diff --git a/pkg/plugins/backendplugin/grpcplugin/client.go b/pkg/plugins/backendplugin/grpcplugin/client.go
index 706c7e2504c..f8372c3fb0d 100644
--- a/pkg/plugins/backendplugin/grpcplugin/client.go
+++ b/pkg/plugins/backendplugin/grpcplugin/client.go
@@ -7,6 +7,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 	goplugin "github.com/hashicorp/go-plugin"
 )
 
@@ -41,23 +42,28 @@ func newClientConfig(executablePath string, env []string, logger log.Logger,
 // StartRendererFunc callback function called when a renderer plugin is started.
 type StartRendererFunc func(pluginID string, renderer pluginextensionv2.RendererPlugin, logger log.Logger) error
 
+// StartSecretsManagerFunc callback function called when a secrets manager plugin is started.
+type StartSecretsManagerFunc func(pluginID string, secretsmanager secretsmanagerplugin.SecretsManagerPlugin, logger log.Logger) error
+
 // PluginDescriptor is a descriptor used for registering backend plugins.
 type PluginDescriptor struct {
-	pluginID         string
-	executablePath   string
-	managed          bool
-	versionedPlugins map[int]goplugin.PluginSet
-	startRendererFn  StartRendererFunc
+	pluginID              string
+	executablePath        string
+	managed               bool
+	versionedPlugins      map[int]goplugin.PluginSet
+	startRendererFn       StartRendererFunc
+	startSecretsManagerFn StartSecretsManagerFunc
 }
 
 // getV2PluginSet returns list of plugins supported on v2.
 func getV2PluginSet() goplugin.PluginSet {
 	return goplugin.PluginSet{
-		"diagnostics": &grpcplugin.DiagnosticsGRPCPlugin{},
-		"resource":    &grpcplugin.ResourceGRPCPlugin{},
-		"data":        &grpcplugin.DataGRPCPlugin{},
-		"stream":      &grpcplugin.StreamGRPCPlugin{},
-		"renderer":    &pluginextensionv2.RendererGRPCPlugin{},
+		"diagnostics":    &grpcplugin.DiagnosticsGRPCPlugin{},
+		"resource":       &grpcplugin.ResourceGRPCPlugin{},
+		"data":           &grpcplugin.DataGRPCPlugin{},
+		"stream":         &grpcplugin.StreamGRPCPlugin{},
+		"renderer":       &pluginextensionv2.RendererGRPCPlugin{},
+		"secretsmanager": &secretsmanagerplugin.SecretsManagerGRPCPlugin{},
 	}
 }
 
@@ -85,3 +91,16 @@ func NewRendererPlugin(pluginID, executablePath string, startFn StartRendererFun
 		startRendererFn: startFn,
 	})
 }
+
+// NewSecetsManagerPlugin creates a new secrets manager plugin factory used for registering a backend secrets manager plugin.
+func NewSecretsManagerPlugin(pluginID, executablePath string, startFn StartSecretsManagerFunc) backendplugin.PluginFactoryFunc {
+	return newPlugin(PluginDescriptor{
+		pluginID:       pluginID,
+		executablePath: executablePath,
+		managed:        false,
+		versionedPlugins: map[int]goplugin.PluginSet{
+			grpcplugin.ProtocolVersion: getV2PluginSet(),
+		},
+		startSecretsManagerFn: startFn,
+	})
+}
diff --git a/pkg/plugins/backendplugin/grpcplugin/client_v2.go b/pkg/plugins/backendplugin/grpcplugin/client_v2.go
index 7f3f0f9b1a3..945f72c3f8c 100644
--- a/pkg/plugins/backendplugin/grpcplugin/client_v2.go
+++ b/pkg/plugins/backendplugin/grpcplugin/client_v2.go
@@ -12,6 +12,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 	"github.com/hashicorp/go-plugin"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -23,6 +24,7 @@ type ClientV2 struct {
 	grpcplugin.DataClient
 	grpcplugin.StreamClient
 	pluginextensionv2.RendererPlugin
+	secretsmanagerplugin.SecretsManagerPlugin
 }
 
 func newClientV2(descriptor PluginDescriptor, logger log.Logger, rpcClient plugin.ClientProtocol) (pluginClient, error) {
@@ -51,6 +53,11 @@ func newClientV2(descriptor PluginDescriptor, logger log.Logger, rpcClient plugi
 		return nil, err
 	}
 
+	rawSecretsManager, err := rpcClient.Dispense("secretsmanager")
+	if err != nil {
+		return nil, err
+	}
+
 	c := ClientV2{}
 	if rawDiagnostics != nil {
 		if diagnosticsClient, ok := rawDiagnostics.(grpcplugin.DiagnosticsClient); ok {
@@ -82,12 +89,24 @@ func newClientV2(descriptor PluginDescriptor, logger log.Logger, rpcClient plugi
 		}
 	}
 
+	if rawSecretsManager != nil {
+		if secretsManagerPlugin, ok := rawSecretsManager.(secretsmanagerplugin.SecretsManagerPlugin); ok {
+			c.SecretsManagerPlugin = secretsManagerPlugin
+		}
+	}
+
 	if descriptor.startRendererFn != nil {
 		if err := descriptor.startRendererFn(descriptor.pluginID, c.RendererPlugin, logger); err != nil {
 			return nil, err
 		}
 	}
 
+	if descriptor.startSecretsManagerFn != nil {
+		if err := descriptor.startSecretsManagerFn(descriptor.pluginID, c.SecretsManagerPlugin, logger); err != nil {
+			return nil, err
+		}
+	}
+
 	return &c, nil
 }
 
diff --git a/pkg/plugins/backendplugin/provider/provider.go b/pkg/plugins/backendplugin/provider/provider.go
index 406f1f70639..218d89df5e1 100644
--- a/pkg/plugins/backendplugin/provider/provider.go
+++ b/pkg/plugins/backendplugin/provider/provider.go
@@ -13,6 +13,7 @@ import (
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/coreplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/grpcplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 )
 
