Main Content

Handle Sensitive Information in Deployed Applications

Since R2024a

You can increase the security of your application code by storing sensitive information, such as passwords, as secrets in your MATLAB® vault.

When you set a secret value in MATLAB, it is stored in your local MATLAB vault. The MATLAB vault provides encrypted and persistent storage for secrets. Your vault and secrets persist across MATLAB sessions. You can store secrets in your MATLAB vault using the setSecret (MATLAB) function and list currently stored secrets using listSecrets (MATLAB).

A secret can be any sensitive information that you would like to store securely in an encrypted form. Each secret consists of a name, value, and optional metadata.

  • Secret name — A unique case-sensitive text identifier for the secret. The secret name is stored unencrypted in your vault as a string scalar.

  • Secret value — A text value associated with the secret. The Secret Prompt dialog box, where you enter the secret value, supports copy-paste functionality. The secret value is stored encrypted in your vault using industry standard AES-256 encryption. The secret value is returned as a string scalar.

  • Secret metadata — A dictionary containing additional information associated with the secret. Metadata can aid in the identification, usage, and lifecycle management of the secret. The optional secret metadata is stored unencrypted in your vault.

For example, this secret contains the following database credentials:

  • Secret name — "databasePassword"

  • Secret value — "CpyA/&qRFzB2$X*jf"

  • Secret metadata — dictionary (string ⟼ cell) with 3 entries:

    "databaseName"{["productionDB"]}

    "host" {["db.example.com"]}

    "port"{["5432"]}

For more information on secrets and the MATLAB vault, see Keep Sensitive Information Out of Code (MATLAB).

Package Code with Secrets

If the MATLAB code you want to deploy handles sensitive information, you can use the getSecret (MATLAB) function in your application code to retrieve a secret value, which is decrypted at run time.

These functions that manage secrets are deployable:

  • getSecret (MATLAB) – Retrieve a secret from your vault.

  • getSecretMetadata (MATLAB) – Retrieve metadata of a secret in your vault.

  • isSecret (MATLAB) – Determine if a secret exists in your vault.

All other secret management functions, including setSecret, are not deployable.

Package Secrets in Deployable Archive

You can use the functionality provided by the MATLAB vault in standalone applications by including secrets in the deployable archive.

To package secrets with a standalone application, you specify the secret names in a secrets manifest JSON file using the mcc -J (MATLAB Compiler) option. You can also use the -J flag in the Additional Runtime Settings area of the compiler apps.

You can specify a secrets manifest file with a compiler.build function using the SecretsManifest option. (since R2024b)

For MATLAB Compiler™ to retrieve secrets from your local MATLAB vault and embed them in the deployable code archive at compile time, you must call setSecret in MATLAB to store each secret in your vault before you package your code.

For an example on creating a standalone application that uses secrets, see Access Sensitive Information in Standalone Application (MATLAB Compiler).

Store Secret Values as Environment Variables

As an alternative to packaging secrets within the archive, you can store secret values in environment variables on the target platform. For instance, if your deployed code runs in a container, you can set the environment variables when you create the container instance. Access secrets stored in environment variables using the getSecret (MATLAB) function, specifying the environment variable name as the secret name.

In the instance where a secret stored in your vault shares a name with an environment variable, getSecret retrieves the value of the environment variable.

Access Secrets on MATLAB Web App Server

On MATLAB Web App Server™, secrets are stored in the server vault. To retrieve and use secrets in a web application, call the getSecret (MATLAB) function in the application code.

The Web App Server administrator can add, remove, or modify secrets stored in the server vault. To manage secrets on MATLAB Web App Server, the administrator can use one of these options:

Note

Security Considerations: On MATLAB Web App Server, the vault file is configured by the Web App Server administrator, who has read and write permissions. Web app worker processes do not have access to this file. Server processes have read permission.

The MATLAB Web App Server also provides functionality to define attribute-based access control rules. These rules enable authenticated individuals to retrieve secrets from the server vault.

By activating policy-based access to secrets on the server, the server administrator can tailor secret access configurations for individual users. This feature is useful for managing secrets across various applications and their respective user bases. It allows web apps to access secret values at run time, for instance, to retrieve unique credentials on a per-user basis.

For information about secrets access control, see Control Secrets Access in MATLAB Web App Server.

See Also

(MATLAB) | (MATLAB) | (MATLAB) |

Related Topics