Creating an encryption key to store secrets

Many applications interact with one or more external resources. These resources have their own security, and storing the credentials used to access them securely is critical to the safety of the data they can reach.

If that security store is advanced enough to understand Authress client authentication, it’s easy to follow the guide to create client credentials.

However, not every application and cloud provider has hooks to verify the caller’s permissions and identity. In these other cases, it’s possible to use a cloud provider’s secret storage solution. Here’s a simple way to store an unlimited number of secrets without making unnecessary API calls.

Setup

  1. If you are using AWS KMS, create a KMS key and alias. Make sure to give your application access to encrypt and decrypt data with the KMS key.
  2. Add the following encryption manager, and call generateKeys() to generate the cipher your service will use for all data.
  3. At run time use the encryption manager, and read and write the encrypted data to your datastore.

Integration
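
The following is an added example of the three setup steps, not code from the original page or from Authress. Apart from `generateKeys()`, every name is an assumption, including `LocalKmsStandIn`, a constructed in-memory replacement for AWS KMS that lets the example run offline.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-in for AWS KMS so the example runs offline. In a real service, replace it
// with a wrapper around the KMS Encrypt and Decrypt operations for the key alias from step 1.
class LocalKmsStandIn {
  constructor() { this.masterKey = nodeCrypto.randomBytes(32); this.calls = 0; }
  async encrypt(plaintext) { this.calls++; return seal(this.masterKey, plaintext); }
  async decrypt(blob) { this.calls++; return open(this.masterKey, blob); }
}

// AES-256-GCM with a fresh 12-byte IV per message; output layout is iv | tag | ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function open(key, blob) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]); // throws if tampered
}

class EncryptionManager {
  constructor(kms, encryptedDataKey) {
    this.kms = kms;
    this.encryptedDataKey = encryptedDataKey; // base64; useless without access to the KMS key
    this.dataKeyPromise = null;
  }

  // Step 2, run once at setup: create a random data key and return only its KMS-encrypted form.
  static async generateKeys(kms) {
    return (await kms.encrypt(nodeCrypto.randomBytes(32))).toString('base64');
  }

  // One KMS call per process; every later encrypt/decrypt is local, whatever the secret count.
  getDataKey() {
    this.dataKeyPromise ??= this.kms.decrypt(Buffer.from(this.encryptedDataKey, 'base64'));
    return this.dataKeyPromise;
  }

  // Step 3: the returned base64 string is what gets written to the datastore.
  async encrypt(secret) {
    return seal(await this.getDataKey(), Buffer.from(secret, 'utf8')).toString('base64');
  }

  async decrypt(stored) {
    return open(await this.getDataKey(), Buffer.from(stored, 'base64')).toString('utf8');
  }
}
```

Because GCM authenticates the ciphertext, a stored value that has been modified in the datastore fails to decrypt instead of returning altered plaintext.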