 // PluginBackendProvider is a function type for initializing a Plugin backend.
@@ -24,7 +25,7 @@ type Service struct {
 
 func New(providers ...PluginBackendProvider) *Service {
 	if len(providers) == 0 {
-		return New(RendererProvider, DefaultProvider)
+		return New(RendererProvider, SecretsManagerProvider, DefaultProvider)
 	}
 	return &Service{
 		providerChain: providers,
@@ -32,7 +33,7 @@ func New(providers ...PluginBackendProvider) *Service {
 }
 
 func ProvideService(coreRegistry *coreplugin.Registry) *Service {
-	return New(coreRegistry.BackendFactoryProvider(), RendererProvider, DefaultProvider)
+	return New(coreRegistry.BackendFactoryProvider(), RendererProvider, SecretsManagerProvider, DefaultProvider)
 }
 
 func (s *Service) BackendFactory(ctx context.Context, p *plugins.Plugin) backendplugin.PluginFactoryFunc {
@@ -56,6 +57,18 @@ var RendererProvider PluginBackendProvider = func(_ context.Context, p *plugins.
 	)
 }
 
+var SecretsManagerProvider PluginBackendProvider = func(_ context.Context, p *plugins.Plugin) backendplugin.PluginFactoryFunc {
+	if !p.IsSecretsManager() {
+		return nil
+	}
+	return grpcplugin.NewSecretsManagerPlugin(p.ID, filepath.Join(p.PluginDir, secretsManagerStartCmd()),
+		func(pluginID string, secretsmanager secretsmanagerplugin.SecretsManagerPlugin, logger log.Logger) error {
+			p.SecretsManager = secretsmanager
+			return nil
+		},
+	)
+}
+
 var DefaultProvider PluginBackendProvider = func(_ context.Context, p *plugins.Plugin) backendplugin.PluginFactoryFunc {
 	// TODO check for executable
 	return grpcplugin.NewBackendPlugin(p.ID, filepath.Join(p.PluginDir, pluginStartCmd(p.Executable)))
@@ -84,3 +97,15 @@ func rendererStartCmd() string {
 
