to meet the requirements of PCI DSS Level 1 certification, you can directly encrypt Primary Account Number (PAN) data with an AWS KMS CMK. The use of a CMK to directly encrypt data removes some of the burden of managing encryption libraries. Additionally, a CMK can't be exported from AWS KMS, which alleviates the concern about the encryption key being stored in an insecure manner. As all KMS requests are logged in CloudTrail, use of the CMK can be audited by reviewing the CloudTrail logs.&nbsp;<\/em><\/p>\n\n\n\n<p>(CMK, customer master key, is the older name for what AWS now simply calls a KMS key.)<\/p>\n\n\n\n<p>How does it look then in terms of encrypting individual resources, whether databases, virtual servers or other services? 
Once you have a key (whether <em>AWS managed<\/em> or <em>customer managed<\/em>), you can immediately use it to encrypt individual resources, for example an&nbsp;<em>EBS volume<\/em>.<\/p>\n\n\n<div class=\"wp-block-image wp-image-9866\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"2048\" height=\"857\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/fdsfsf-scaled.jpg\" alt=\"KMS Key | ORBIT Cloud Encyclopedia\" class=\"wp-image-9866\" style=\"width:607px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/fdsfsf-scaled.jpg 2048w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/fdsfsf-300x126.jpg 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/fdsfsf-1024x429.jpg 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/fdsfsf-768x321.jpg 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/fdsfsf-1536x643.jpg 1536w\" sizes=\"auto, (max-width: 2048px) 100vw, 2048px\" \/><figcaption class=\"wp-element-caption\">KMS Key<\/figcaption><\/figure>\n<\/div>\n\n\n<p>It is worth stressing that&nbsp;<strong>many AWS resources are not encrypted by default<\/strong>&nbsp;and the user must explicitly enable encryption: an EBS volume, for instance, is encrypted only if you ask for it (or turn on the per-region \"encryption by default\" setting), and a snapshot of an unencrypted volume stays unencrypted. S3 is the exception; it has applied SSE-S3 to new objects by default since 2023. In contrast,&nbsp;<strong>in Microsoft Azure, storage resources are encrypted at rest by default<\/strong>&nbsp;with platform-managed keys, and customer-managed keys are an opt-in on top of that.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>AWS Secrets Manager<\/strong><\/h4>\n\n\n\n<p>As I have already hinted, Secrets Manager is used to store application secrets - typically passwords and connection strings. 
It has built-in secret types for several native AWS services (credentials for Amazon RDS, Redshift or DocumentDB, for instance), and of course you can store any other secret you want, as a key-value JSON document or as a raw string.<\/p>\n\n\n<div class=\"wp-block-image wp-image-9868\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"2048\" height=\"742\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasd-scaled.jpg\" alt=\"AWS Secrets Manager | ORBIT Cloud Encyclopedia\" class=\"wp-image-9868\" style=\"width:627px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasd-scaled.jpg 2048w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasd-300x109.jpg 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasd-1024x371.jpg 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasd-768x278.jpg 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasd-1536x557.jpg 1536w\" sizes=\"auto, (max-width: 2048px) 100vw, 2048px\" \/><figcaption class=\"wp-element-caption\">AWS Secrets Manager<\/figcaption><\/figure>\n<\/div>\n\n\n<p>The great advantage of Secrets Manager is the possibility of&nbsp;<strong>automatic rotation of individual passwords<\/strong>. The service handles the schedule and the version bookkeeping, but the rotation itself is performed by a Lambda function that the service invokes. 
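<\/p>\n\n\n\n<p>Both halves of this, the application asking the service for the current value (what the screenshot above shows) and the function that Secrets Manager invokes to rotate it, are shown together below as an added Python example that is not part of the original article. The service is replaced by a constructed in-memory&nbsp;<em>FakeSecretsManager<\/em>&nbsp;and the database by a&nbsp;<em>FakeDatabase<\/em>&nbsp;so that the flow runs offline; the secret name&nbsp;<em>prod-app-db<\/em>, the user name and the tokens are made up. The four steps (createSecret, setSecret, testSecret, finishSecret), the&nbsp;<em>ClientRequestToken<\/em>&nbsp;and the AWSCURRENT, AWSPENDING and AWSPREVIOUS staging labels are the ones the real service uses.<\/p>\n\n\n\n

```python
import json
import secrets
import string


class FakeSecretsManager:
    # Constructed in-memory stand-in for the Secrets Manager API (not boto3). It models only
    # what rotation needs: secret versions carrying staging labels, where AWSCURRENT and
    # AWSPENDING each sit on at most one version at a time.
    def __init__(self, initial_value):
        self.versions = {'v0': {'SecretString': json.dumps(initial_value), 'VersionStages': ['AWSCURRENT']}}

    def describe_secret(self, SecretId):
        return {'VersionIdsToStages': {v: list(d['VersionStages']) for v, d in self.versions.items()}}

    def get_secret_value(self, SecretId, VersionStage='AWSCURRENT', VersionId=None):
        for vid, d in self.versions.items():
            if vid == VersionId or (VersionId is None and VersionStage in d['VersionStages']):
                return {'VersionId': vid, 'SecretString': d['SecretString']}
        raise LookupError('no version for ' + str(VersionId or VersionStage))

    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.versions[ClientRequestToken] = {'SecretString': SecretString, 'VersionStages': list(VersionStages)}

    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId is not None:
            self.versions[RemoveFromVersionId]['VersionStages'].remove(VersionStage)
        self.versions[MoveToVersionId]['VersionStages'].append(VersionStage)
        if VersionStage == 'AWSCURRENT':
            # Mimic the service: the version that lost AWSCURRENT becomes the (only) AWSPREVIOUS
            # and the newly current version drops its AWSPENDING label.
            for d in self.versions.values():
                d['VersionStages'] = [s for s in d['VersionStages'] if s != 'AWSPREVIOUS']
            if RemoveFromVersionId is not None:
                self.versions[RemoveFromVersionId]['VersionStages'].append('AWSPREVIOUS')
            moved = self.versions[MoveToVersionId]
            moved['VersionStages'] = [s for s in moved['VersionStages'] if s != 'AWSPENDING']


class FakeDatabase:
    # Constructed stand-in for the database whose user password is being rotated.
    def __init__(self, username, password):
        self.passwords = {username: password}

    def connect(self, username, password):
        if self.passwords.get(username) != password:
            raise PermissionError('authentication failed for ' + username)
        return True

    def set_password(self, username, new_password):
        self.passwords[username] = new_password


def generate_password(length=32):
    alphabet = string.ascii_letters + string.digits + '!#%+-_=?'
    return ''.join(secrets.choice(alphabet) for _ in range(length))


def lambda_handler(event, context, sm, db):
    # Secrets Manager invokes the rotation function four times, once per Step, always with the
    # same ClientRequestToken, which becomes the id of the new version. In a real Lambda, sm is
    # boto3.client('secretsmanager') and db a database client; here both are injected.
    secret_id, token, step = event['SecretId'], event['ClientRequestToken'], event['Step']
    stages = sm.describe_secret(SecretId=secret_id)['VersionIdsToStages']
    if 'AWSCURRENT' in stages.get(token, []):
        return 'noop'  # this token already finished; re-invocations must be idempotent
    if step == 'createSecret':
        if token not in stages:  # create the AWSPENDING version only once
            current = json.loads(sm.get_secret_value(SecretId=secret_id)['SecretString'])
            pending = dict(current, password=generate_password())
            sm.put_secret_value(SecretId=secret_id, ClientRequestToken=token,
                                SecretString=json.dumps(pending), VersionStages=['AWSPENDING'])
    elif step == 'setSecret':
        current = json.loads(sm.get_secret_value(SecretId=secret_id)['SecretString'])
        pending = json.loads(sm.get_secret_value(SecretId=secret_id, VersionId=token)['SecretString'])
        db.connect(current['username'], current['password'])  # the old credential must still work
        db.set_password(pending['username'], pending['password'])
    elif step == 'testSecret':
        pending = json.loads(sm.get_secret_value(SecretId=secret_id, VersionId=token)['SecretString'])
        db.connect(pending['username'], pending['password'])  # prove the new credential before promoting it
    elif step == 'finishSecret':
        old = next(v for v, s in stages.items() if 'AWSCURRENT' in s)
        sm.update_secret_version_stage(SecretId=secret_id, VersionStage='AWSCURRENT',
                                       MoveToVersionId=token, RemoveFromVersionId=old)
    else:
        raise ValueError('unknown rotation step ' + step)
    return step


def rotate(sm, db, secret_id, token):
    # What the service does on schedule: the four steps in order, same token throughout.
    for step in ('createSecret', 'setSecret', 'testSecret', 'finishSecret'):
        lambda_handler({'SecretId': secret_id, 'ClientRequestToken': token, 'Step': step}, None, sm, db)
    return sm.describe_secret(SecretId=secret_id)['VersionIdsToStages']


def fetch_db_password(sm, secret_id):
    # The application side shown in the screenshot above: ask for the AWSCURRENT value at run
    # time and parse the JSON; nothing is stored in code or configuration.
    value = sm.get_secret_value(SecretId=secret_id, VersionStage='AWSCURRENT')['SecretString']
    return json.loads(value)['password']
```

<p>Two things in the handler are worth copying into a real rotation function: the idempotency guard at the top (the service retries steps, and a retry must not create a second pending version or re-promote one that is already current), and the testSecret step, which proves the new credential works before AWSCURRENT is moved. If that test fails, the old credential stays current and nothing that reads the secret breaks.<\/p>\n\n\n\n<p>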
This is therefore not entirely out-of-the-box functionality: AWS provides rotation function templates for the supported database engines, and for anything else you write the function yourself.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1928\" height=\"1242\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd.jpg\" alt=\"Automatic rotation of individual passwords in AWS Secrets Manager | ORBIT Cloud Encyclopedia\" class=\"wp-image-9870\" style=\"width:683px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd.jpg 1928w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd-300x193.jpg 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd-1024x660.jpg 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd-768x495.jpg 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd-1536x989.jpg 1536w\" sizes=\"auto, (max-width: 1928px) 100vw, 1928px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\">Microsoft Azure<\/h3>\n\n\n\n<p>In Azure, a single service is designed to handle both encryption keys and application secrets -&nbsp;<a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/key-vault\/\" target=\"_blank\" rel=\"noopener\">Azure Key Vault<\/a>&nbsp;(with Azure Key Vault Managed HSM as the single-tenant option for keys that must stay in a dedicated HSM).<\/p>\n\n\n\n<p>Encryption is handled in a similar way to AWS - so you have the option of using either the so-called&nbsp;<em>platform-managed keys<\/em>&nbsp;(analogous to&nbsp;<em>AWS managed keys<\/em>), i.e. 
keys completely managed by Azure, or&nbsp;<em>customer-managed keys<\/em>&nbsp;that live in your Key Vault and are referenced by the service (a storage account or a disk encryption set, for example), or a combination of the two.<\/p>\n\n\n<div class=\"wp-block-image wp-image-9872\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1836\" height=\"606\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadasd.png\" alt=\"Azure Key Vault | Encryption Keys and Application Secrets in the Cloud | ORBIT Cloud Encyclopedia\" class=\"wp-image-9872\" style=\"width:541px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadasd.png 1836w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadasd-300x99.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadasd-1024x338.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadasd-768x253.png 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadasd-1536x507.png 1536w\" sizes=\"auto, (max-width: 1836px) 100vw, 1836px\" \/><figcaption class=\"wp-element-caption\">Azure Key Vault<\/figcaption><\/figure>\n<\/div>\n\n\n<p>The second part of&nbsp;<em>Azure Key Vault<\/em>&nbsp;are the secrets themselves (analogous to&nbsp;<em>Secrets Manager<\/em>). Key Vault does not rotate secrets by itself: a secret can carry an expiry date and the vault can raise a near-expiry event, but the rotation logic (typically an Azure Function triggered by that event) is yours to supply.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1222\" height=\"1192\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasdada.png\" alt=\"Part 2 of Azure Key Vault | ORBIT Cloud Encyclopedia\" class=\"wp-image-9874\" style=\"width:557px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasdada.png 1222w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasdada-300x293.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasdada-1024x999.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasdada-768x749.png 768w\" sizes=\"auto, (max-width: 1222px) 100vw, 
1222px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>I am who I am, or the foundation of identity<\/strong><\/h2>\n\n\n\n<p>Now that we know where to store each application's secrets, the last step is: how does&nbsp;<strong>the application actually gain access to specific secrets<\/strong>? By virtue of its identity!<\/p>\n\n\n\n<p>There is no static \"access token\" to&nbsp;<em>AWS Secrets Manager<\/em>&nbsp;or&nbsp;<em>Azure Key Vault<\/em>&nbsp;baked into the application (that would just be a key to the vault locked away with another key); instead the application (or the component the application runs on) has an identity assigned, from which it obtains short-lived credentials at run time.<\/p>\n\n\n\n<p>So how do we work with the application identity?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Application Identity &amp; Amazon Web Services<\/h3>\n\n\n\n<p>An AWS environment uses&nbsp;<em>Identity and Access Management<\/em>&nbsp;(IAM) roles. Each component, whether it is a virtual server (through an instance profile), a Lambda function (its execution role), or a Kubernetes pod (IAM roles for service accounts), has&nbsp;<strong>its own role assigned<\/strong>. 
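<\/p>\n\n\n\n<p>How the permissions attached to such a role are evaluated, as an added Python example that is not part of the original article: the policy below is a constructed least-privilege policy for reading the two secrets this page uses, MySecret1 and MySecret2, in a hypothetical account 123456789012 and region eu-central-1 (the trailing wildcard is needed because Secrets Manager appends a random suffix to every secret ARN). The evaluator implements the core IAM rule, an explicit Deny wins over any Allow and everything else is implicitly denied, with wildcard matching on actions and resources; the linter flags the shortcuts that turn an application role into an account-wide secret reader.<\/p>\n\n\n\n

```python
import fnmatch

# Constructed example policy for the two secrets discussed on this page. The account id and
# region are hypothetical. Secrets Manager appends a random suffix to the secret ARN, hence
# the trailing wildcard; everything else is spelled out.
READ_TWO_SECRETS = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'ReadTwoSecrets',
        'Effect': 'Allow',
        'Action': ['secretsmanager:GetSecretValue', 'secretsmanager:DescribeSecret'],
        'Resource': [
            'arn:aws:secretsmanager:eu-central-1:123456789012:secret:MySecret1-*',
            'arn:aws:secretsmanager:eu-central-1:123456789012:secret:MySecret2-*',
        ],
    }],
}


def _as_list(value):
    # IAM accepts a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM action names are case-insensitive; resource ARNs are not. Both allow * and ?.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    # Simplified identity-based IAM evaluation: an explicit Deny anywhere wins, otherwise any
    # matching Allow grants access, otherwise the request is implicitly denied. Condition
    # blocks, NotAction and NotResource, resource policies, SCPs and permission boundaries
    # are out of scope here.
    decision = 'implicit-deny'
    for policy in policies:
        for statement in policy['Statement']:
            if not _matches(_as_list(statement.get('Action', [])), action, True):
                continue
            if not _matches(_as_list(statement.get('Resource', [])), resource, False):
                continue
            if statement['Effect'] == 'Deny':
                return 'explicit-deny'
            decision = 'allow'
    return decision


def lint_least_privilege(policy):
    # The review a reader-only application role should pass: no wildcard actions or
    # resources for the secrets service, and no write permissions at all.
    findings = []
    for statement in policy['Statement']:
        if statement['Effect'] != 'Allow':
            continue
        sid = statement.get('Sid', 'unnamed statement')
        actions = _as_list(statement.get('Action', []))
        resources = _as_list(statement.get('Resource', []))
        if any(a in ('*', 'secretsmanager:*') for a in actions):
            findings.append(sid + ': wildcard action grants every Secrets Manager operation')
        if any(r == '*' for r in resources):
            findings.append(sid + ': Resource * grants access to every secret in the account')
        writes = ('secretsmanager:put', 'secretsmanager:update', 'secretsmanager:delete')
        if any(a.lower().startswith(writes) for a in actions):
            findings.append(sid + ': write permissions on secrets in an application role')
    return findings
```

<p>The evaluator is deliberately simplified, but it is enough to check a proposed policy against the concrete ARNs it will meet before the role is attached to anything, and the linter catches the findings that matter most for a secret-reading role: a wildcard on the action, a wildcard on the resource, and write permissions in a role that should only read.<\/p>\n\n\n\n<p>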
The role carries IAM policies, and the policies list the individual permissions (actions on resources).<\/p>\n\n\n\n<p>The following example shows an&nbsp;<em>IAM policy<\/em>&nbsp;that allows reading exactly two items stored in&nbsp;<em>Secrets Manager<\/em>&nbsp;-&nbsp;<em>MySecret1<\/em>&nbsp;and&nbsp;<em>MySecret2<\/em>&nbsp;(the JSON is shown as a screenshot):<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1826\" height=\"1022\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadsad.png\" alt=\"IAM policy example | ORBIT Cloud Encyclopedia\" class=\"wp-image-9876\" style=\"width:717px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadsad.png 1826w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadsad-300x168.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadsad-1024x573.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadsad-768x430.png 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/asdsadsad-1536x860.png 1536w\" sizes=\"auto, (max-width: 1826px) 100vw, 1826px\" \/><\/figure>\n<\/div>\n\n\n<p>Then all that is left is to assign the IAM role to the specific resource.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1278\" height=\"486\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sadsad.png\" alt=\"Assigning an IAM role to a resource | ORBIT Cloud Encyclopedia\" class=\"wp-image-9878\" style=\"width:633px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sadsad.png 1278w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sadsad-300x114.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sadsad-1024x389.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/sadsad-768x292.png 768w\" sizes=\"auto, (max-width: 1278px) 100vw, 1278px\" \/><\/figure>\n<\/div>\n\n\n<p>So in an AWS environment, it is&nbsp;<strong>the IAM role assigned to the application that defines its identity<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Application Identity &amp; Microsoft Azure<\/h3>\n\n\n\n<p>Here the situation is similar. The only difference is that identity management is provided by&nbsp;<em>Azure Active Directory<\/em>&nbsp;(now Microsoft Entra ID). Each component (virtual machine, App Service, Azure Function) can have its own&nbsp;<em>managed identity<\/em>, either&nbsp;<em>system-assigned<\/em>&nbsp;(created and deleted together with the resource) or&nbsp;<em>user-assigned<\/em>&nbsp;(a standalone resource that several components can share).<\/p>\n\n\n\n<p>So first we create a&nbsp;<em>managed identity<\/em>&nbsp;for our application:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1620\" height=\"520\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdasd.png\" alt=\"Creating a managed identity | Where to go with encryption keys and how to work with application secrets in the cloud | ORBIT Cloud Encyclopedia\" class=\"wp-image-9880\" style=\"width:631px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdasd.png 1620w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdasd-300x96.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdasd-1024x329.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdasd-768x247.png 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdasd-1536x493.png 1536w\" sizes=\"auto, (max-width: 1620px) 100vw, 1620px\" \/><\/figure>\n<\/div>\n\n\n<p>Once the&nbsp;<em>managed identity<\/em>&nbsp;is created, we can assign it to our application (or to the resource within which the application runs) - in this case, for example, a virtual machine:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1820\" height=\"714\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdas.png\" alt=\"Identity Assignment | Where to go with encryption keys and how to work with application secrets 
in the cloud | ORBIT Cloud Encyclopedia\" class=\"wp-image-9882\" style=\"width:627px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdas.png 1820w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdas-300x118.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdas-1024x402.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdas-768x301.png 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dasdas-1536x603.png 1536w\" sizes=\"auto, (max-width: 1820px) 100vw, 1820px\" \/><\/figure>\n<\/div>\n\n\n<p>Then all that's left to do is to grant the identity the standard rights (<em>access control<\/em>) on the required&nbsp;<em>Key Vault<\/em>. Key Vault has two permission models, the older vault access policies and Azure RBAC; with RBAC, the built-in&nbsp;<em>Key Vault Secrets User<\/em>&nbsp;role is all that an application which only reads secrets needs:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1848\" height=\"532\" src=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd.png\" alt=\"Access control settings | Where to go with encryption keys and how to work with application secrets in the cloud | ORBIT Cloud Encyclopedia\" class=\"wp-image-9884\" style=\"width:621px;height:auto\" srcset=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd.png 1848w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd-300x86.png 300w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd-1024x295.png 1024w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd-768x221.png 768w, http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/12\/dsadasd-1536x442.png 1536w\" sizes=\"auto, (max-width: 1848px) 100vw, 1848px\" \/><\/figure>\n<\/div>\n\n\n<p>And that's it. The application has a&nbsp;<em>managed identity<\/em>, that identity is assigned to the resource the application runs on, and the&nbsp;<em>access control<\/em>&nbsp;on the vault allows this identity exactly the actions it needs. 
So in Azure, the&nbsp;<strong>application identity is defined by its&nbsp;<em>managed identity<\/em><\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What to take away from this?<\/strong><\/h2>\n\n\n\n<p>Today we described the basic principles of working with encryption keys in the individual cloud environments and showed how to move passwords out of our applications and store them securely in the external services each platform offers.<\/p>\n\n\n\n<p>Please remember that data encryption is one of the fundamental security pillars of working with data in the cloud. At the same time, I dare say that application secrets (whether passwords or other sensitive data) definitely do not belong in application code or configuration files and should be stored outside the application itself, where access to them is tied to the application's identity and is audited.<\/p>\n\n\n\n<p>And once again, I remind you: <strong>in AWS, unlike Azure, you cannot assume that a resource is encrypted at rest; check it and enable encryption explicitly!<\/strong><\/p>\n\n\n\n<p>If you <strong>need any help<\/strong> in this area, we will be happy to work with you as part of our&nbsp;<a href=\"http:\/\/4.184.192.234\/en\/cloud-journey-sluzby\/#migrace\">Migrate applications to the cloud<\/a>&nbsp;service, where we go over all aspects of proper data encryption in the cloud.<\/p>\n\n\n\n<p>And if you already have this area sorted out, I'd be happy to hear any comments on the topic. Do you use services like&nbsp;<em>Azure Key Vault<\/em>&nbsp;or&nbsp;<em>Secrets Manager<\/em>, or have you decided to go down the road of other solutions, such as&nbsp;<em>HashiCorp Vault<\/em>? 
Do you import your own keys from your HSM or do you make do with keys generated by the cloud environment itself?<\/p>\n\n\n\n<p>If you enjoy our articles and find them interesting, be sure to check out the previous parts&nbsp;<a href=\"http:\/\/4.184.192.234\/en\/encyklopedie-cloudu\/\">Cloud Encyclopedia - A quick guide to the cloud<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Which tools can we use at work when it comes to encryption keys and application secrets in the cloud? Let's see what principles to honor.<\/p>","protected":false},"author":10,"featured_media":9530,"template":"","meta":{"_acf_changed":true,"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":""},"categories":[126,128],"class_list":["post-9842","encyklopedie-cloudu","type-encyklopedie-cloudu","status-publish","has-post-thumbnail","hentry","category-cloud-computing","category-cloud-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>\u0160ifrovac\u00ed kl\u00ed\u010de: kam s nimi a jak pracovat s aplika\u010dn\u00edmi tajnostmi? | ORBIT<\/title>\n<meta name=\"description\" content=\"Kter\u00e9 n\u00e1stroje m\u016f\u017eeme pou\u017e\u00edt p\u0159i pr\u00e1ci, kdy\u017e dojde na \u0161ifrovac\u00ed kl\u00ed\u010de a aplika\u010dn\u00ed tajnosti v cloudu? 
Uka\u017eme si, jak\u00e9 principy ct\u00edt.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/4.184.192.234\/en\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s nimi a jak pracovat s aplika\u010dn\u00edmi tajnostmi v cloudu? | Encyklopedie cloudu ORBIT\" \/>\n<meta property=\"og:description\" content=\"Kter\u00e9 n\u00e1stroje m\u016f\u017eeme pou\u017e\u00edt p\u0159i pr\u00e1ci, kdy\u017e dojde na \u0161ifrovac\u00ed kl\u00ed\u010de a aplika\u010dn\u00ed tajnosti v cloudu? Uka\u017eme si, jak\u00e9 principy ct\u00edt.\" \/>\n<meta property=\"og:url\" content=\"http:\/\/4.184.192.234\/en\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/\" \/>\n<meta property=\"og:site_name\" content=\"ORBIT | create IT your own way\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-03T08:01:24+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2022\/01\/EC15-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1072\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s nimi a jak pracovat s aplika\u010dn\u00edmi tajnostmi v cloudu? | Encyklopedie cloudu ORBIT\" \/>\n<meta name=\"twitter:description\" content=\"Kter\u00e9 n\u00e1stroje m\u016f\u017eeme pou\u017e\u00edt p\u0159i pr\u00e1ci, kdy\u017e dojde na \u0161ifrovac\u00ed kl\u00ed\u010de a aplika\u010dn\u00ed tajnosti v cloudu? 
Uka\u017eme si, jak\u00e9 principy ct\u00edt.\" \/>\n<meta name=\"twitter:image\" content=\"http:\/\/4.184.192.234\/wp-content\/uploads\/2022\/01\/EC15-scaled.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\\\/\\\/4.184.192.234\\\/encyklopedie-cloudu\\\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\\\/\",\"url\":\"http:\\\/\\\/4.184.192.234\\\/encyklopedie-cloudu\\\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\\\/\",\"name\":\"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s nimi a jak pracovat s aplika\u010dn\u00edmi tajnostmi? | ORBIT\",\"isPartOf\":{\"@id\":\"http:\\\/\\\/4.184.192.234\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\\\/\\\/4.184.192.234\\\/encyklopedie-cloudu\\\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\\\/#primaryimage\"},\"image\":{\"@id\":\"http:\\\/\\\/4.184.192.234\\\/encyklopedie-cloudu\\\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/4.184.192.234\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu.png\",\"datePublished\":\"2021-11-02T11:00:32+00:00\",\"dateModified\":\"2025-09-03T08:01:24+00:00\",\"description\":\"Kter\u00e9 n\u00e1stroje m\u016f\u017eeme pou\u017e\u00edt p\u0159i pr\u00e1ci, kdy\u017e dojde na \u0161ifrovac\u00ed kl\u00ed\u010de a aplika\u010dn\u00ed tajnosti v cloudu? 
Uka\u017eme si, jak\u00e9 principy ct\u00edt.\",\"breadcrumb\":{\"@id\":\"http:\\\/\\\/4.184.192.234\\\/encyklopedie-cloudu\\\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\\\/\\\/4.184.192.234\\\/encyklopedie-cloudu\\\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"http:\\\/\\\/4.184.192.234\\\/encyklopedie-cloudu\\\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\\\/#primaryimage\",\"url\":\"http:\\\/\\\/4.184.192.234\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu.png\",\"contentUrl\":\"http:\\\/\\\/4.184.192.234\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu.png\",\"width\":1120,\"height\":520,\"caption\":\"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s nimi a jak pracovat s aplika\u010dn\u00edmi tajnostmi v cloudu? 
| Encyklopedie cloudu ORBIT\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\\\/\\\/4.184.192.234\\\/encyklopedie-cloudu\\\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\\\/\\\/4.184.192.234\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s&nbsp;nimi a&nbsp;jak pracovat s&nbsp;aplika\u010dn\u00edmi tajnostmi v&nbsp;cloudu?\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\\\/\\\/4.184.192.234\\\/#website\",\"url\":\"http:\\\/\\\/4.184.192.234\\\/\",\"name\":\"ORBIT | create IT your own way\",\"description\":\"ORBIT | create IT your own way\",\"publisher\":{\"@id\":\"http:\\\/\\\/4.184.192.234\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\\\/\\\/4.184.192.234\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"http:\\\/\\\/4.184.192.234\\\/#organization\",\"name\":\"ORBIT s.r.o.\",\"url\":\"http:\\\/\\\/4.184.192.234\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"http:\\\/\\\/4.184.192.234\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"http:\\\/\\\/4.184.192.234\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/logoslogan-01.png\",\"contentUrl\":\"http:\\\/\\\/4.184.192.234\\\/wp-content\\\/uploads\\\/2020\\\/11\\\/logoslogan-01.png\",\"width\":1417,\"height\":829,\"caption\":\"ORBIT s.r.o.\"},\"image\":{\"@id\":\"http:\\\/\\\/4.184.192.234\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.linkedin.com\\\/company\\\/orbit\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Encryption keys: where to go with them and how to work with application secrets | ORBIT","description":"Which tools can we use at work when it comes to encryption keys and application secrets in the cloud? Let's see what principles to honor.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/4.184.192.234\/en\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/","og_locale":"en_GB","og_type":"article","og_title":"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s nimi a jak pracovat s aplika\u010dn\u00edmi tajnostmi v cloudu? | Encyklopedie cloudu ORBIT","og_description":"Kter\u00e9 n\u00e1stroje m\u016f\u017eeme pou\u017e\u00edt p\u0159i pr\u00e1ci, kdy\u017e dojde na \u0161ifrovac\u00ed kl\u00ed\u010de a aplika\u010dn\u00ed tajnosti v cloudu? Uka\u017eme si, jak\u00e9 principy ct\u00edt.","og_url":"http:\/\/4.184.192.234\/en\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/","og_site_name":"ORBIT | create IT your own way","article_modified_time":"2025-09-03T08:01:24+00:00","og_image":[{"width":2048,"height":1072,"url":"http:\/\/4.184.192.234\/wp-content\/uploads\/2022\/01\/EC15-scaled.jpg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_title":"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s nimi a jak pracovat s aplika\u010dn\u00edmi tajnostmi v cloudu? | Encyklopedie cloudu ORBIT","twitter_description":"Kter\u00e9 n\u00e1stroje m\u016f\u017eeme pou\u017e\u00edt p\u0159i pr\u00e1ci, kdy\u017e dojde na \u0161ifrovac\u00ed kl\u00ed\u010de a aplika\u010dn\u00ed tajnosti v cloudu? 
Uka\u017eme si, jak\u00e9 principy ct\u00edt.","twitter_image":"http:\/\/4.184.192.234\/wp-content\/uploads\/2022\/01\/EC15-scaled.jpg","twitter_misc":{"Estimated reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/4.184.192.234\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/","url":"http:\/\/4.184.192.234\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/","name":"Encryption keys: where to go with them and how to work with application secrets | ORBIT","isPartOf":{"@id":"http:\/\/4.184.192.234\/#website"},"primaryImageOfPage":{"@id":"http:\/\/4.184.192.234\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/#primaryimage"},"image":{"@id":"http:\/\/4.184.192.234\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/#primaryimage"},"thumbnailUrl":"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu.png","datePublished":"2021-11-02T11:00:32+00:00","dateModified":"2025-09-03T08:01:24+00:00","description":"Which tools can we use at work when it comes to encryption keys and application secrets in the cloud? 
Let's see what principles to honor.","breadcrumb":{"@id":"http:\/\/4.184.192.234\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["http:\/\/4.184.192.234\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"http:\/\/4.184.192.234\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/#primaryimage","url":"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu.png","contentUrl":"http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu.png","width":1120,"height":520,"caption":"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s nimi a jak pracovat s aplika\u010dn\u00edmi tajnostmi v cloudu? | Encyklopedie cloudu ORBIT"},{"@type":"BreadcrumbList","@id":"http:\/\/4.184.192.234\/encyklopedie-cloudu\/sifrovaci-klice-kam-s-nimi-a-jak-pracovat-s-aplikacnimi-tajnostmi-v-cloudu\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/4.184.192.234\/"},{"@type":"ListItem","position":2,"name":"\u0160ifrovac\u00ed kl\u00ed\u010de: kam s&nbsp;nimi a&nbsp;jak pracovat s&nbsp;aplika\u010dn\u00edmi tajnostmi v&nbsp;cloudu?"}]},{"@type":"WebSite","@id":"http:\/\/4.184.192.234\/#website","url":"http:\/\/4.184.192.234\/","name":"ORBIT | create IT your own way","description":"ORBIT | create IT your own 
way","publisher":{"@id":"http:\/\/4.184.192.234\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/4.184.192.234\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"http:\/\/4.184.192.234\/#organization","name":"ORBIT s.r.o.","url":"http:\/\/4.184.192.234\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"http:\/\/4.184.192.234\/#\/schema\/logo\/image\/","url":"http:\/\/4.184.192.234\/wp-content\/uploads\/2020\/11\/logoslogan-01.png","contentUrl":"http:\/\/4.184.192.234\/wp-content\/uploads\/2020\/11\/logoslogan-01.png","width":1417,"height":829,"caption":"ORBIT s.r.o."},"image":{"@id":"http:\/\/4.184.192.234\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/orbit\/"]}]}},"taxonomy_info":{"category":[{"value":126,"label":"Cloud computing"},{"value":128,"label":"Cloud security"}]},"featured_image_src_large":["http:\/\/4.184.192.234\/wp-content\/uploads\/2021\/11\/sifrovaci-klice-a-aplikacni-tajnosti-v-cloudu-1024x475.png",1024,475,true],"author_info":{"display_name":"Martin 
Gavanda","author_link":"http:\/\/4.184.192.234\/en\/author\/e2d35802bbda7175\/"},"comment_info":"","_links":{"self":[{"href":"http:\/\/4.184.192.234\/en\/wp-json\/wp\/v2\/encyklopedie-cloudu\/9842","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/4.184.192.234\/en\/wp-json\/wp\/v2\/encyklopedie-cloudu"}],"about":[{"href":"http:\/\/4.184.192.234\/en\/wp-json\/wp\/v2\/types\/encyklopedie-cloudu"}],"author":[{"embeddable":true,"href":"http:\/\/4.184.192.234\/en\/wp-json\/wp\/v2\/users\/10"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/4.184.192.234\/en\/wp-json\/wp\/v2\/media\/9530"}],"wp:attachment":[{"href":"http:\/\/4.184.192.234\/en\/wp-json\/wp\/v2\/media?parent=9842"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/4.184.192.234\/en\/wp-json\/wp\/v2\/categories?post=9842"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}