Secret Management for Windows Server
This guide will show you how to provision an application running on a Windows Server with the secrets it needs.
To make life easy, you can use demo app from the Getting Started guide to have something to deploy to a test server.
If your servers run in the cloud, check out the cloud-specific guides instead that cover how to authenticate to SecretHub using cloud-native services, so you don’t have to deal with service credentials:
- AWS EC2
- GCP Compute Engine (coming soon)
- Azure Virtual Machines (coming soon)
Before you begin
Before you start using SecretHub on Windows Server, make sure you have:
- Followed the Getting Started Guide.
- Set up remote desktop access to a test server.
- Open a port on the server, so you can see the result.
Step 1: Create a service account for the demo app
Let’s deploy the app to a Windows test server in your datacenter.
The first step here is to create a service account for the demo app by running
This command generates a new credential for the app to fetch and decrypt the secrets, which you can store in a file like so:
secrethub service init your-username/demo \ --description demo-app \ --permission read > credential
Now upload the credential file to the Windows Server and place it in
The SecretHub CLI will look for the credential at this location.
Step 2: Install the CLI on the Server
With the service credential in place, the next step is to install the SecretHub CLI on the Windows Server.
Step 3: Run the app
Create or move the
secrethub.env file we used earlier and wrap the demo app start command in
secrethub run, setting the
--port flag to an open port on the machine:
secrethub run -- secrethub demo serve --host 0.0.0.0 --port 1234
Visit the webpage and see it in action!
There you have it, an app running on a Windows Server, provisioned with the secrets it needs. Check out the audit log, and you’ll see reads done by this service account being logged. If you want to rotate the secret, just write a new version to SecretHub and restart the apps that consume it. No config updates needed.