 	return fmt.Sprintf("%s_%s_%s%s", "plugin_start", os, strings.ToLower(arch), extension)
 }
+
+func secretsManagerStartCmd() string {
+	os := strings.ToLower(runtime.GOOS)
+	arch := runtime.GOARCH
+	extension := ""
+
+	if os == "windows" {
+		extension = ".exe"
+	}
+
+	return fmt.Sprintf("%s_%s_%s%s", "secrets_plugin_start", os, strings.ToLower(arch), extension)
+}
diff --git a/pkg/plugins/backendplugin/secretsmanagerplugin/generate.sh b/pkg/plugins/backendplugin/secretsmanagerplugin/generate.sh
new file mode 100755
index 00000000000..2da8cabab71
--- /dev/null
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/generate.sh
@@ -0,0 +1,3 @@
+protoc --go_out=. --go_opt=paths=source_relative \
+    --go-grpc_out=. --go-grpc_opt=paths=source_relative \
+    secretsmanager.proto   
\ No newline at end of file
diff --git a/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.pb.go b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.pb.go
new file mode 100644
index 00000000000..f410ac2a916
--- /dev/null
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.pb.go
@@ -0,0 +1,786 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.0
+// 	protoc        v3.19.4
+// source: secretsmanager.proto
+
+package secretsmanagerplugin
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type SecretsGetRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	KeyDescriptor *Key `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
+}
+
+func (x *SecretsGetRequest) Reset() {
+	*x = SecretsGetRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecretsGetRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecretsGetRequest) ProtoMessage() {}
+
+func (x *SecretsGetRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecretsGetRequest.ProtoReflect.Descriptor instead.
+func (*SecretsGetRequest) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *SecretsGetRequest) GetKeyDescriptor() *Key {
+	if x != nil {
+		return x.KeyDescriptor
+	}
+	return nil
+}
+
+type SecretsSetRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	KeyDescriptor *Key   `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
+	Value         string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+}
+
+func (x *SecretsSetRequest) Reset() {
+	*x = SecretsSetRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecretsSetRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecretsSetRequest) ProtoMessage() {}
+
+func (x *SecretsSetRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecretsSetRequest.ProtoReflect.Descriptor instead.
+func (*SecretsSetRequest) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *SecretsSetRequest) GetKeyDescriptor() *Key {
+	if x != nil {
+		return x.KeyDescriptor
+	}
+	return nil
+}
+
+func (x *SecretsSetRequest) GetValue() string {
+	if x != nil {
+		return x.Value
+	}
+	return ""
+}
+
+type SecretsDelRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	KeyDescriptor *Key `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
+}
+
+func (x *SecretsDelRequest) Reset() {
+	*x = SecretsDelRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecretsDelRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecretsDelRequest) ProtoMessage() {}
+
+func (x *SecretsDelRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecretsDelRequest.ProtoReflect.Descriptor instead.
+func (*SecretsDelRequest) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *SecretsDelRequest) GetKeyDescriptor() *Key {
+	if x != nil {
+		return x.KeyDescriptor
+	}
+	return nil
+}
+
+type SecretsKeysRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	KeyDescriptor    *Key `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
+	AllOrganizations bool `protobuf:"varint,2,opt,name=allOrganizations,proto3" json:"allOrganizations,omitempty"`
+}
+
+func (x *SecretsKeysRequest) Reset() {
+	*x = SecretsKeysRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecretsKeysRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecretsKeysRequest) ProtoMessage() {}
+
+func (x *SecretsKeysRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecretsKeysRequest.ProtoReflect.Descriptor instead.
+func (*SecretsKeysRequest) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *SecretsKeysRequest) GetKeyDescriptor() *Key {
+	if x != nil {
+		return x.KeyDescriptor
+	}
+	return nil
+}
+
+func (x *SecretsKeysRequest) GetAllOrganizations() bool {
+	if x != nil {
+		return x.AllOrganizations
+	}
+	return false
+}
+
+type SecretsRenameRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	KeyDescriptor *Key   `protobuf:"bytes,1,opt,name=keyDescriptor,proto3" json:"keyDescriptor,omitempty"`
+	NewNamespace  string `protobuf:"bytes,4,opt,name=newNamespace,proto3" json:"newNamespace,omitempty"`
+}
+
+func (x *SecretsRenameRequest) Reset() {
+	*x = SecretsRenameRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecretsRenameRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecretsRenameRequest) ProtoMessage() {}
+
+func (x *SecretsRenameRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecretsRenameRequest.ProtoReflect.Descriptor instead.
+func (*SecretsRenameRequest) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *SecretsRenameRequest) GetKeyDescriptor() *Key {
+	if x != nil {
+		return x.KeyDescriptor
+	}
+	return nil
+}
+
+func (x *SecretsRenameRequest) GetNewNamespace() string {
+	if x != nil {
+		return x.NewNamespace
+	}
+	return ""
+}
+
+type Key struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	OrgId     int64  `protobuf:"varint,1,opt,name=orgId,proto3" json:"orgId,omitempty"`
+	Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+	Type      string `protobuf:"bytes,3,opt,name=type,proto3" json:"type,omitempty"`
+}
+
+func (x *Key) Reset() {
+	*x = Key{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Key) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Key) ProtoMessage() {}
+
+func (x *Key) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Key.ProtoReflect.Descriptor instead.
+func (*Key) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *Key) GetOrgId() int64 {
+	if x != nil {
+		return x.OrgId
+	}
+	return 0
+}
+
+func (x *Key) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
+	}
+	return ""
+}
+
+func (x *Key) GetType() string {
+	if x != nil {
+		return x.Type
+	}
+	return ""
+}
+
+type SecretsErrorResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+}
+
+func (x *SecretsErrorResponse) Reset() {
+	*x = SecretsErrorResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecretsErrorResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecretsErrorResponse) ProtoMessage() {}
+
+func (x *SecretsErrorResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecretsErrorResponse.ProtoReflect.Descriptor instead.
+func (*SecretsErrorResponse) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *SecretsErrorResponse) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+type SecretsGetResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Error          string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+	DecryptedValue string `protobuf:"bytes,2,opt,name=decryptedValue,proto3" json:"decryptedValue,omitempty"`
+	Exists         bool   `protobuf:"varint,3,opt,name=exists,proto3" json:"exists,omitempty"`
+}
+
+func (x *SecretsGetResponse) Reset() {
+	*x = SecretsGetResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecretsGetResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecretsGetResponse) ProtoMessage() {}
+
+func (x *SecretsGetResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecretsGetResponse.ProtoReflect.Descriptor instead.
+func (*SecretsGetResponse) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *SecretsGetResponse) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+func (x *SecretsGetResponse) GetDecryptedValue() string {
+	if x != nil {
+		return x.DecryptedValue
+	}
+	return ""
+}
+
+func (x *SecretsGetResponse) GetExists() bool {
+	if x != nil {
+		return x.Exists
+	}
+	return false
+}
+
+type SecretsKeysResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Error string `protobuf:"bytes,1,opt,name=error,proto3" json:"error,omitempty"`
+	Keys  []*Key `protobuf:"bytes,2,rep,name=keys,proto3" json:"keys,omitempty"`
+}
+
+func (x *SecretsKeysResponse) Reset() {
+	*x = SecretsKeysResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_secretsmanager_proto_msgTypes[8]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SecretsKeysResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SecretsKeysResponse) ProtoMessage() {}
+
+func (x *SecretsKeysResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_secretsmanager_proto_msgTypes[8]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SecretsKeysResponse.ProtoReflect.Descriptor instead.
+func (*SecretsKeysResponse) Descriptor() ([]byte, []int) {
+	return file_secretsmanager_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *SecretsKeysResponse) GetError() string {
+	if x != nil {
+		return x.Error
+	}
+	return ""
+}
+
+func (x *SecretsKeysResponse) GetKeys() []*Key {
+	if x != nil {
+		return x.Keys
+	}
+	return nil
+}
+
+var File_secretsmanager_proto protoreflect.FileDescriptor
+
+var file_secretsmanager_proto_rawDesc = []byte{
+	0x0a, 0x14, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x14, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x22, 0x54, 0x0a, 0x11,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x47, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x3f, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
+	0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e,
+	0x4b, 0x65, 0x79, 0x52, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
+	0x6f, 0x72, 0x22, 0x6a, 0x0a, 0x11, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x53, 0x65, 0x74,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3f, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65,
+	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19,
+	0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70,
+	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65,
+	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x54,
+	0x0a, 0x11, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x44, 0x65, 0x6c, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x3f, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69,
+	0x70, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63,
+	0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69,
+	0x6e, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69,
+	0x70, 0x74, 0x6f, 0x72, 0x22, 0x81, 0x01, 0x0a, 0x12, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73,
+	0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x3f, 0x0a, 0x0d, 0x6b,
+	0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x4b, 0x65, 0x79, 0x52, 0x0d, 0x6b,
+	0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x12, 0x2a, 0x0a, 0x10,
