How to manage .pem, .crt, and other key files

This guide explains how to handle files that are secret in their entirety, such as .pem, .crt, and other key files. For files that are only partially secret, check out the config file guide.

The examples use TLS certificate keys, but the same principles apply to other secret files as well.

Before you begin

Before you start using SecretHub with key files, make sure you have completed the following steps:

  1. Set up SecretHub on your workstation.

Step 1: Store the file on SecretHub

SecretHub can hold any type of value (they’re just bytes). To write the contents of a file to SecretHub, use write:

secrethub write --in-file <path to file> <path on SecretHub>

For example, to store the contents of the file at the your-company/tls/ path on SecretHub:

secrethub write --in-file your-company/tls/

Step 2: Retrieve the file from SecretHub

To write the contents of a secret back to a file, use read:

secrethub read --out-file <path to file> <path on SecretHub>

For example, to write the contents stored at your-company/tls/ on SecretHub to the file:

secrethub read --out-file /etc/pki/tls/private/ your-company/tls/
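A check worth running after Step 2, before any service loads the retrieved key, is that the file on disk is readable by its owner only. The script below is an added example, not part of the SecretHub documentation; the function names `file_mode`, `check_key_file` and `fetch_key` and the owner-only policy are assumptions of this example, and only the `secrethub read --out-file` invocation comes from this guide.

```shell
#!/bin/sh
# Added example: guard around the `secrethub read --out-file` step.
# Function names and the owner-only policy are assumptions of this example.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 only if $1 is a regular, non-empty file (not a symlink) whose
# mode grants nothing to group or other.
check_key_file() {
    f=$1
    [ -L "$f" ] && { echo "refusing symlink: $f" >&2; return 1; }
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -s "$f" ] || { echo "empty file: $f" >&2; return 1; }
    mode=$(file_mode "$f") || return 1
    case $mode in
        0|*00) return 0 ;;   # e.g. 600 or 400: owner-only
        *) echo "mode $mode exposes $f to group/other" >&2; return 1 ;;
    esac
}

# Retrieve the secret at SecretHub path $2 into file $1, then verify it.
fetch_key() {
    dest=$1
    secret=$2
    (
        # A newly created file cannot end up group- or world-accessible.
        # A pre-existing file keeps its old mode, which the check catches.
        umask 077
        secrethub read --out-file "$dest" "$secret"
    ) || return 1
    check_key_file "$dest"
}
```

Call `fetch_key <path to file> <path on SecretHub>` in place of the bare read command, and start the dependent service only when it returns 0.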

See also