How to manage .pem, .crt, and other key files

This guide explains how to deal with files that are completely secret, like .pem, .crt, and other key files. For files that are partially secret, check out the config file guide.

This guide will show how to deal with TLS certificate keys, but the same principles can be applied to other secret files as well.

Before you begin

Before you start using SecretHub with key files, make sure you have completed the following steps:

  1. Install the SecretHub CLI for your OS.
  2. Sign up for a SecretHub account.

Step 1: Store the file on SecretHub

SecretHub can hold any type of value (they’re just bytes). To write the contents of a file to SecretHub, use write:

secrethub write --in-file <path to file> <path on SecretHub>

For example, to store the contents of the example.com.key file at the your-company/tls/example.com/key path on SecretHub:

secrethub write --in-file example.com.key your-company/tls/example.com/key

Step 2: Retrieve the file from SecretHub

To write the contents of a secret back to a file, use read:

secrethub read --out-file <path to file> <path on SecretHub>

For example, to write the contents stored at your-company/tls/example.com/key on SecretHub to the /etc/pki/tls/private/example.com.key file:

secrethub read --out-file /etc/pki/tls/private/example.com.key your-company/tls/example.com/key
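When the retrieval in Step 2 runs as part of a deploy, a failed or empty read should not replace the key already in place, and the file should never be readable by group or others. The following wrapper is an added example, not part of the SecretHub documentation; the function names fetch_key and key_perms_ok are hypothetical, and it uses only the read --out-file invocation shown above, assuming the CLI is installed and authenticated.

```shell
# fetch_key <path on SecretHub> <destination file>
# Stages the secret in a private directory next to the destination, then
# renames it into place only if the read succeeded and produced data.
fetch_key() {
    secret_path=$1
    dest=$2
    (
        umask 077    # everything created below is owner-only
        tmpdir=$(mktemp -d "$(dirname "$dest")/.secret.XXXXXX") || exit 1
        if secrethub read --out-file "$tmpdir/key" "$secret_path" &&
           [ -s "$tmpdir/key" ] &&          # reject an empty result
           chmod 600 "$tmpdir/key" &&
           mv -f "$tmpdir/key" "$dest"      # same directory, so the replace is atomic
        then
            status=0
        else
            status=1                        # the existing key file is left untouched
        fi
        rm -rf "$tmpdir"
        exit "$status"
    )
}

# key_perms_ok <file>
# Succeeds only if group and others have no permission bits on the file.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Call it as fetch_key your-company/tls/example.com/key /etc/pki/tls/private/example.com.key, then run key_perms_ok on the destination before reloading the service that uses the key.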