+	0x61, 0x6c, 0x6c, 0x4f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x61, 0x6c, 0x6c, 0x4f, 0x72, 0x67, 0x61, 0x6e,
+	0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x7b, 0x0a, 0x14, 0x53, 0x65, 0x63, 0x72,
+	0x65, 0x74, 0x73, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x12, 0x3f, 0x0a, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f,
+	0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74,
+	0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x4b,
+	0x65, 0x79, 0x52, 0x0d, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f,
+	0x72, 0x12, 0x22, 0x0a, 0x0c, 0x6e, 0x65, 0x77, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
+	0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x6e, 0x65, 0x77, 0x4e, 0x61, 0x6d, 0x65,
+	0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x4d, 0x0a, 0x03, 0x4b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
+	0x6f, 0x72, 0x67, 0x49, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x6f, 0x72, 0x67,
+	0x49, 0x64, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65,
+	0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x74, 0x79, 0x70, 0x65, 0x22, 0x2c, 0x0a, 0x14, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45,
+	0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05,
+	0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72,
+	0x6f, 0x72, 0x22, 0x6a, 0x0a, 0x12, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x47, 0x65, 0x74,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f,
+	0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x26,
+	0x0a, 0x0e, 0x64, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x56, 0x61, 0x6c, 0x75, 0x65,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x64, 0x65, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
+	0x64, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x65, 0x78, 0x69, 0x73, 0x74, 0x73,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x65, 0x78, 0x69, 0x73, 0x74, 0x73, 0x22, 0x5a,
+	0x0a, 0x13, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x12, 0x2d, 0x0a, 0x04, 0x6b,
+	0x65, 0x79, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x73, 0x65, 0x63, 0x72,
+	0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
+	0x2e, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x32, 0xe7, 0x03, 0x0a, 0x14, 0x52,
+	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x4d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x72, 0x12, 0x58, 0x0a, 0x03, 0x47, 0x65, 0x74, 0x12, 0x27, 0x2e, 0x73, 0x65, 0x63,
+	0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69,
+	0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x47, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x1a, 0x28, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x73, 0x47, 0x65, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a,
+	0x03, 0x53, 0x65, 0x74, 0x12, 0x27, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61,
+	0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72,
+	0x65, 0x74, 0x73, 0x53, 0x65, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e,
+	0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c,
+	0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45, 0x72, 0x72, 0x6f,
+	0x72, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5a, 0x0a, 0x03, 0x44, 0x65, 0x6c,
+	0x12, 0x27, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x44,
+	0x65, 0x6c, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x73, 0x65, 0x63, 0x72,
+	0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
+	0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x5b, 0x0a, 0x04, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x28, 0x2e,
+	0x73, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c,
+	0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x4b, 0x65, 0x79, 0x73,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x29, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65, 0x74,
+	0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x53,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x12, 0x60, 0x0a, 0x06, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x2a, 0x2e, 0x73,
+	0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75,
+	0x67, 0x69, 0x6e, 0x2e, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x52, 0x65, 0x6e, 0x61, 0x6d,
+	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2a, 0x2e, 0x73, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e,
+	0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x42, 0x19, 0x5a, 0x17, 0x2e, 0x2f, 0x3b, 0x73, 0x65, 0x63, 0x72, 0x65,
+	0x74, 0x73, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x72, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_secretsmanager_proto_rawDescOnce sync.Once
+	file_secretsmanager_proto_rawDescData = file_secretsmanager_proto_rawDesc
+)
+
+func file_secretsmanager_proto_rawDescGZIP() []byte {
+	file_secretsmanager_proto_rawDescOnce.Do(func() {
+		file_secretsmanager_proto_rawDescData = protoimpl.X.CompressGZIP(file_secretsmanager_proto_rawDescData)
+	})
+	return file_secretsmanager_proto_rawDescData
+}
+
+var file_secretsmanager_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
+var file_secretsmanager_proto_goTypes = []interface{}{
+	(*SecretsGetRequest)(nil),    // 0: secretsmanagerplugin.SecretsGetRequest
+	(*SecretsSetRequest)(nil),    // 1: secretsmanagerplugin.SecretsSetRequest
+	(*SecretsDelRequest)(nil),    // 2: secretsmanagerplugin.SecretsDelRequest
+	(*SecretsKeysRequest)(nil),   // 3: secretsmanagerplugin.SecretsKeysRequest
+	(*SecretsRenameRequest)(nil), // 4: secretsmanagerplugin.SecretsRenameRequest
+	(*Key)(nil),                  // 5: secretsmanagerplugin.Key
+	(*SecretsErrorResponse)(nil), // 6: secretsmanagerplugin.SecretsErrorResponse
+	(*SecretsGetResponse)(nil),   // 7: secretsmanagerplugin.SecretsGetResponse
+	(*SecretsKeysResponse)(nil),  // 8: secretsmanagerplugin.SecretsKeysResponse
+}
+var file_secretsmanager_proto_depIdxs = []int32{
+	5,  // 0: secretsmanagerplugin.SecretsGetRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
+	5,  // 1: secretsmanagerplugin.SecretsSetRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
+	5,  // 2: secretsmanagerplugin.SecretsDelRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
+	5,  // 3: secretsmanagerplugin.SecretsKeysRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
+	5,  // 4: secretsmanagerplugin.SecretsRenameRequest.keyDescriptor:type_name -> secretsmanagerplugin.Key
+	5,  // 5: secretsmanagerplugin.SecretsKeysResponse.keys:type_name -> secretsmanagerplugin.Key
+	0,  // 6: secretsmanagerplugin.RemoteSecretsManager.Get:input_type -> secretsmanagerplugin.SecretsGetRequest
+	1,  // 7: secretsmanagerplugin.RemoteSecretsManager.Set:input_type -> secretsmanagerplugin.SecretsSetRequest
+	2,  // 8: secretsmanagerplugin.RemoteSecretsManager.Del:input_type -> secretsmanagerplugin.SecretsDelRequest
+	3,  // 9: secretsmanagerplugin.RemoteSecretsManager.Keys:input_type -> secretsmanagerplugin.SecretsKeysRequest
+	4,  // 10: secretsmanagerplugin.RemoteSecretsManager.Rename:input_type -> secretsmanagerplugin.SecretsRenameRequest
+	7,  // 11: secretsmanagerplugin.RemoteSecretsManager.Get:output_type -> secretsmanagerplugin.SecretsGetResponse
+	6,  // 12: secretsmanagerplugin.RemoteSecretsManager.Set:output_type -> secretsmanagerplugin.SecretsErrorResponse
+	6,  // 13: secretsmanagerplugin.RemoteSecretsManager.Del:output_type -> secretsmanagerplugin.SecretsErrorResponse
+	8,  // 14: secretsmanagerplugin.RemoteSecretsManager.Keys:output_type -> secretsmanagerplugin.SecretsKeysResponse
+	6,  // 15: secretsmanagerplugin.RemoteSecretsManager.Rename:output_type -> secretsmanagerplugin.SecretsErrorResponse
+	11, // [11:16] is the sub-list for method output_type
+	6,  // [6:11] is the sub-list for method input_type
+	6,  // [6:6] is the sub-list for extension type_name
+	6,  // [6:6] is the sub-list for extension extendee
+	0,  // [0:6] is the sub-list for field type_name
+}
+
+func init() { file_secretsmanager_proto_init() }
+func file_secretsmanager_proto_init() {
+	if File_secretsmanager_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_secretsmanager_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecretsGetRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_secretsmanager_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecretsSetRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_secretsmanager_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecretsDelRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_secretsmanager_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecretsKeysRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_secretsmanager_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecretsRenameRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_secretsmanager_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Key); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_secretsmanager_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecretsErrorResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_secretsmanager_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecretsGetResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_secretsmanager_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*SecretsKeysResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_secretsmanager_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   9,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_secretsmanager_proto_goTypes,
+		DependencyIndexes: file_secretsmanager_proto_depIdxs,
+		MessageInfos:      file_secretsmanager_proto_msgTypes,
+	}.Build()
+	File_secretsmanager_proto = out.File
+	file_secretsmanager_proto_rawDesc = nil
+	file_secretsmanager_proto_goTypes = nil
+	file_secretsmanager_proto_depIdxs = nil
+}
diff --git a/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.proto b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.proto
new file mode 100644
index 00000000000..0ab75cdf9d7
--- /dev/null
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager.proto
@@ -0,0 +1,56 @@
+syntax = "proto3";
+package secretsmanagerplugin;
+
+option go_package = "./;secretsmanagerplugin";
+
+message SecretsGetRequest {
+    Key keyDescriptor = 1;
+}
+
+message SecretsSetRequest {
+    Key keyDescriptor = 1;
+    string value = 2;
+}
+
+message SecretsDelRequest {
+    Key keyDescriptor = 1;
+}
+
+message SecretsKeysRequest {
+    Key keyDescriptor = 1;
+    bool allOrganizations = 2;
+}
+
+message SecretsRenameRequest {
+    Key keyDescriptor = 1;
+    string newNamespace = 2;
+}
+
+message Key {
+    int64 orgId = 1;
+    string namespace = 2;
+    string type = 3;
+}
+
+message SecretsErrorResponse {
+    string error = 1;
+}
+
+message SecretsGetResponse {
+    string error = 1;
+    string decryptedValue = 2;
+    bool exists = 3;  
+}
+
+message SecretsKeysResponse {
+    string error = 1;
+    repeated Key keys = 2;
+}
+
+service RemoteSecretsManager {
