Handle Sensitive Information in Deployed Applications
You can increase the security of your application code by storing sensitive information, such as passwords, as secrets in your MATLAB® vault.
When you set a secret value in MATLAB, it is stored in your local MATLAB vault. The MATLAB vault provides encrypted and persistent storage for secrets. Your vault and secrets persist across MATLAB sessions. You can store secrets in your MATLAB vault using the setSecret function and list currently stored secrets using listSecrets.
A secret can be any sensitive information that you would like to store securely in an encrypted form. Each secret consists of a name, value, and optional metadata.
Secret name — A unique case-sensitive text identifier for the secret. The secret name is stored unencrypted in your vault as a string scalar.
Secret value — A text value associated with the secret. The Secret Prompt dialog box, where you enter the secret value, supports copy-paste functionality. The secret value is stored encrypted in your vault using industry standard AES-256 encryption. The secret value is returned as a string scalar.
Secret metadata — A dictionary containing additional information associated with the secret. Metadata can aid in the identification, usage, and lifecycle management of the secret. The optional secret metadata is stored unencrypted in your vault.
For example, this secret contains the following database credentials:
Secret name — "databasePassword"
Secret value — "CpyA/&qRFzB2$X*jf"
Secret metadata — dictionary (string ⟼ cell) with 3 entries:
"databaseName" ⟼ {["productionDB"]}
"host" ⟼ {["db.example.com"]}
"port" ⟼ {["5432"]}
For more information on secrets and the MATLAB vault, see Keep Sensitive Information Out of Code.
Package Code with Secrets
If the MATLAB code you want to deploy handles sensitive information, you can use the getSecret function in your application code to retrieve a secret value, which is decrypted at run time.
These functions that manage secrets are deployable:
getSecret – Retrieve a secret from your vault.
getSecretMetadata – Retrieve the metadata of a secret in your vault.
isSecret – Determine whether a secret exists in your vault.
All other secret management functions, including setSecret, are not deployable.
Package Secrets in Deployable Archive
You can use the functionality provided by the MATLAB vault in standalone applications by including secrets in the deployable archive.
To package secrets with a standalone application, you specify the secret names in a secrets manifest JSON file and pass that file using the mcc -J option. You can also use the -J flag in the Additional Runtime Settings area of the compiler apps.
You can specify a secrets manifest file with a compiler.build function using the SecretsManifest option (since R2024b).
For MATLAB Compiler™ to retrieve secrets from your local MATLAB vault and embed them in the deployable code archive at compile time, you must call setSecret in MATLAB to store each secret in your vault before you package your code.
For an example on creating a standalone application that uses secrets, see Access Sensitive Information in Standalone Application.
Store Secret Values as Environment Variables
As an alternative to packaging secrets within the archive, you can store secret values in environment variables on the target platform. For instance, if your deployed code runs in a container, you can set the environment variables when you create the container instance. Access secrets stored in environment variables using the getSecret function, specifying the environment variable name as the secret name.
In the instance where a secret stored in your vault shares a name with an environment variable, getSecret retrieves the value of the environment variable.
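The following function ties together the deployable secret functions, the packaging step, and the environment-variable alternative described above. It is an added example written for this page, not code from the MathWorks documentation. It assumes the "databasePassword" secret and the metadata keys "databaseName", "host" and "port" from the example secret earlier on this page, a hypothetical main function dbApp.m that calls it, and a secrets manifest file secrets.json whose contents are not shown here.

```matlab
function creds = loadDatabaseCredentials()
% loadDatabaseCredentials  Resolve the "databasePassword" secret at run time
% and return the connection details as a struct.
%
% Added example, not from the MathWorks documentation. Assumes a hypothetical
% main function dbApp.m that calls this function, and a manifest secrets.json
% that lists the secret name (manifest contents not shown here). Typical build
% steps, run in MATLAB on the build machine:
%
%   setSecret("databasePassword")                % store the value in the vault first
%   mcc -m dbApp.m -J secrets.json               % embed the listed secrets in the archive
%   compiler.build.standaloneApplication("dbApp.m", ...
%       SecretsManifest="secrets.json")          % alternative to mcc -J (since R2024b)

    secretName = "databasePassword";

    % Only getSecret, getSecretMetadata and isSecret are deployable. isSecret
    % covers the packaged vault; isenv covers the environment-variable
    % alternative. Whether isSecret also reports environment-variable-backed
    % names is not stated, so both are checked. Failing here gives the operator
    % a clear message instead of an error raised from inside getSecret.
    inVault = isSecret(secretName);
    if ~inVault && ~isenv(secretName)
        error("dbApp:missingSecret", ...
            "Secret ""%s"" is not packaged and no environment variable " + ...
            "of that name is set.", secretName);
    end

    % The value is decrypted at run time. If an environment variable named
    % databasePassword exists on the target machine, getSecret returns that
    % value rather than the value packaged from the vault.
    password = getSecret(secretName);

    % Connection details start from constructed placeholder defaults and are
    % overridden from the unencrypted metadata when the secret comes from the
    % vault. An environment variable carries no metadata, so that step is
    % skipped for environment-variable-backed secrets.
    creds = struct('Host', "localhost", 'Port', 5432, ...
        'Database', "productionDB", 'Password', password);
    if inVault
        md = getSecretMetadata(secretName);   % dictionary (string -> cell)
        if isKey(md, "host")
            creds.Host = string(md{"host"});
        end
        if isKey(md, "port")
            creds.Port = double(string(md{"port"}));
        end
        if isKey(md, "databaseName")
            creds.Database = string(md{"databaseName"});
        end
    end
end
```

The same compiled function works whether the secret was embedded with the manifest or supplied as an environment variable in the container, because getSecret resolves both by name. Keep in mind that the secret name and metadata are stored unencrypted, so put only non-sensitive connection details such as host and port in metadata and keep the credential itself in the secret value.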
Access Secrets on MATLAB Web App Server
On MATLAB Web App Server™, secrets are stored in the server vault. To retrieve and use secrets in a web application, call the getSecret function in the application code.
The Web App Server administrator can add, remove, or modify secrets stored in the server vault. To manage secrets on MATLAB Web App Server, the administrator can use one of these options:
Use webapps-secrets (MATLAB Web App Server) at the command line.
Use the graphical interface of the development version of MATLAB Web App Server. For details, see Configure the Development Version of MATLAB Web App Server in MATLAB Compiler.
Note
Security Considerations: On MATLAB Web App Server, the vault file is configured by the Web App Server administrator, who has read and write permissions. Web app worker processes do not have access to this file. Server processes have read permission.
The MATLAB Web App Server also provides functionality to define attribute-based access control rules. These rules enable authenticated individuals to retrieve secrets from the server vault.
By activating policy-based access to secrets on the server, the server administrator can tailor secret access configurations for individual users. This feature is useful for managing secrets across various applications and their respective user bases. It allows web apps to access secret values at run time, for instance, to retrieve unique credentials on a per-user basis.
For information about secrets access control, see Control Secrets Access in MATLAB Web App Server (MATLAB Web App Server).
See Also
setSecret | getSecret | isSecret | webapps-secrets (MATLAB Web App Server)