scaleway · enzzc · Aug 28, 2024 · Aug 29, 2024 · Oct 3, 2024 · Oct 3, 2024
diff --git a/...anager/reference-content/differences-between-secret-manager-and-key-manager.mdx b/...anager/reference-content/differences-between-secret-manager-and-key-manager.mdx
@@ -0,0 +1,84 @@
+---
+meta:
+  title: What is the difference between Key Manager and Secret Manager?
+  description: Learn the differences between Key Manager and Secret Manager and which one to use according to your needs
+content:
+  h1: What is the difference between Key Manager and Secret Manager?
+  paragraph: Learn the differences between Key Manager and Secret Manager and which one to use according to your needs
+tags: key-manager secret-manager security
+dates:
+  validation: 2024-08-28
+---
+
+
+
+Secret Manager and Key Manager are both security-focused products aiming
+to help you protect your data and improve the security of your
+infrastructure.
+The difference between them is not always clear, and you may be
+unsure which one is most appropriate for your use-case.
+
+This document helps you answer that question.
+
+
+## Secret Manager
+
+Secret Manager stores various secrets that your applications needs to
+access at some point. For example, when your application needs to call
+an external API service or connect to a database, it fetches the API token
+or the credentials from the Secret Manager before proceeding.
+
+Secrets can be largely anything you want: API tokens,
+credentials to connect to a database or simply sensitive data.
+There are no limits, other than to the size of the secrets.
+
+
+## Key Manager
+
+In contrast, Key Manager only stores cryptographic keys.
+
+At first, the Key Manager may seem to be just a limited version of
+the Secret Manager, for keys only.
+It is indeed true that the Secret Manager could also store cryptographic keys
+and hand them over to applications that need to perform cryptographic operations.
+
+However, this approach is full of pitfalls and can lead to serious security problems:
+
+ - Inadvertently storing the keys in plaintext, or exposing them (e.g. in logs)
+ - Incorrect (re-)use of key: your application would be responsible for using the key correctly,
+   which is harder than it first seems.
+ - Not disposing of the key properly after use (e.g. letting it reside in swap disk)
+
+These are typical key management problems, which are not effectively solved by Secret Manager
+, hence the need for Key Manager.
+
+Key Manager does **not** simply give you any requested key.
+All keys residing in Key Manager never (and never will) leave Key Manager, since
+there is no way to extract them by design.
+
+Since you cannot have the key, Key Manager performs the cryptographic operations
+for you: your application supplies the plaintext to be encrypted, or
+the ciphertext to be decrypted. That means your application is no longer
+responsible for managing the keys and using them properly: Key Manager takes care of this.
+
+Last, but not least, Key Manager provides another way of authorizing certain actions.
+You might want to authorize some principals only to encrypt data, and others
+only to decrypt data.
+
+For example, imagine an application that receives
+sensitive health data that needs to be encrypted before being inserted into
+a database. Such an application would be able to ask the Key Manager
+to carry out encryption operations, but not decryption operations, so it cannot read the sensitive
+data already stored.
+
+This is not possible to achieve with Secret Manager, since both writing and reading
+applications would need at least the privilege of reading the key from the Secret Manager,
+which is sufficient to both encrypt and decrypt the data.
+
+
+## Conclusion
+
+Cryptographic keys are secrets that need special care, and Key Manager
+is an effective tool to help you manage them securely,
+allowing your application to offload all sensitive cryptographic
+operations and keep keys out-of-band for extra security.