+    rpc Get(SecretsGetRequest) returns (SecretsGetResponse);
+    rpc Set(SecretsSetRequest) returns (SecretsErrorResponse);
+    rpc Del(SecretsDelRequest) returns (SecretsErrorResponse);
+    rpc Keys(SecretsKeysRequest) returns (SecretsKeysResponse);
+    rpc Rename(SecretsRenameRequest) returns (SecretsErrorResponse);
+}
\ No newline at end of file
diff --git a/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grcp_plugin.go b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grcp_plugin.go
new file mode 100644
index 00000000000..6be57d4bc42
--- /dev/null
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grcp_plugin.go
@@ -0,0 +1,56 @@
+package secretsmanagerplugin
+
+import (
+	"context"
+
+	"github.com/hashicorp/go-plugin"
+	"google.golang.org/grpc"
+)
+
+type SecretsManagerPlugin interface {
+	RemoteSecretsManagerClient
+}
+
+type SecretsManagerGRPCPlugin struct {
+	plugin.NetRPCUnsupportedPlugin
+}
+
+func (p *SecretsManagerGRPCPlugin) GRPCServer(broker *plugin.GRPCBroker, s *grpc.Server) error {
+	return nil
+}
+
+func (p *SecretsManagerGRPCPlugin) GRPCClient(ctx context.Context, broker *plugin.GRPCBroker, c *grpc.ClientConn) (interface{}, error) {
+	return &SecretsManagerGRPCClient{NewRemoteSecretsManagerClient(c)}, nil
+}
+
+type SecretsManagerGRPCClient struct {
+	RemoteSecretsManagerClient
+}
+
+// Get an item from the store
+func (sm *SecretsManagerGRPCClient) Get(ctx context.Context, req *SecretsGetRequest, opts ...grpc.CallOption) (*SecretsGetResponse, error) {
+	return sm.RemoteSecretsManagerClient.Get(ctx, req)
+}
+
+// Set an item in the store
+func (sm *SecretsManagerGRPCClient) Set(ctx context.Context, req *SecretsSetRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
+	return sm.RemoteSecretsManagerClient.Set(ctx, req)
+}
+
+// Del deletes an item from the store.
+func (sm *SecretsManagerGRPCClient) Del(ctx context.Context, req *SecretsDelRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
+	return sm.RemoteSecretsManagerClient.Del(ctx, req)
+}
+
+// Keys get all keys for a given namespace.
+func (sm *SecretsManagerGRPCClient) Keys(ctx context.Context, req *SecretsKeysRequest, opts ...grpc.CallOption) (*SecretsKeysResponse, error) {
+	return sm.RemoteSecretsManagerClient.Keys(ctx, req)
+}
+
+// Rename an item in the store
+func (sm *SecretsManagerGRPCClient) Rename(ctx context.Context, req *SecretsRenameRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
+	return sm.RemoteSecretsManagerClient.Rename(ctx, req)
+}
+
+var _ RemoteSecretsManagerClient = &SecretsManagerGRPCClient{}
+var _ plugin.GRPCPlugin = &SecretsManagerGRPCPlugin{}
diff --git a/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grpc.pb.go b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grpc.pb.go
new file mode 100644
index 00000000000..9d0459c8971
--- /dev/null
+++ b/pkg/plugins/backendplugin/secretsmanagerplugin/secretsmanager_grpc.pb.go
@@ -0,0 +1,249 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc             v3.19.4
+// source: secretsmanager.proto
+
+package secretsmanagerplugin
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// RemoteSecretsManagerClient is the client API for RemoteSecretsManager service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type RemoteSecretsManagerClient interface {
+	Get(ctx context.Context, in *SecretsGetRequest, opts ...grpc.CallOption) (*SecretsGetResponse, error)
+	Set(ctx context.Context, in *SecretsSetRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error)
+	Del(ctx context.Context, in *SecretsDelRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error)
+	Keys(ctx context.Context, in *SecretsKeysRequest, opts ...grpc.CallOption) (*SecretsKeysResponse, error)
+	Rename(ctx context.Context, in *SecretsRenameRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error)
+}
+
+type remoteSecretsManagerClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewRemoteSecretsManagerClient(cc grpc.ClientConnInterface) RemoteSecretsManagerClient {
+	return &remoteSecretsManagerClient{cc}
+}
+
+func (c *remoteSecretsManagerClient) Get(ctx context.Context, in *SecretsGetRequest, opts ...grpc.CallOption) (*SecretsGetResponse, error) {
+	out := new(SecretsGetResponse)
+	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Get", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *remoteSecretsManagerClient) Set(ctx context.Context, in *SecretsSetRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
+	out := new(SecretsErrorResponse)
+	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Set", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *remoteSecretsManagerClient) Del(ctx context.Context, in *SecretsDelRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
+	out := new(SecretsErrorResponse)
+	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Del", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *remoteSecretsManagerClient) Keys(ctx context.Context, in *SecretsKeysRequest, opts ...grpc.CallOption) (*SecretsKeysResponse, error) {
+	out := new(SecretsKeysResponse)
+	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Keys", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *remoteSecretsManagerClient) Rename(ctx context.Context, in *SecretsRenameRequest, opts ...grpc.CallOption) (*SecretsErrorResponse, error) {
+	out := new(SecretsErrorResponse)
+	err := c.cc.Invoke(ctx, "/secretsmanagerplugin.RemoteSecretsManager/Rename", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// RemoteSecretsManagerServer is the server API for RemoteSecretsManager service.
+// All implementations must embed UnimplementedRemoteSecretsManagerServer
+// for forward compatibility
+type RemoteSecretsManagerServer interface {
+	Get(context.Context, *SecretsGetRequest) (*SecretsGetResponse, error)
+	Set(context.Context, *SecretsSetRequest) (*SecretsErrorResponse, error)
+	Del(context.Context, *SecretsDelRequest) (*SecretsErrorResponse, error)
+	Keys(context.Context, *SecretsKeysRequest) (*SecretsKeysResponse, error)
+	Rename(context.Context, *SecretsRenameRequest) (*SecretsErrorResponse, error)
+	mustEmbedUnimplementedRemoteSecretsManagerServer()
+}
+
+// UnimplementedRemoteSecretsManagerServer must be embedded to have forward compatible implementations.
+type UnimplementedRemoteSecretsManagerServer struct {
+}
+
+func (UnimplementedRemoteSecretsManagerServer) Get(context.Context, *SecretsGetRequest) (*SecretsGetResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Get not implemented")
+}
+func (UnimplementedRemoteSecretsManagerServer) Set(context.Context, *SecretsSetRequest) (*SecretsErrorResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Set not implemented")
+}
+func (UnimplementedRemoteSecretsManagerServer) Del(context.Context, *SecretsDelRequest) (*SecretsErrorResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Del not implemented")
+}
+func (UnimplementedRemoteSecretsManagerServer) Keys(context.Context, *SecretsKeysRequest) (*SecretsKeysResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Keys not implemented")
+}
+func (UnimplementedRemoteSecretsManagerServer) Rename(context.Context, *SecretsRenameRequest) (*SecretsErrorResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Rename not implemented")
+}
+func (UnimplementedRemoteSecretsManagerServer) mustEmbedUnimplementedRemoteSecretsManagerServer() {}
+
+// UnsafeRemoteSecretsManagerServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to RemoteSecretsManagerServer will
+// result in compilation errors.
+type UnsafeRemoteSecretsManagerServer interface {
+	mustEmbedUnimplementedRemoteSecretsManagerServer()
+}
+
+func RegisterRemoteSecretsManagerServer(s grpc.ServiceRegistrar, srv RemoteSecretsManagerServer) {
+	s.RegisterService(&RemoteSecretsManager_ServiceDesc, srv)
+}
+
+func _RemoteSecretsManager_Get_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SecretsGetRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RemoteSecretsManagerServer).Get(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Get",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RemoteSecretsManagerServer).Get(ctx, req.(*SecretsGetRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RemoteSecretsManager_Set_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SecretsSetRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RemoteSecretsManagerServer).Set(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Set",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RemoteSecretsManagerServer).Set(ctx, req.(*SecretsSetRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RemoteSecretsManager_Del_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SecretsDelRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RemoteSecretsManagerServer).Del(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Del",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RemoteSecretsManagerServer).Del(ctx, req.(*SecretsDelRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RemoteSecretsManager_Keys_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SecretsKeysRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RemoteSecretsManagerServer).Keys(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Keys",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RemoteSecretsManagerServer).Keys(ctx, req.(*SecretsKeysRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _RemoteSecretsManager_Rename_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SecretsRenameRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RemoteSecretsManagerServer).Rename(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/secretsmanagerplugin.RemoteSecretsManager/Rename",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RemoteSecretsManagerServer).Rename(ctx, req.(*SecretsRenameRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// RemoteSecretsManager_ServiceDesc is the grpc.ServiceDesc for RemoteSecretsManager service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var RemoteSecretsManager_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "secretsmanagerplugin.RemoteSecretsManager",
+	HandlerType: (*RemoteSecretsManagerServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Get",
+			Handler:    _RemoteSecretsManager_Get_Handler,
+		},
+		{
+			MethodName: "Set",
+			Handler:    _RemoteSecretsManager_Set_Handler,
+		},
+		{
+			MethodName: "Del",
+			Handler:    _RemoteSecretsManager_Del_Handler,
+		},
+		{
+			MethodName: "Keys",
+			Handler:    _RemoteSecretsManager_Keys_Handler,
+		},
+		{
+			MethodName: "Rename",
+			Handler:    _RemoteSecretsManager_Rename_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "secretsmanager.proto",
+}
diff --git a/pkg/plugins/ifaces.go b/pkg/plugins/ifaces.go
index 4971b0913be..062cf8e9e95 100644
--- a/pkg/plugins/ifaces.go
+++ b/pkg/plugins/ifaces.go
@@ -47,6 +47,11 @@ type RendererManager interface {
 	Renderer() *Plugin
 }
 
