You are browsing documentation for an outdated version. See the latest documentation here.

Securing sensitive data

With decK, you can manage sensitive values such as credentials or certificates using one of the following options:

Option	Description	Why use this method?
decK environment variables	Store values as environment variables and access them directly through decK.	• You can use this option for environment-specific values. • This method can store any configuration values used by Kong Gateway entities. • Available for all Kong Gateway packages: open-source, Enterprise Free mode, and Enterprise licensed mode.
Secrets in Kong Gateway	Store values as secrets in a vault, then reference the secrets with a vault reference. In this case, the Kong Gateway data plane manages the secrets with a vaults entity. The environment variable vault can be used in Free mode without a license, while all other vault backends require a license.	• Is a secure way to manage sensitive information in one of the following vaults: AWS, GCP, HashiCorp Vault, or environment variables. • You can use secrets to store many sensitive values, including parameters in Kong’s configuration (kong.conf). See Secrets Management in Kong Gateway for a full list. • Secrets management is only available for Kong Gateway Enterprise packages. It is not available for open-source Kong Gateway.