I have been using KVM store for easy access to some credentials used. I wanted to check if using KVM suffice to the requirement of keeping the values secure.
Is KVM maps encrypted by default if no parameter is passed in the management api call during creation ?
How can we compare Secret Manager and KVM Store in terms of security in an Apigee proxy’s perspective ?
Is it possible by any method other than a KVM policy to read the values in KVM ?
Happy New Year.
Choice depends on specific security requirements and the sensitivity of the data you need to store, access control, auditing, rotation policies. Speak to your security office for better guidance & may be follow your standard api security guidance.
As per documentation it states these are encrypted..
https://cloud.google.com/apigee/docs/api-platform/cache/key-value-maps#aboutencrypted
There will be slight differences as apigee KVM uses cloud KMS so there may be slight difference of encryption algorithm specific to apigee when compared with secrets manager, Access Controls, Auditing, rotation. But it dependens
via api’s..
https://cloud.google.com/apigee/docs/api-platform/cache/key-value-maps#api
Happy new year.
Do we have any insight into how susceptible Apigee KVM is to an attack compared to Secret Manager. I would like to know why someone should select Secret Manager over KVM store to store secrets used in Apigee. I know that Secret Manager allows key rotation and access control by permissions or roles. But, will there be any reason to use Secret manager if a static value is being stored and no other system needs to read the value.
The APIs does not allow to read KVM value but to delete, or create. Please correct me if I am wrong.