-
Secrets are encrypted at rest (using KMS) in AWS Secrets Manager and encrypted in transit (using TLS) when you fetch the secret using the AWS SDK. The caching library uses the AWS SDK under the hood. At some point your application is going to need the plaintext value. You have to trust the execution environment in which you are retrieving the secret. This is irrespective of whether you're retrieving the secret directly using the SDK, or using the caching library. In both cases, the secret plaintext value will sit, unencrypted, in the application memory. Feel free to elaborate on your use case in case I missed something.
-
How can we encrypt on storing and decrypt on retrieving cached secrets stored in memory?