---
title: Stores, certificates, and keys
description: Encryption makes it possible to protect sensitive data. IDM depends on encryption to negotiate secure network connections and to keep sensitive data confidential. Encryption in turn depends on keys which must be stored and secured. IDM stores keys in secret stores, and supports the following secret store types:
component: pingidm
version: 8.1
page_id: pingidm:security-guide:stores-certs-keys
canonical_url: https://docs.pingidentity.com/pingidm/8.1/security-guide/stores-certs-keys.html
keywords: ["Security", "Certificates", "Keys", "Keystores", "Encryption", "Secret stores"]
page_aliases: ["chap-pki.adoc"]
---

# Stores, certificates, and keys

Encryption makes it possible to protect sensitive data. IDM depends on encryption to negotiate secure network connections and to keep sensitive data confidential. Encryption, in turn, depends on keys, which must be stored and secured. IDM stores keys in *secret stores*, and supports the following secret store types:

* *File* secret stores, which have one file that stores many secrets

* *Filesystem* secret stores, which have many files that each store one secret

* *Property* secret stores, which store secrets in properties

* Hardware Security Modules (*HSM*) secret stores, which involve security devices (for example, a YubiKey)

Filesystem and property secret stores may be in the following formats:

* PEM

* PLAIN

* BASE64

* BASE64URL

> In production environments, avoid using self-signed certificates and certificates associated with insecure ciphers.