+type SecretsPluginManager interface {
+	// SecretsManager returns a secretsmanager plugin
+	SecretsManager() *Plugin
+}
+
 type StaticRouteResolver interface {
 	Routes() []*StaticRoute
 }
diff --git a/pkg/plugins/manager/loader/initializer/initializer_test.go b/pkg/plugins/manager/loader/initializer/initializer_test.go
index 75052de0753..34fe5c96d9e 100644
--- a/pkg/plugins/manager/loader/initializer/initializer_test.go
+++ b/pkg/plugins/manager/loader/initializer/initializer_test.go
@@ -79,6 +79,36 @@ func TestInitializer_Initialize(t *testing.T) {
 		assert.NotNil(t, c)
 	})
 
+	t.Run("secretsmanager", func(t *testing.T) {
+		p := &plugins.Plugin{
+			JSONData: plugins.JSONData{
+				ID:   "test",
+				Type: plugins.SecretsManager,
+				Dependencies: plugins.Dependencies{
+					GrafanaVersion: ">=8.x",
+				},
+				Backend: true,
+			},
+			PluginDir: absCurPath,
+			Class:     plugins.External,
+		}
+
+		i := &Initializer{
+			cfg: plugins.NewCfg(),
+			log: log.NewNopLogger(),
+			backendProvider: &fakeBackendProvider{
+				plugin: p,
+			},
+		}
+
+		err := i.Initialize(context.Background(), p)
+		assert.NoError(t, err)
+
+		c, exists := p.Client()
+		assert.True(t, exists)
+		assert.NotNil(t, c)
+	})
+
 	t.Run("non backend plugin app", func(t *testing.T) {
 		p := &plugins.Plugin{
 			JSONData: plugins.JSONData{
diff --git a/pkg/plugins/manager/manager.go b/pkg/plugins/manager/manager.go
index db3f665c74a..f8c631655a1 100644
--- a/pkg/plugins/manager/manager.go
+++ b/pkg/plugins/manager/manager.go
@@ -24,6 +24,7 @@ var _ plugins.Client = (*PluginManager)(nil)
 var _ plugins.Store = (*PluginManager)(nil)
 var _ plugins.StaticRouteResolver = (*PluginManager)(nil)
 var _ plugins.RendererManager = (*PluginManager)(nil)
+var _ plugins.SecretsPluginManager = (*PluginManager)(nil)
 
