---
title: SystemAndEnvSecretStore
description: Manage a store of secrets from system properties and environment variables.
component: pinggateway
version: 2026
page_id: pinggateway:reference:SystemAndEnvSecretStore
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/SystemAndEnvSecretStore.html
revdate: 2025-06-02T18:01:47Z
section_ids:
  SystemAndEnvSecretStore-usage: Usage
  SystemAndEnvSecretStore-properties: Properties
  SystemAndEnvSecretStore-log: Log level
  SystemAndEnvSecretStore-example: Example
  SystemAndEnvSecretStore-moreinfo: More information
---

# SystemAndEnvSecretStore

Manage a store of secrets from system properties and environment variables.

This secret store can manage GenericSecret and CryptoKey [secret types](../security-guide/keys.html#secret-types) when used with dedicated formats.

A secret ID must conform to the convention described in [secret-id](preface.html#definition-secretid). The reference is then transformed to match the environment variable name, as follows:

* Periods (.) are converted to underscores.

* Characters are transformed to uppercase.

For example, `my.secret.id` is transformed to `MY_SECRET_ID`.

The secrets provider queries the SystemAndEnvSecretStore for a named secret, identified by the name of a system property or environment variable. The SystemAndEnvSecretStore returns a secret that exactly matches the name.

The secrets provider builds the secret, checking that the secret's constraints are met, and returns a unique secret. If the secret's constraints aren't met, the secrets provider cannot build the secret and the secret query fails.

Learn how PingGateway manages secrets in [About secrets](../security-guide/keys.html#about-secrets).

## Usage

```json
{
  "name": string,
  "type": "SystemAndEnvSecretStore",
  "config": {
    "format": SecretPropertyFormat reference,
    "mappings": [ object, ... ],
    "leaseExpiry": configuration expression<duration>
  }
}
```

## Properties

* `"format"`: *SecretPropertyFormat [reference](preface.html#definition-reference), optional*

  Format in which the secret is stored. Use one of the following values or define a format:

  * `BASE64`: Base64-encoded

    The original secret prior to base64-encoding must use UTF-8 encoding.

  * `PLAIN`: Plain text

    The text must use UTF-8 encoding.

  Default: `BASE64`

* `"mappings"`: *array of [objects](preface.html#definition-object), optional*

  One or more mappings to define a secret:

  * `secretId`: *configuration expression<[secret-id](preface.html#definition-secretid)>, required*

    The ID of the secret used in your configuration.

  * `format`: *SecretPropertyFormat [reference](preface.html#definition-reference), required*

    The format and algorithm of the secret. Use [SecretKeyPropertyFormat](SecretKeyPropertyFormat.html) or [PemPropertyFormat](PemPropertyFormat.html).

* `"leaseExpiry"`: *configuration expression<[duration](preface.html#definition-duration)>, optional*

  The amount of time that secrets produced by this store can be cached before they must be refreshed.

  If the duration is `zero` or `unlimited`, PingGateway issues a warning and uses the default value.

  Default: 5 minutes
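
The naming rule and the default `BASE64` format described above, as an added shell example that is not part of the PingGateway documentation or code: it derives the environment variable name for a secret ID, encodes the value, and verifies the round trip before exporting. The function names and the sample secret are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PingGateway code. Function names are hypothetical.

# Map a secret ID to its environment variable name using the two rules
# on this page: periods become underscores, characters become uppercase.
secret_env_name() {
    printf '%s' "$1" | tr '.' '_' | tr '[:lower:]' '[:upper:]'
}

# Encode a UTF-8 secret for the default BASE64 format.
# printf avoids the trailing newline that echo would append to the secret;
# tr removes the line wrapping that base64 tools insert for long input.
encode_secret() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a stored value, to check what the store would read.
decode_secret() {
    printf '%s' "$1" | base64 -d
}

# Export a secret under its derived name.
# Returns 2 if the derived name is not a valid shell variable name,
# 1 if the encoded value does not decode back to the original.
export_secret() {
    es_name=$(secret_env_name "$1")
    case $es_name in
        ''|[0-9]*|*[!A-Z0-9_]*) return 2 ;;
    esac
    es_encoded=$(encode_secret "$2")
    [ "$(decode_secret "$es_encoded")" = "$2" ] || return 1
    export "$es_name=$es_encoded"
}

# Constructed sample secret ID and value.
export_secret "my.secret.id" "constructed-sample-passphrase"
```

Run this in the environment that starts PingGateway so that the exported variable is visible to the process.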

## Log level

To facilitate debugging secrets for the SystemAndEnvSecretStore, in `logback.xml` add a logger defined by the fully qualified package name of the property resolver. The following line in `logback.xml` sets the log level to `ALL`:

```xml
<logger name="org.forgerock.secrets.propertyresolver" level="ALL" />
```

## Example

For an example of how to use a SystemAndEnvSecretStore to manage a password, refer to [Using the default PingAM journey](../gateway-guide/proc-sso.html).

## More information

[Secrets](secrets.html)

[org.forgerock.openig.secrets.SystemAndEnvSecretStoreHeaplet](../_attachments/apidocs/org/forgerock/openig/secrets/SystemAndEnvSecretStoreHeaplet.html)
