Safe and Sound in the Cloud—How Akeyless Protects Your Secrets

One of the underlying themes of the Akeyless Vault Platform is that we put the control of data in your hands. Applications are inherently leaky, especially in the cloud. So how can you trust a SaaS platform with a mission-critical aspect of infrastructure like secrets?

We understand this challenge at Akeyless, so we’ve created a lightweight container that runs inside the organization’s own infrastructure, called the Akeyless Gateway. Easy to deploy, the Gateway is an extension of the SaaS into the organization’s environment, and it reaches Akeyless over a connection that the Gateway itself initiates outbound; nothing on the organization’s side has to accept inbound connections from the internet.

Without a gateway, the organization’s environment would have to be exposed.

Put simply, a SaaS that manages secrets needs access to internal resources. Without a gateway, an organization would have to open inbound ports so that the SaaS could reach elements of its internal infrastructure, and those ports would be reachable by anyone on the internet, not just by the SaaS. Instead of exposing ports unnecessarily, the Akeyless Gateway initiates the connection to our SaaS from inside the network, so no inbound port has to be opened, traffic from unknown sources never reaches the internal infrastructure, and the attack surface shrinks accordingly.

It’s difficult to deny the utility of SaaS—with zero deployment & low maintenance, secrets management is undeniably easy for our users. Our goal is to provide that convenience without compromising security. 

There are three critical benefits the Akeyless Gateway offers, made possible by its unique placement in the organization’s environment. We’ll discuss these one by one.

  1. Zero Knowledge encryption
  2. Advanced secret types like rotated and dynamic secrets
  3. Caching and performance enhancements

Zero Knowledge Encryption

Zero Knowledge encryption means even Akeyless can’t access your data. You get full ownership, because neither your decrypted data nor your encryption keys leave your private network. The Akeyless Gateway is what makes this possible.

Akeyless uses a patented encryption technology, Distributed Fragments Cryptography (DFC™), that splits each encryption key into fragments which are never combined, so that no single location ever holds a usable key. The fragments are kept in different cloud providers. The final piece, what we call the customer fragment, resides within the Akeyless Gateway, where only the organization has access to it.

In other words, decryption cannot happen outside your environment, because it requires the customer fragment that only you hold, and you retain full ownership and control over the keys that decrypt your data.

RESOURCE: Learn more about DFC™ and how it keeps your data safe.

Advanced Secret Types

The Akeyless Gateway gives our users the ability to use rotated and dynamic secrets.

Dynamic secrets are temporary credentials that expire after a set period of time. They are considered the safest option for securing access to your data, because they never assume long-standing access: a user or workload gets access only when it needs it, and only for as long as it needs it.

Akeyless users can request a temporary account with the right level of permissions, and Akeyless issues it. Once the account expires, Akeyless also removes it from the target system.

Rotated secrets, on the other hand, are secrets that are periodically replaced. This is for longer-standing accounts in which credentials may need to be rotated for security or compliance needs.

Dynamic and rotated secrets are built into the gateway because, in order for Akeyless (or any other platform) to provision temporary accounts or rotate passwords, something needs access to the internal resources where those accounts live. Since the Gateway sits inside the organization’s environment and holds the connection to the SaaS, it is the component that can reach those systems. With direct access to the systems that house sensitive data, the Gateway acts as the internal orchestrator for temporary and rotated credentials.
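The two secret types described above, as an added example that is not Akeyless code: a minimal gateway-side orchestrator that issues a time-limited account (dynamic secret), drops it once its TTL has passed, and replaces the password of a long-lived account (rotated secret). The `FakeUserStore` and `FakeClock` classes are constructed stand-ins for the target system’s account table and the wall clock; a real gateway would run `CREATE USER` / `ALTER USER` / `DROP USER` or the equivalent API calls against the database or service instead.

```python
import secrets
import time


class FakeClock:
    """Constructed clock so expiry can be exercised without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def time(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeUserStore:
    """Constructed stand-in for the target system's account table."""
    def __init__(self):
        self.users = {}   # username -> {"password": ..., "role": ...}
        self.log = []     # audit trail of provisioning actions

    def create_user(self, name, password, role):
        if name in self.users:
            raise ValueError(f"user {name} already exists")
        self.users[name] = {"password": password, "role": role}
        self.log.append(("create", name))

    def set_password(self, name, password):
        if name not in self.users:
            raise KeyError(name)
        self.users[name]["password"] = password
        self.log.append(("rotate", name))

    def drop_user(self, name):
        self.users.pop(name, None)
        self.log.append(("drop", name))


class Lease:
    """A dynamic credential handed to a client, with its absolute expiry."""
    def __init__(self, username, password, expires_at):
        self.username = username
        self.password = password
        self.expires_at = expires_at


class CredentialOrchestrator:
    """Gateway-side logic for dynamic (short-lived) and rotated secrets."""
    def __init__(self, store, now=time.time):
        self.store = store
        self.now = now          # injected clock, real time by default
        self.leases = {}        # username -> Lease

    def issue_dynamic(self, role, ttl):
        # Unique account name plus a CSPRNG password (256 bits of entropy).
        username = f"dyn_{role}_{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(32)
        self.store.create_user(username, password, role)
        lease = Lease(username, password, self.now() + ttl)
        self.leases[username] = lease
        return lease

    def revoke_expired(self):
        """Drop every account whose lease has lapsed; returns the names removed."""
        t = self.now()
        expired = [u for u, lease in self.leases.items() if lease.expires_at <= t]
        for u in expired:
            self.store.drop_user(u)
            del self.leases[u]
        return expired

    def rotate(self, username):
        """Rotated secret: the account stays, only its password changes."""
        new_password = secrets.token_urlsafe(32)
        self.store.set_password(username, new_password)
        return new_password


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    store = FakeUserStore()
    orch = CredentialOrchestrator(store, now=clock.time)
    lease = orch.issue_dynamic("readonly", ttl=60)
    print("issued", lease.username, "expires at", lease.expires_at)
    clock.advance(61)
    print("revoked", orch.revoke_expired())
    store.create_user("app_svc", "initial-password", "readwrite")
    orch.rotate("app_svc")
    print("audit log:", store.log)
```

The point the code makes is the one the text makes: the orchestrator has to sit where it can reach the account store, and the lease record is what lets it clean up after itself rather than leaving temporary accounts behind. In production, `revoke_expired` would run on a timer, and the audit log would go to the SIEM.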

Caching and Performance Enhancements

Akeyless also enables organizations to have live fallback and continuous service capabilities via caching in the Akeyless Gateway. 

Since the Gateway sits on the organization’s local network, it plays an important role in performance. Policy set on the Gateway determines which secrets to store locally, how long to keep them, and when to remove them.

For example, the admin can specify how long secrets are cached and when they are deleted from the cache. Like a browser cache, this improves performance and lowers latency: local copies are kept for secrets that are fetched often and discarded when they are no longer used. The cache TTL also bounds how long a rotated or revoked secret can still be served from the Gateway, so set it with that in mind.

In addition, the Gateway allows proactive secret fetching, which stores a local copy of your vault’s secrets ahead of time. If the Gateway ever loses its connection to the vault, applications keep receiving secrets from the local copy and carry on as if nothing has changed.
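The caching behaviour described in this section, as an added example that is not Akeyless code: a gateway-style secret cache that serves a value from memory while it is inside its TTL, re-fetches it from the SaaS once the TTL lapses, evicts entries nobody has asked for in a while, proactively pulls a list of secrets so they are available before an outage, and falls back to the last known value when the SaaS cannot be reached. `FakeBackend` and `FakeClock` are constructed stand-ins for the SaaS and the wall clock; the `allow_stale_on_outage` switch and the TTL and idle-eviction values are assumed knobs for illustration, not Akeyless configuration names.

```python
import time
from dataclasses import dataclass


class BackendUnavailable(Exception):
    """Raised by the fetch callable when the SaaS cannot be reached."""


class FakeClock:
    """Constructed clock so TTL and eviction can be exercised without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def time(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeBackend:
    """Constructed stand-in for the SaaS secret store, with an outage switch."""
    def __init__(self, values):
        self.values = dict(values)
        self.down = False
        self.calls = 0

    def fetch(self, name):
        self.calls += 1
        if self.down:
            raise BackendUnavailable(name)
        return self.values[name]


@dataclass
class CacheEntry:
    value: str
    fetched_at: float
    last_used: float


class SecretCache:
    def __init__(self, fetch, ttl, idle_evict, allow_stale_on_outage, now=time.time):
        self.fetch = fetch                    # callable(name) -> value
        self.ttl = ttl                        # seconds a fetched value is considered fresh
        self.idle_evict = idle_evict          # seconds of non-use before a local copy is dropped
        self.allow_stale = allow_stale_on_outage
        self.now = now
        self.entries = {}

    def get(self, name):
        t = self.now()
        entry = self.entries.get(name)
        if entry is not None and t - entry.fetched_at < self.ttl:
            entry.last_used = t
            return entry.value                # fresh hit, no round trip to the SaaS
        try:
            value = self.fetch(name)
        except BackendUnavailable:
            if entry is not None and self.allow_stale:
                entry.last_used = t
                return entry.value            # live fallback: last known value
            raise                             # no copy, or stale values disallowed
        self.entries[name] = CacheEntry(value, t, t)
        return value

    def prefetch(self, names):
        """Proactively pull secrets so they are on hand before any outage."""
        loaded = []
        for name in names:
            try:
                t = self.now()
                self.entries[name] = CacheEntry(self.fetch(name), t, t)
                loaded.append(name)
            except BackendUnavailable:
                break
        return loaded

    def evict_idle(self):
        """Drop local copies nobody has requested within idle_evict seconds."""
        t = self.now()
        idle = [n for n, e in self.entries.items() if t - e.last_used >= self.idle_evict]
        for n in idle:
            del self.entries[n]
        return idle


if __name__ == "__main__":
    clock = FakeClock()
    backend = FakeBackend({"db/password": "v1", "api/token": "t1"})
    cache = SecretCache(backend.fetch, ttl=30, idle_evict=120,
                        allow_stale_on_outage=True, now=clock.time)
    print(cache.get("db/password"), "fetches:", backend.calls)
    clock.advance(10)
    print(cache.get("db/password"), "fetches:", backend.calls)   # served from cache
    backend.down = True
    clock.advance(30)
    print(cache.get("db/password"), "(stale fallback during outage)")
```

The trade-off is visible in `get`: the shorter the TTL, the sooner a rotated value reaches consumers, but the more traffic goes to the SaaS; with `allow_stale_on_outage` enabled, a revoked secret can keep being served from the Gateway for as long as the outage lasts, which is the price of continuity.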

Conclusion

The Akeyless Gateway makes secure secrets management possible in the cloud.

With Zero Knowledge encryption, advanced secret types, and caching mechanisms to improve performance and disaster recovery, the Gateway houses the core functionality that makes the Akeyless Vault Platform unique. It helps us achieve the goal of not only making secrets management easier, but also making it more secure.


To learn more about the Akeyless Vault Platform, book a custom tour of the product today.
