
Manage your secrets using pxctl

This section provides instructions for managing your authentication credentials and endpoints with the pxctl secrets command. Currently, pxctl provides support for the following secret store providers:

  • Google Cloud KMS
  • KVDB

Before using the pxctl secrets command to manage your secrets, make sure you've configured a secret store provider. See the Secret store management page for more details.


To use encrypted volumes and ACLs, you need to ensure that Portworx is authenticated with the secrets endpoint.


AWS KMS

You can use the pxctl CLI tool to:

  • Generate AWS KMS secrets
  • List your AWS KMS secrets

Generate a secret

To generate a new KMS Data Key, run the pxctl secrets aws generate-kms-data-key command with the --secret_id flag as shown in the following example:

pxctl secrets aws generate-kms-data-key --secret_id mysecret
KMS Data Key successfully created.

List your AWS KMS secrets

You can list your AWS KMS secrets with:

pxctl secrets aws list-secrets

For more details on how to create data keys in AWS KMS and use them to encrypt your Portworx volumes, see the AWS KMS page.

Google Cloud KMS

With pxctl, you can create and list Google Cloud KMS secrets.

Create a new secret

You can create a new secret in Google Cloud KMS by running pxctl secrets gcloud create-secret with the following flags:

  • --secret_id with the ID of the secret
  • --passphrase with the secret passphrase Portworx will associate with the secret ID.

As an example, here's how you can generate a new secret in Google Cloud KMS:

pxctl secrets gcloud create-secret --secret_id mysecret --passphrase mysecretpassphrase
Created secret with id:  mysecret

This creates a new key-value pair mysecret=mysecretpassphrase. Portworx will use Google Cloud KMS to encrypt the passphrase mysecretpassphrase and store it in its internal metadata store. To use this passphrase for encrypting volumes, you have to provide the secret ID mysecret while creating/attaching the volume.

Known issue


Fixed in Portworx Enterprise version 2.10.1

  • When the passphrase is over 200 bytes long, users might see the error crypto/rsa: message too long for RSA public key size.
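The error text in this known issue is the message of Go's rsa.ErrMessageTooLong, which crypto/rsa returns when a plaintext is larger than a single RSA operation can hold. The following added example (not Portworx code) shows where that limit falls, assuming RSA-OAEP with SHA-256 and 2048-bit or 3072-bit keys; the padding scheme, the key sizes and the helper names are assumptions, because this page does not state what Portworx uses.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// maxOAEPPlaintext returns the largest message, in bytes, that RSA-OAEP can
// encrypt directly: modulus size minus two hash outputs minus two bytes.
func maxOAEPPlaintext(pub *rsa.PublicKey, hashSize int) int {
	return pub.Size() - 2*hashSize - 2
}

// tryEncrypt encrypts a constructed n-byte passphrase and reports whether it
// succeeded and whether the failure was rsa.ErrMessageTooLong.
func tryEncrypt(pub *rsa.PublicKey, n int) (ok bool, tooLong bool) {
	msg := make([]byte, n) // constructed sample input: n zero bytes
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	return err == nil, errors.Is(err, rsa.ErrMessageTooLong)
}

// newKey generates a throwaway RSA key of the given size for the demo.
func newKey(bits int) *rsa.PublicKey {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return &key.PublicKey
}

func main() {
	// Key sizes are assumptions chosen to show how the limit moves.
	for _, bits := range []int{2048, 3072} {
		pub := newKey(bits)
		limit := maxOAEPPlaintext(pub, sha256.Size)
		// Test the exact limit, one byte past it, and a 201-byte passphrase.
		for _, n := range []int{limit, limit + 1, 201} {
			ok, tooLong := tryEncrypt(pub, n)
			fmt.Printf("%d-bit key, %3d-byte passphrase: ok=%v tooLong=%v\n",
				bits, n, ok, tooLong)
		}
	}
}
```

The limit counts bytes, not characters, so a passphrase containing multi-byte UTF-8 characters reaches it sooner than its visible length suggests.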

List existing secrets

To list your secrets, run:

pxctl secrets gcloud list-secrets

Kubernetes Secrets

To find out how to configure Portworx with Kubernetes Secrets, see the Kubernetes Secrets page.



Vault

To install and configure Vault, see the Vault install page.

For a step-by-step guide on how you can connect your Portworx cluster to a Vault endpoint and then use the Vault endpoint to store secrets, see the Vault page.


KVDB

You can use the pxctl CLI utility to store, list and retrieve KVDB secrets.

Store a secret

To store a secret in KVDB you can run the pxctl secrets kvdb put-secret command and pass it the following flags:

  • --secret_id with the ID of the secret
  • --secret_value with the value of the secret.

Here's an example:

pxctl secrets kvdb put-secret --secret_id my_secret_id --secret_value my_secret_value
Secret Put succeeded

List existing secrets

Use the following command to list your secrets:

pxctl secrets kvdb list-secrets
Secret ID

Retrieve a secret

You can retrieve a secret by running pxctl secrets kvdb get-secret with the --secret_id flag as follows:

pxctl secrets kvdb get-secret --secret_id my_secret_id
Secret: [my_secret_id]:[my_secret]

IBM Key Protect

You can use pxctl to list the IDs of your IBM Key Protect secrets by running the following command:

pxctl secrets ibm list-secrets

Set a cluster-wide key

To set an existing secret as the default cluster-wide secret for volume encryption, run the pxctl secrets set-cluster-key command and pass it the following flags:

  • --secret with the secret ID of an existing secret
  • --overwrite to overwrite the existing cluster-wide secret. Use this flag with caution because any existing volumes encrypted with the old secret will be unusable.

The following example sets my_secret_id as the cluster-wide secret:

pxctl secrets set-cluster-key --secret my_secret_id

Dump and upload cluster-wide secrets

See the dump and upload cluster-wide secrets page for details.