 type PluginManager struct {
 	cfg             *plugins.Cfg
@@ -117,6 +118,16 @@ func (m *PluginManager) Renderer() *plugins.Plugin {
 	return nil
 }
 
+func (m *PluginManager) SecretsManager() *plugins.Plugin {
+	for _, p := range m.availablePlugins(context.TODO()) {
+		if p.IsSecretsManager() {
+			return p
+		}
+	}
+
+	return nil
+}
+
 func (m *PluginManager) Routes() []*plugins.StaticRoute {
 	staticRoutes := make([]*plugins.StaticRoute, 0)
 
diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
index 04cd731ddf4..dd17aae8501 100644
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -10,6 +10,7 @@ import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin"
 	"github.com/grafana/grafana/pkg/plugins/backendplugin/pluginextensionv2"
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
 )
 
 type Plugin struct {
@@ -36,9 +37,10 @@ type Plugin struct {
 	Module  string
 	BaseURL string
 
-	Renderer pluginextensionv2.RendererPlugin
-	client   backendplugin.Plugin
-	log      log.Logger
+	Renderer       pluginextensionv2.RendererPlugin
+	SecretsManager secretsmanagerplugin.SecretsManagerPlugin
+	client         backendplugin.Plugin
+	log            log.Logger
 }
 
 type PluginDTO struct {
@@ -132,7 +134,7 @@ type JSONData struct {
 	Streaming    bool            `json:"streaming"`
 	SDK          bool            `json:"sdk,omitempty"`
 
-	// Backend (Datasource + Renderer)
+	// Backend (Datasource + Renderer + SecretsManager)
 	Executable string `json:"executable,omitempty"`
 }
 
@@ -347,6 +349,10 @@ func (p *Plugin) IsRenderer() bool {
 	return p.Type == "renderer"
 }
 
+func (p *Plugin) IsSecretsManager() bool {
+	return p.Type == "secretsmanager"
+}
+
 func (p *Plugin) IsDataSource() bool {
 	return p.Type == "datasource"
 }
@@ -384,20 +390,22 @@ var PluginTypes = []Type{
 	Panel,
 	App,
 	Renderer,
+	SecretsManager,
 }
 
 type Type string
 
 const (
-	DataSource Type = "datasource"
-	Panel      Type = "panel"
-	App        Type = "app"
-	Renderer   Type = "renderer"
+	DataSource     Type = "datasource"
+	Panel          Type = "panel"
+	App            Type = "app"
+	Renderer       Type = "renderer"
+	SecretsManager Type = "secretsmanager"
 )
 
 func (pt Type) IsValid() bool {
 	switch pt {
-	case DataSource, Panel, App, Renderer:
+	case DataSource, Panel, App, Renderer, SecretsManager:
 		return true
 	}
 	return false
diff --git a/pkg/server/wire.go b/pkg/server/wire.go
index cd863c600fd..39c9ed81824 100644
--- a/pkg/server/wire.go
+++ b/pkg/server/wire.go
@@ -149,6 +149,7 @@ var wireBasicSet = wire.NewSet(
 	wire.Bind(new(plugins.DashboardFileStore), new(*manager.PluginManager)),
 	wire.Bind(new(plugins.StaticRouteResolver), new(*manager.PluginManager)),
 	wire.Bind(new(plugins.RendererManager), new(*manager.PluginManager)),
+	wire.Bind(new(plugins.SecretsPluginManager), new(*manager.PluginManager)),
 	coreplugin.ProvideCoreRegistry,
 	loader.ProvideService,
 	wire.Bind(new(loader.Service), new(*loader.Loader)),
diff --git a/pkg/server/wireexts_oss.go b/pkg/server/wireexts_oss.go
index 14b31878738..3551ae5b563 100644
--- a/pkg/server/wireexts_oss.go
+++ b/pkg/server/wireexts_oss.go
@@ -31,6 +31,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/provisioning"
 	"github.com/grafana/grafana/pkg/services/searchusers"
 	"github.com/grafana/grafana/pkg/services/searchusers/filters"
+	secretsStore "github.com/grafana/grafana/pkg/services/secrets/kvstore"
 	"github.com/grafana/grafana/pkg/services/sqlstore/migrations"
 	"github.com/grafana/grafana/pkg/services/thumbs"
 	"github.com/grafana/grafana/pkg/services/validations"
@@ -85,6 +86,8 @@ var wireExtsBasicSet = wire.NewSet(
 	wire.Bind(new(registry.UsageStatsProvidersRegistry), new(*usagestatssvcs.UsageStatsProvidersRegistry)),
 	ossaccesscontrol.ProvideDatasourcePermissionsService,
 	wire.Bind(new(accesscontrol.DatasourcePermissionsService), new(*ossaccesscontrol.DatasourcePermissionsService)),
+	secretsStore.ProvideRemotePluginCheck,
+	wire.Bind(new(secretsStore.UseRemoteSecretsPluginCheck), new(*secretsStore.OSSRemoteSecretsPluginCheck)),
 )
 
 var wireExtsSet = wire.NewSet(
diff --git a/pkg/services/secrets/kvstore/kvstore.go b/pkg/services/secrets/kvstore/kvstore.go
index b438aec3c41..d314ea4d909 100644
--- a/pkg/services/secrets/kvstore/kvstore.go
+++ b/pkg/services/secrets/kvstore/kvstore.go
@@ -13,11 +13,26 @@ const (
 	AllOrganizations = -1
 )
 
