
Secrets Management

Manage Secrets with Bindplane

Managing sensitive information securely is critical when deploying monitoring solutions. Bindplane provides several approaches to help you protect credentials and other secrets used in your OpenTelemetry configurations. This guide outlines the available options and best practices for securing your sensitive data.

important

Bindplane SaaS automatically encrypts all Library Resources, Configurations, Snapshot Recordings, and Agent State information using Envelope Encryption, regardless of whether they contain sensitive data.

For self-hosted Bindplane deployments, encryption is not enabled by default. To encrypt sensitive data, configure your instance to integrate with Google KMS; directions for this can be found here. This option requires Postgres as the backing store. Encryption is not supported with Boltstore, which is being deprecated.

Available Methods

Bindplane offers multiple approaches to secure your secrets, with more options being developed:

| Method | Status | Description | Bindplane Access |
| --- | --- | --- | --- |
| Environment Variables | Available | Reference environment variables in Configurations | No access |
| Envelope Encryption | Available | Use a managed KEK (Key Encryption Key) and an encrypted DEK (Data Encryption Key) to protect secrets | Limited access * |

note

  • * When using Envelope Encryption, the Bindplane platform must decrypt the secret before it transmits the configuration to the selected agents, so the platform briefly holds the plaintext. To keep the value encrypted in transit and in the rendered pipeline YAML, the AES provider can symmetrically encrypt the secret before transmission; the agent then decrypts it with the AES key.

note

When using Environment Variables, the Bindplane platform never sees the secret values: the configuration contains only the variable reference, and only the agent resolves it on the host where it runs.

Choosing the Right Approach

The right secrets management approach depends on your security requirements, operational constraints, and existing infrastructure:

Environment Variables

Best for: organizations with established environment management practices, simpler deployments, and Kubernetes-based deployments where secrets are already injected into the collector pod (for example from a KMS integrated with the cluster).

Benefits

  • Secrets never leave the customer's environment; Bindplane stores only the variable reference
  • Secrets do not appear in the collector pipeline YAML
  • Works out of the box in both SaaS and self-hosted deployments

Drawbacks

  • More complex to manage at scale: every agent host must have each referenced variable set before the configuration is applied
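A preflight check for the environment-variable approach, added here as an example; it is not Bindplane's or the OpenTelemetry Collector's own code. The configuration text, variable names and exporter endpoints are constructed for the example. The `${env:NAME}` reference form is the one the Collector expands at load time. `EnvRefs` lists what a rendered configuration references, `MissingEnvRefs` reports the references that are unset on the agent host (the check to run before applying a configuration, since the drawback above is exactly this), and `Expand` shows that the secret values exist only in the expanded in-memory copy:

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
)

// sampleConfig is a constructed pipeline fragment of the kind Bindplane
// renders for an agent: the credentials are referenced, never stored.
const sampleConfig = `exporters:
  splunk_hec:
    token: ${env:SPLUNK_HEC_TOKEN}
    endpoint: https://splunk.example.internal:8088
  otlphttp:
    endpoint: https://otlp.example.internal:4318
    headers:
      Authorization: "Bearer ${env:OTLP_BEARER_TOKEN}"
`

// envRef matches the Collector's ${env:NAME} reference form. The legacy bare
// ${NAME} form is intentionally not matched, so references must be explicit.
var envRef = regexp.MustCompile(`\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}`)

// EnvRefs returns the sorted, de-duplicated variable names a configuration references.
func EnvRefs(config string) []string {
	seen := map[string]bool{}
	for _, m := range envRef.FindAllStringSubmatch(config, -1) {
		seen[m[1]] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// MissingEnvRefs returns the referenced variables that lookup cannot resolve.
// lookup has the signature of os.LookupEnv, so the check runs against the real
// host environment in production and against a constructed one in tests.
func MissingEnvRefs(config string, lookup func(string) (string, bool)) []string {
	var missing []string
	for _, name := range EnvRefs(config) {
		if _, ok := lookup(name); !ok {
			missing = append(missing, name)
		}
	}
	return missing
}

// Expand substitutes every reference, which is what the agent does in memory
// at load time. The expanded text is the only place the secret values appear.
func Expand(config string, lookup func(string) (string, bool)) string {
	return envRef.ReplaceAllStringFunc(config, func(ref string) string {
		value, _ := lookup(envRef.FindStringSubmatch(ref)[1])
		return value
	})
}

func main() {
	fmt.Println("referenced variables:", EnvRefs(sampleConfig))
	if missing := MissingEnvRefs(sampleConfig, os.LookupEnv); len(missing) > 0 {
		// Refuse to apply rather than let an unset variable expand to an empty value.
		fmt.Println("unset on this host:", missing)
		os.Exit(1)
	}
	expanded := Expand(sampleConfig, os.LookupEnv)
	fmt.Printf("expanded %d bytes in memory; nothing written to disk\n", len(expanded))
}
```

Run it on the agent host with the variables unset and it exits non-zero naming them; with them set, the stored `sampleConfig` still contains no token, only the expanded copy does.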

Envelope Encryption

Best for: Organizations requiring enhanced security while maintaining operational simplicity.

Benefits

  • Works out of the box in Bindplane SaaS
  • Securely stores secrets in all Library Resources, Configurations, and Snapshot Recordings.
  • Supports end-to-end encryption through integration with the AES Provider for enhanced security during configuration transmission

Drawbacks

  • Requires configuration (Google KMS and Postgres) to work in a self-hosted deployment
  • Without the AES provider, the pipeline YAML rendered on the collector still contains the plaintext secret values
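The KEK/DEK scheme the table and this section describe, shown as an added example in Go; this is not Bindplane's implementation, and the local AES-256-GCM wrap of the DEK under the KEK stands in for the wrap/unwrap call a managed KMS such as Google KMS answers in production (an assumption made for the example, as is the use of the resource identifier as additional authenticated data). The secret value and resource name are constructed. `Seal` produces the record that would be persisted and `Open` is the decrypt step the platform performs before sending a configuration, which is why the access column reads "Limited":

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the record the platform would persist: the DEK wrapped under the
// KEK, plus the secret encrypted under the DEK. The KEK and the plaintext DEK
// are never stored with it.
type Envelope struct {
	WrappedDEK []byte // AES-256-GCM output: nonce || ciphertext || tag
	Ciphertext []byte // AES-256-GCM output: nonce || ciphertext || tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts under key with a fresh random nonce and binds aad
// (additional authenticated data) into the authentication tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails on any modification of data or aad.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Seal generates a fresh 256-bit DEK for this one secret, encrypts the secret
// under it, wraps the DEK under the KEK and zeroes the plaintext DEK. The
// resource identifier is the AAD, so a ciphertext copied from one resource to
// another fails authentication instead of decrypting.
func Seal(kek, secret []byte, resource string) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	defer zero(dek)
	ct, err := gcmSeal(dek, secret, []byte(resource))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(resource))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open unwraps the DEK with the KEK (the call a KMS answers in production) and
// then decrypts the secret: the moment the platform holds plaintext.
func Open(kek []byte, env Envelope, resource string) ([]byte, error) {
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(resource))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	defer zero(dek)
	return gcmOpen(dek, env.Ciphertext, []byte(resource))
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	kek := make([]byte, 32) // stand-in for the KMS-held key; never persisted
	rand.Read(kek)
	env, _ := Seal(kek, []byte("hec-token-example"), "configuration/prod-logs")
	secret, err := Open(kek, env, "configuration/prod-logs")
	fmt.Printf("recovered %q (err=%v)\n", secret, err)
}
```

Rotating the KEK then means re-wrapping each stored DEK (one small `Open`/`gcmSeal` per record) without touching the secret ciphertexts, which is the operational reason for the two-key split; a wrong KEK, a modified record or a record moved to another resource all fail authentication rather than yielding wrong plaintext.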

Getting Started

Explore our detailed guides for each method: