Key Manager¶
The Key Manager tab is the project-level secrets and certificate store. VMs, load balancers, ingresses, and your applications use it to fetch TLS certificates, KMS keys, SSH keys, and arbitrary secrets at runtime instead of baking them into images.
Overview¶
Key Manager sub-tabs: Secrets · Certificates · KMS Keys · SSH keys.
Four sub-tabs:
| Sub-tab | What lives here |
|---|---|
| Secrets | Arbitrary string / blob secrets — DB passwords, API keys, third-party tokens |
| Certificates | TLS certificates (self-signed, BYO, or auto-managed) for LBs and ingresses |
| KMS Keys | AES-256 / RSA / EC keys for envelope encryption — used by Object Storage SSE-C and Block Storage BYOK |
| SSH Keys | Public SSH keys you'll inject into VMs at create time |
Underlying engine: a managed OpenBao deployment per organization, with project-scoped paths.
Administration¶
Quotas¶
Project Settings → Quota → Key Manager:
- Secrets per project (default 1,000)
- Certificates per project (default 100)
- KMS keys per project (default 50)
- SSH keys per project (default 100)
Audit¶
Every secret read, certificate fetch, and key use is logged with caller identity, source IP, and outcome. Push to SIEM or export to your Object Storage bucket.
Auto-rotation¶
For secrets:
- Static — never rotated automatically (your responsibility)
- Database secrets (via OpenBao DB engine) — short-lived credentials (5 min – 24 h) generated on demand
- PKI (certificates) — auto-renewal at 75% of validity period
Operation¶
Secrets¶
Creating¶
Secrets → + New Secret:
- Path — your namespace, e.g. `prod/db/postgres` or `apps/payroll/api-key`
- Type — `static` (KV v2) / `database-creds` / `aws-creds` / etc.
- Value — the secret payload (encrypted in transit and at rest)
- Tags
- TTL — optional expiry
Reading¶
The console lets you reveal a secret value behind a confirmation gate (the reveal is audit-logged). Most workloads never touch the console; they read via the API, using a token that holds `keymanager:secrets:read` for that path:
```bash
curl -H "X-Cd-Token: $CD_API_TOKEN" \
  https://api.bd-dha-1.clouddigit.ai/v1/keymanager/secrets/prod/db/postgres
```
Or via the OpenBao-compatible CLI:
```bash
export VAULT_ADDR=https://keymanager.bd-dha-1.clouddigit.ai
export VAULT_TOKEN=$CD_API_TOKEN
vault kv get prod/db/postgres
```
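Reading a secret on every request is what produces the "apps still see the old value" and rate-limit symptoms listed under Troubleshooting. The usual fix is the OpenBao "renew on near-expiry" pattern: cache the value and re-read it after a fraction of its TTL. The following is an added example, not code from the Cloud Digit docs; the fetch callable is assumed to return `(value, ttl_seconds)` and can wrap either the REST call or the CLI above, and `FakeKeyManager` is a constructed stand-in so the example runs offline.

```python
"""Read a Key Manager secret once and refresh it before its TTL runs out.

Added example, not code from the Cloud Digit docs: the fetch callable is
assumed to return (value, ttl_seconds) and can wrap either the REST call or
the OpenBao-compatible CLI; FakeKeyManager is a constructed stand-in so the
example runs offline.
"""
import time
from typing import Callable, Dict, Optional, Tuple

Fetcher = Callable[[], Tuple[str, float]]


class SecretCache:
    """Serve a secret from memory and re-read it after a fraction of its TTL.

    With refresh_at=0.75 a refresh is attempted once 75% of the TTL has elapsed.
    If that refresh fails, the cached value is still served until the hard
    expiry; after that get() raises instead of handing out a dead credential.
    """

    def __init__(self, fetch: Fetcher, refresh_at: float = 0.75,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if not 0.0 < refresh_at < 1.0:
            raise ValueError("refresh_at must be strictly between 0 and 1")
        self._fetch, self._refresh_at, self._clock = fetch, refresh_at, clock
        self._value: Optional[str] = None
        self._fetched_at = 0.0
        self._ttl = 0.0
        self.fetch_count = 0  # number of real Key Manager reads

    def _load(self) -> None:
        value, ttl = self._fetch()
        if ttl <= 0:
            raise ValueError("secret TTL must be positive")
        self.fetch_count += 1
        self._value, self._ttl, self._fetched_at = value, float(ttl), self._clock()

    def get(self) -> str:
        if self._value is None:
            self._load()                 # first read has to succeed
            return self._value
        age = self._clock() - self._fetched_at
        if age >= self._ttl * self._refresh_at:
            try:
                self._load()             # early refresh; a failure is tolerated...
            except Exception:
                if age >= self._ttl:     # ...until the old value has actually expired
                    self._value = None
                    raise
        return self._value


class FakeKeyManager:
    """Constructed stand-in for the secrets API: a new password version per read."""

    def __init__(self, ttl: float = 300.0) -> None:
        self.version, self.ttl, self.unreachable = 0, ttl, False

    def read(self) -> Tuple[str, float]:
        if self.unreachable:
            raise ConnectionError("key manager unreachable")
        self.version += 1
        return f"pg-password-v{self.version}", self.ttl


def demo() -> Dict[str, object]:
    now = [0.0]  # controllable clock, in seconds
    km = FakeKeyManager(ttl=300.0)
    cache = SecretCache(km.read, refresh_at=0.75, clock=lambda: now[0])
    first = cache.get()           # t=0: one real read
    now[0] = 200.0
    same = cache.get()            # under 225 s: served from memory
    now[0] = 230.0
    km.unreachable = True
    stale = cache.get()           # refresh fails, value still within TTL: keep serving it
    now[0] = 301.0
    try:
        cache.get()               # past 300 s with no refresh possible: must fail loudly
        expired = False
    except ConnectionError:
        expired = True
    km.unreachable = False
    recovered = cache.get()       # Key Manager is back: the next version is fetched
    return {"first": first, "same": same, "stale": stale, "expired": expired,
            "recovered": recovered, "reads": cache.fetch_count}
```

Two design choices matter here: the refresh is attempted early so a transient outage does not coincide with expiry, and once the TTL is genuinely over the cache refuses to serve rather than silently keeping a revoked credential alive. For a static secret with no TTL, pair this with restarting the consumer after a rollback, as the Troubleshooting table notes.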
Versioning¶
Static secrets are versioned by default — each update creates a new version. You can read a specific version, roll back, or destroy older versions.
Certificates¶
Importing an existing cert¶
Certificates → + Import — paste the PEM certificate, its private key, and the chain. Use this when an external CA is mandated.
Issuing via Cloud Digit-managed CA¶
Certificates → + Issue — enter a CN (e.g. app.example.com) and SANs. The cert auto-renews at 75% of validity. Useful for internal services.
Public-facing cert (Let's Encrypt-style)¶
Certificates → + Public ACME — domain validation via DNS challenge (Cloud Digit DNS-managed zones) or HTTP challenge (via your LB). Auto-renew. The same flow Cloud Digit's Load Balancer uses for managed-cert mode.
Attaching¶
Cert detail → Attach to — picks a Load Balancer listener, ingress, or service-mesh listener.
KMS Keys¶
Creating¶
KMS Keys → + New Key:
- Type — AES-256 (symmetric) / RSA-2048 / RSA-4096 / EC-P256 / EC-P384
- Usage — encrypt-decrypt / sign-verify
- Rotation — annual auto / manual / never
Use cases¶
- Object Storage SSE-C — point a bucket's default encryption at a KMS key here
- Block Storage BYOK (preview) — same idea for boot/data volumes
- Application-level encryption — call the KMS API to encrypt small blobs (≤ 4 KiB) without exposing raw key material
```python
# Application-level encrypt via the KMS API
# (the snippet is cut off at this point in the original page)
import requests

ct = requests.post(
    "https://api.bd-dha-1.clouddigit.ai/v1/keymanager/kms/keys/
```
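The KMS encrypt call is limited to 4 KiB and is rate-limited, which is why the Troubleshooting table recommends envelope encryption for anything beyond a handful of small blobs: encrypt the records locally with a data key, and send only that data key through KMS. The block below is an added example, not code from the Cloud Digit docs. `WrappingKms` is a constructed in-memory stand-in for a KMS key (the full KMS request is not shown on this page), and the local cipher is an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, used only because the Python standard library has no AES; in production use AES-256-GCM for the records and the real KMS encrypt/decrypt for the data key.

```python
"""Envelope encryption: one KMS round trip per data key, local crypto per record.

Added example, not code from the Cloud Digit docs. WrappingKms is a constructed
stand-in for a Key Manager KMS key; LocalCipher is an HMAC-SHA256 counter-mode
stream cipher with an encrypt-then-MAC tag, used only because the standard
library has no AES. Swap in AES-256-GCM and the real KMS calls in production.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

NONCE_LEN, TAG_LEN, KMS_MAX_BLOB = 16, 32, 4096


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class LocalCipher:
    """Layout: nonce || ciphertext || tag, with separate encryption and MAC sub-keys."""

    @staticmethod
    def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
        return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

    @staticmethod
    def seal(key: bytes, plaintext: bytes) -> bytes:
        enc_key, mac_key = LocalCipher._subkeys(key)
        nonce = os.urandom(NONCE_LEN)  # fresh per message; a reused nonce leaks plaintext XOR
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

    @staticmethod
    def open(key: bytes, blob: bytes) -> bytes:
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("ciphertext too short")
        enc_key, mac_key = LocalCipher._subkeys(key)
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("authentication failed")  # tampered or wrong key: return nothing
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class WrappingKms:
    """Constructed stand-in for a Key Manager KMS key: the master key never leaves it."""

    def __init__(self) -> None:
        self._master = os.urandom(32)
        self.calls = 0  # every wrap/unwrap counts against the KMS rate limit

    def wrap(self, data_key: bytes) -> bytes:
        if len(data_key) > KMS_MAX_BLOB:
            raise ValueError("KMS encrypt accepts at most 4 KiB")  # limit stated on this page
        self.calls += 1
        return LocalCipher.seal(self._master, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        self.calls += 1
        return LocalCipher.open(self._master, wrapped)


def encrypt_records(kms: WrappingKms, records: List[bytes]) -> Tuple[bytes, List[bytes]]:
    data_key = os.urandom(32)
    wrapped = kms.wrap(data_key)  # the only KMS call on the write path
    return wrapped, [LocalCipher.seal(data_key, r) for r in records]


def decrypt_records(kms: WrappingKms, wrapped: bytes, blobs: List[bytes]) -> List[bytes]:
    data_key = kms.unwrap(wrapped)  # the only KMS call on the read path
    return [LocalCipher.open(data_key, b) for b in blobs]


def demo(n: int = 1000) -> Dict[str, object]:
    kms = WrappingKms()
    records = [f"row-{i}".encode() for i in range(n)]  # constructed sample data
    wrapped, blobs = encrypt_records(kms, records)
    roundtrip = decrypt_records(kms, wrapped, blobs) == records
    tampered = bytearray(blobs[0])
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    try:
        decrypt_records(kms, wrapped, [bytes(tampered)])
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"records": n, "kms_calls": kms.calls,  # 3, versus 2*n if KMS encrypted each row
            "roundtrip": roundtrip, "tamper_detected": tamper_detected}
```

Store the wrapped data key next to the ciphertexts (it is useless without the KMS key), and rotate by generating a new data key and re-wrapping; the annual KMS rotation setting above does not re-encrypt old wrapped keys for you.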
SSH Keys¶
Adding¶
SSH Keys → + Add:
- Name
- Public key — paste OpenSSH format
- Comment — for audit (e.g. "alice's macbook 2026")
Using at VM create time¶
The Server Create wizard includes an SSH key dropdown — pick the keys you want injected into ~/.ssh/authorized_keys of the default user.
Rotating¶
Keys can't be edited in place. Add the new key, roll it out to VMs (cloud-init at create time, or a config-management run for hosts that already exist), confirm you can log in with the new key, then remove the old one.
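The rotation step that touches existing hosts is the one that goes wrong in practice: cloud-init writes `authorized_keys` only at first boot, and matching keys by comment text removes the wrong line. The following is an added example, not code from the Cloud Digit docs: it swaps one key for another in an `authorized_keys` file, identifying keys by the SHA256 fingerprint that `ssh-keygen -lf` prints, and replaces the file atomically. The ed25519-shaped keys from `fake_key()` are constructed for the demo and are not real key pairs.

```python
"""Swap one public key for another in authorized_keys, matching by fingerprint.

Added example, not code from the Cloud Digit docs. Keys are identified by the
SHA256 fingerprint ssh-keygen -lf prints, not by comment text, and the file is
replaced atomically so a crash cannot leave it empty. fake_key() builds
ed25519-shaped lines for the demo only; they are not usable key pairs.
"""
import base64
import hashlib
import os
import tempfile
from typing import List, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint: unpadded base64 of SHA-256 over the decoded wire blob."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    n = int.from_bytes(blob[:4], "big")  # the blob starts with a length-prefixed type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match the key blob")
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_of_line(line: str) -> str:
    """authorized_keys lines may carry options (from=..., command=...) before the key."""
    toks = line.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            return fingerprint(toks[i] + " " + toks[i + 1])
    raise ValueError(f"unrecognised authorized_keys line: {line[:40]!r}")


def rotate(lines: List[str], old_fp: str, new_key: str) -> Tuple[List[str], int]:
    """Return (new file content, number of old-key lines removed).

    The new key ends up present exactly once; comments and blank lines are kept.
    Re-running with the same arguments changes nothing except the count.
    """
    new_fp = fingerprint(new_key)  # validates the new key before anything is touched
    kept, removed = [], 0
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fp = fingerprint_of_line(stripped)
        if fp == old_fp:
            removed += 1
        elif fp != new_fp:  # an existing copy of the new key is dropped and re-added once below
            kept.append(line)
    kept.append(new_key.strip())
    return kept, removed


def write_atomically(path: str, lines: List[str]) -> None:
    """Write a 0600 temp file in the same directory, then rename it over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".authorized_keys.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)
            f.write("\n".join(lines) + "\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def fake_key(seed: int) -> str:
    """Constructed ssh-ed25519 line with the right wire shape (NOT a usable key)."""
    point = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = b"\x00\x00\x00\x0bssh-ed25519" + len(point).to_bytes(4, "big") + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode()
```

On a host, read `~/.ssh/authorized_keys` with `splitlines()`, pass the old key's fingerprint (copy it from `ssh-keygen -lf` on the old public key) and the new key line to `rotate()`, and hand the result to `write_atomically()`. Keep the session you ran it from open until a fresh login with the new key succeeds; only then remove the old key from Key Manager.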
Troubleshooting¶
| Symptom | Likely cause | Fix |
|---|---|---|
| Secret read returns 403 | The caller's API token doesn't have `keymanager:secrets:read` for this path | Update the token's permissions; or use a downscoped service-account token |
| Certificate auto-renew failed | DNS / HTTP challenge couldn't validate | Cert detail → Renewal log; common causes: DNS TXT record missing or stale, HTTP-01 endpoint unreachable |
| KMS encrypt API: 429 Too Many Requests | High volume of small encrypts | Switch to envelope encryption — encrypt data with a local AES key, encrypt that AES key with KMS once |
| SSH key listed in console but not in VM | Key wasn't in the create wizard, or cloud-init was disabled in the image | Confirm the image has cloud-init; or push the key via your config-management |
| Secret version restored but apps still see old | Apps cache the previous secret value | Restart the apps; or implement the OpenBao "renew on near-expiry" pattern |
| Certificate attached to LB but browser shows old | LB caches certs; takes ≤ 30 s to propagate | Wait 30 s; if still stale, force a refresh by detaching + re-attaching |
Pricing¶
Key Manager is metered:
- Secrets — per 100 secrets-month
- Certificate management — per certificate-month + per ACME issuance
- KMS — per key-month + per million encrypt/decrypt operations
- SSH keys — free
See Pricing model.
Related¶
- Secrets Management (OpenBao) — full underlying service docs
- Object Storage — uses KMS keys for encryption
- Networking → Load Balancer — uses certificates
- Servers — uses SSH keys at create time
- SIEM — receives Key Manager audit events