Securing sensitive data
With decK, you can manage sensitive values such as credentials or certificates using one of the following options:
Option | Description | Why use this method? |
---|---|---|
decK environment variables | Store values as environment variables and access them directly through decK. | • You can use this option for environment-specific values. • This method can store any configuration values used by Kong Gateway entities. • Available for all Kong Gateway packages: open-source, Enterprise Free mode, and Enterprise licensed mode. |
Secrets in Kong Gateway | Store values as secrets in a vault, then reference the secrets with a vault reference. In this case, the Kong Gateway data plane manages the secrets with a vaults entity. The environment variable vault can be used in Free mode without a license, while all other vault backends require a license. | • Provides a secure way to manage sensitive information in one of the following vaults: AWS, GCP, HashiCorp Vault, or environment variables. • You can use secrets to store many sensitive values, including parameters in Kong’s configuration (kong.conf). See Secrets Management in Kong Gateway for a full list. • Secrets management is only available for Kong Gateway Enterprise packages. It is not available for open-source Kong Gateway. |
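A check for a decK state file that uses the two options above, as an added example that is not part of the Kong documentation: it flags sensitive fields holding a literal value instead of a decK environment variable (`${{ env "DECK_..." }}`) or a vault reference (`{vault://...}`). The sample state file, its entity names and values, and the list of field names treated as sensitive are all constructed assumptions.

```python
import re

# Constructed decK state file for illustration; names and values are made up.
SAMPLE_STATE = '''\
_format_version: "3.0"
consumers:
- username: demo
  keyauth_credentials:
  - key: ${{ env "DECK_DEMO_API_KEY" }}
- username: legacy
  keyauth_credentials:
  - key: hunter2-plaintext-key
certificates:
- cert: "{vault://my-env-vault/cert}"
  key: "{vault://my-env-vault/key}"
plugins:
- name: rate-limiting-advanced
  config:
    redis:
      password: redis-plaintext-password
'''

# Field names treated as sensitive (an assumption; extend for your entities).
SENSITIVE = re.compile(
    r'^[\s-]*(key|cert|password|secret|client_secret|token)\s*:\s*(.+?)\s*$')
# decK substitutes environment variables that carry the DECK_ prefix.
DECK_ENV = re.compile(r'^\$\{\{\s*env\s+"DECK_[A-Za-z0-9_]+"\s*\}\}$')
# Kong Gateway resolves vault references at the data plane.
VAULT_REF = re.compile(r'^\{vault://[^{}\s]+\}$')

def find_plaintext_secrets(state_text):
    """Return (line_number, field) for sensitive fields holding a literal."""
    findings = []
    for lineno, line in enumerate(state_text.splitlines(), start=1):
        m = SENSITIVE.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip('"\'')
        if DECK_ENV.match(value) or VAULT_REF.match(value):
            continue  # value is injected at sync time or resolved by a vault
        findings.append((lineno, field))
    return findings

if __name__ == "__main__":
    for lineno, field in find_plaintext_secrets(SAMPLE_STATE):
        print(f"line {lineno}: '{field}' holds a literal value")
```

The scan is line-based so it needs no YAML library; it works on block-style state files like the sample and does not parse flow-style mappings.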