-func ProvideService(sqlStore sqlstore.Store, secretsService secrets.Service) SecretsKVStore {
+func ProvideService(sqlStore sqlstore.Store, secretsService secrets.Service, remoteCheck UseRemoteSecretsPluginCheck) SecretsKVStore {
+	logger := log.New("secrets.kvstore")
+	if remoteCheck.ShouldUseRemoteSecretsPlugin() {
+		logger.Debug("secrets kvstore is using a remote plugin for secrets management")
+		secretsPlugin, err := remoteCheck.GetPlugin()
+		if err != nil {
+			logger.Error("plugin client was nil, falling back to SQL implementation")
+		} else {
+			return &secretsKVStorePlugin{
+				secretsPlugin:  secretsPlugin,
+				secretsService: secretsService,
+				log:            logger,
+			}
+		}
+	}
+	logger.Debug("secrets kvstore is using the default (SQL) implementation for secrets management")
 	return &secretsKVStoreSQL{
 		sqlStore:       sqlStore,
 		secretsService: secretsService,
-		log:            log.New("secrets.kvstore"),
+		log:            logger,
 		decryptionCache: decryptionCache{
 			cache: make(map[int64]cachedDecrypted),
 		},
diff --git a/pkg/services/secrets/kvstore/remote_plugin.go b/pkg/services/secrets/kvstore/remote_plugin.go
new file mode 100644
index 00000000000..97222e646e9
--- /dev/null
+++ b/pkg/services/secrets/kvstore/remote_plugin.go
@@ -0,0 +1,125 @@
+package kvstore
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/grafana/grafana/pkg/infra/log"
+	smp "github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
+	"github.com/grafana/grafana/pkg/services/secrets"
+)
+
+// secretsKVStorePlugin provides a key/value store backed by the Grafana plugin gRPC interface
+type secretsKVStorePlugin struct {
+	log            log.Logger
+	secretsPlugin  smp.SecretsManagerPlugin
+	secretsService secrets.Service
+}
+
+// Get an item from the store
+func (kv *secretsKVStorePlugin) Get(ctx context.Context, orgId int64, namespace string, typ string) (string, bool, error) {
+	req := &smp.SecretsGetRequest{
+		KeyDescriptor: &smp.Key{
+			OrgId:     orgId,
+			Namespace: namespace,
+			Type:      typ,
+		},
+	}
+	res, err := kv.secretsPlugin.Get(ctx, req)
+	if err != nil {
+		return "", false, err
+	} else if res.Error != "" {
+		err = fmt.Errorf(res.Error)
+	}
+
+	return res.DecryptedValue, res.Exists, err
+}
+
+// Set an item in the store
+func (kv *secretsKVStorePlugin) Set(ctx context.Context, orgId int64, namespace string, typ string, value string) error {
+	req := &smp.SecretsSetRequest{
+		KeyDescriptor: &smp.Key{
+			OrgId:     orgId,
+			Namespace: namespace,
+			Type:      typ,
+		},
+		Value: value,
+	}
+
+	res, err := kv.secretsPlugin.Set(ctx, req)
+	if err == nil && res.Error != "" {
+		err = fmt.Errorf(res.Error)
+	}
+
+	return err
+}
+
+// Del deletes an item from the store.
+func (kv *secretsKVStorePlugin) Del(ctx context.Context, orgId int64, namespace string, typ string) error {
+	req := &smp.SecretsDelRequest{
+		KeyDescriptor: &smp.Key{
+			OrgId:     orgId,
+			Namespace: namespace,
+			Type:      typ,
+		},
+	}
+
+	res, err := kv.secretsPlugin.Del(ctx, req)
+	if err == nil && res.Error != "" {
+		err = fmt.Errorf(res.Error)
+	}
+
+	return err
+}
+
+// Keys get all keys for a given namespace. To query for all
+// organizations the constant 'kvstore.AllOrganizations' can be passed as orgId.
+func (kv *secretsKVStorePlugin) Keys(ctx context.Context, orgId int64, namespace string, typ string) ([]Key, error) {
+	req := &smp.SecretsKeysRequest{
+		KeyDescriptor: &smp.Key{
+			OrgId:     orgId,
+			Namespace: namespace,
+			Type:      typ,
+		},
+		AllOrganizations: orgId == AllOrganizations,
+	}
+
+	res, err := kv.secretsPlugin.Keys(ctx, req)
+	if err != nil {
+		return nil, err
+	} else if res.Error != "" {
+		err = fmt.Errorf(res.Error)
+	}
+
+	return parseKeys(res.Keys), err
+}
+
+// Rename an item in the store
+func (kv *secretsKVStorePlugin) Rename(ctx context.Context, orgId int64, namespace string, typ string, newNamespace string) error {
+	req := &smp.SecretsRenameRequest{
+		KeyDescriptor: &smp.Key{
+			OrgId:     orgId,
+			Namespace: namespace,
+			Type:      typ,
+		},
+		NewNamespace: newNamespace,
+	}
+
+	res, err := kv.secretsPlugin.Rename(ctx, req)
+	if err == nil && res.Error != "" {
+		err = fmt.Errorf(res.Error)
+	}
+
+	return err
+}
+
+func parseKeys(keys []*smp.Key) []Key {
+	var newKeys []Key
+
+	for _, k := range keys {
+		newKey := Key{OrgId: k.OrgId, Namespace: k.Namespace, Type: k.Type}
+		newKeys = append(newKeys, newKey)
+	}
+
+	return newKeys
+}
diff --git a/pkg/services/secrets/kvstore/remote_plugin_check.go b/pkg/services/secrets/kvstore/remote_plugin_check.go
new file mode 100644
index 00000000000..657f705d0b0
--- /dev/null
+++ b/pkg/services/secrets/kvstore/remote_plugin_check.go
@@ -0,0 +1,26 @@
+package kvstore
+
+import (
+	"github.com/grafana/grafana/pkg/plugins/backendplugin/secretsmanagerplugin"
+)
+
+type UseRemoteSecretsPluginCheck interface {
+	ShouldUseRemoteSecretsPlugin() bool
+	GetPlugin() (secretsmanagerplugin.SecretsManagerPlugin, error)
+}
+
+type OSSRemoteSecretsPluginCheck struct {
+	UseRemoteSecretsPluginCheck
+}
+
+func ProvideRemotePluginCheck() *OSSRemoteSecretsPluginCheck {
+	return &OSSRemoteSecretsPluginCheck{}
+}
+
+func (c *OSSRemoteSecretsPluginCheck) ShouldUseRemoteSecretsPlugin() bool {
+	return false
+}
+
+func (c *OSSRemoteSecretsPluginCheck) GetPlugin() (secretsmanagerplugin.SecretsManagerPlugin, error) {
+	return nil, nil
+}