Secrets management vs secret sharing
They solve different problems.
Two different problems
Secrets management handles storage, rotation, and injection. Your CI pipeline pulls the database password from Vault at deploy time. Nobody types it, nobody sees it.
Secret sharing handles the handoff. A new developer needs the staging password now, before they're set up in Vault. You need to get it from your screen to theirs without leaving a copy in Slack.
What secrets management does
Tools like HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault store credentials, rotate them on a schedule, and inject them into your applications. They solve the problem of long-lived secrets in config files and environment variables.
Your application reads the credential at runtime from the vault. When the credential rotates, the application gets the new one automatically. No human touches it. No human sees it. That's the goal.
What secret sharing does
A self-destructing link gets a credential from one person to another. The credential is encrypted in the sender's browser, stored as ciphertext the server can't read, and deleted after it's opened. It solves the problem of passwords sitting in Slack channels and email threads.
See sharing passwords for how the process works, or sharing API keys for service credentials.
When you need both
Your team uses Vault for production secrets. A new contractor needs the staging database password. Vault can generate short-lived credentials, but setting up the contractor's access takes a day. You need to send them the password now. That's the handoff.
Create the secret with a 1-view limit and a 24-hour expiry. Send the link. The contractor opens it, saves the credential, and the encrypted data is deleted. Once they're set up in Vault, the staging password rotates and they get the new one through the proper channel. See sharing credentials with contractors for the full walkthrough.
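A minimal sketch of the self-destructing link and the 1-view, 24-hour limits described above, as an added example that is not the service's own code. The cipher (AES-GCM), carrying the key in the URL fragment, the in-memory `store`, the `share.example` host and every function name are assumptions; the page does not specify them.

```javascript
// Added sketch; AES-GCM, the fragment key, `store` and all names are assumptions.
// Runs under Node (uses Buffer); in a browser getCrypto() resolves to window.crypto.
const getCrypto = async () =>
  globalThis.crypto ?? (await import('node:crypto')).webcrypto;

const store = new Map(); // stand-in server: id -> { iv, ct, viewsLeft, expiresAt }
const DAY_MS = 24 * 3600 * 1000;

// Sender: encrypt locally, upload ciphertext only, keep the key in the URL fragment.
async function createLink(secret, { views = 1, ttlMs = DAY_MS, now = Date.now() } = {}) {
  const c = await getCrypto();
  const key = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12));
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(secret));
  const id = Buffer.from(c.getRandomValues(new Uint8Array(16))).toString('hex');
  store.set(id, { iv, ct, viewsLeft: views, expiresAt: now + ttlMs }); // no key stored
  const rawKey = Buffer.from(await c.subtle.exportKey('raw', key)).toString('base64url');
  return `https://share.example/s/${id}#${rawKey}`; // fragments are not sent in requests
}

// Server: return ciphertext, count the view, delete on last view or after expiry.
function fetchCiphertext(id, now = Date.now()) {
  const rec = store.get(id);
  if (!rec) return null;
  if (now >= rec.expiresAt) { store.delete(id); return null; }
  if (--rec.viewsLeft <= 0) store.delete(id);
  return { iv: rec.iv, ct: rec.ct };
}

// Recipient: fetch ciphertext by id, decrypt with the key taken from the fragment.
async function openLink(link, now = Date.now()) {
  const url = new URL(link);
  const blob = fetchCiphertext(url.pathname.split('/').pop(), now);
  if (!blob) return null; // already opened, expired, or never existed
  const c = await getCrypto();
  const rawKey = Buffer.from(url.hash.slice(1), 'base64url');
  const key = await c.subtle.importKey('raw', rawKey, 'AES-GCM', false, ['decrypt']);
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: blob.iv }, key, blob.ct);
  return new TextDecoder().decode(pt);
}
```

The server-side record holds only `iv` and `ct`, so the stored data is unreadable without the link, and a second `openLink` on the same link returns `null`.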
Credential sprawl
When credentials end up in Slack DMs, email threads, Confluence pages, and shared Google Docs, that's credential sprawl. Every copy is an exposure surface. Every channel that stores the credential is a channel that could be searched, exported, or compromised.
A secrets manager reduces sprawl by centralising storage. Applications read from the vault instead of from config files checked into version control. A secret-sharing tool reduces sprawl by eliminating persistence in the channel. The credential gets where it needs to go and then stops existing in the transfer medium.
The vault stores it. This sends it.