```{contents}
```
## Secrets Management

**Secrets management** is the practice of **securely storing, accessing, rotating, and auditing sensitive information**, such as:

* API keys
* Database credentials
* Tokens
* Encryption keys

The goal is to **never hard-code secrets** and never expose them in logs, code, or client-side systems.

---

### Where It Fits in the Architecture

```
Application Code
     ↓
Secrets Manager ── provides secrets securely
     ↓
External Services / Databases / APIs
```

---

### Why Secrets Management Matters

| Risk               | Impact           |
| ------------------ | ---------------- |
| Hard-coded secrets | Security breach  |
| Leaked credentials | Data compromise  |
| Manual rotation    | Human error      |
| No auditing        | Undetected abuse |

---

### Environment Variable-Based Secrets

#### Demonstration

**Set secret**

```bash
export OPENAI_API_KEY="sk-xxxx"
```

**Use in code**

```python
import os

# Read the key from the process environment and fail fast if it is absent,
# rather than handing None to the API client
api_key = os.getenv("OPENAI_API_KEY")
if api_key is None:
    raise RuntimeError("OPENAI_API_KEY is not set")
```

---

### Encrypted Secrets File

#### Demonstration

```python
import os
from cryptography.fernet import Fernet

# The Fernet key is the root secret: load it from the environment (or a
# manager), never from the repository; the fallback only serves this demo
key = os.environ.get("SECRETS_FILE_KEY") or Fernet.generate_key()
cipher = Fernet(key)

# Persist only the ciphertext; reading it back requires the same key
encrypted = cipher.encrypt(b"db_password")
with open("secrets.enc", "wb") as f:
    f.write(encrypted)
with open("secrets.enc", "rb") as f:
    db_password = cipher.decrypt(f.read())
```

---

### Secrets Rotation

#### Demonstration

```python
secrets_store = {"API_KEY": "old-value"}  # in-memory stand-in for a real store


def rotate_secret(new_value):
    # Overwrite in place so every later lookup sees the new value; callers
    # must re-read the store rather than cache the old key
    secrets_store["API_KEY"] = new_value
```

---

### Production Secrets Manager (Concept)

```python
def get_secret(name):
    # `vault` stands for a configured client of the production secrets
    # manager; the application never holds the value outside this call
    return vault.read(name)
```

---

### Protection Against Leaks

```python
def safe_log(message):
    # Mask every stored secret before the line reaches stdout; skip empty
    # values, since str.replace("") would insert "***" between every character
    for secret in secrets_store.values():
        if secret:
            message = message.replace(secret, "***")
    print(message)
```
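The rotation and leak-protection demonstrations above can be combined into one store. The example below is added here and is not part of the original page: `SecretsStore` keeps the previous value valid for a grace window after `rotate()` so in-flight callers do not break, compares candidates in constant time, and `redact()` masks both the current and the still-live old value. The class, its methods and `redact` are constructed for this illustration.

```python
import hmac
import time


class SecretsStore:
    """In-memory stand-in for a secrets manager with rotation support.

    After rotate(), the old value stays accepted for grace_seconds so that
    in-flight callers still succeed, then it expires (constructed example).
    """

    def __init__(self, grace_seconds=300):
        self._current = {}   # name -> current value
        self._previous = {}  # name -> (old value, expiry timestamp)
        self.grace_seconds = grace_seconds

    def set(self, name, value):
        self._current[name] = value

    def rotate(self, name, new_value, now=None):
        now = time.time() if now is None else now
        old = self._current.get(name)
        if old is not None:
            self._previous[name] = (old, now + self.grace_seconds)
        self._current[name] = new_value

    def is_valid(self, name, candidate, now=None):
        """Constant-time check against the current value or an unexpired old one."""
        now = time.time() if now is None else now
        current = self._current.get(name, "")
        if current and hmac.compare_digest(candidate.encode(), current.encode()):
            return True
        old = self._previous.get(name)
        return bool(old) and now < old[1] and hmac.compare_digest(
            candidate.encode(), old[0].encode())

    def live_values(self):
        """Every value that must still be masked: current plus unexpired old ones."""
        return [v for v in self._current.values() if v] + [
            v for v, _ in self._previous.values() if v]


def redact(store, message):
    """Mask every live secret; longest first so a prefix never leaks a suffix."""
    for secret in sorted(store.live_values(), key=len, reverse=True):
        message = message.replace(secret, "***")
    return message
```

Note that a second rotation inside the grace window discards the oldest value; extend `_previous` to a list if several overlapping generations must be honoured.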

---

### Mental Model

```
Secrets Management = Lockbox for your system
```

---

### Key Takeaways

* Never commit secrets into source code
* Always use secure storage and environment isolation
* Rotate secrets regularly
* Essential for production security
