Secrets Management

Secrets management is the secure storage, access control, and rotation of sensitive credentials like API keys, passwords, certificates, and tokens.

Secrets management ensures credentials and sensitive data are protected throughout their lifecycle.

Types of secrets: - API keys and tokens - Database credentials - SSH keys - Certificates and private keys - Encryption keys - Service account passwords

Secrets management tools: - HashiCorp Vault - AWS Secrets Manager, Azure Key Vault, GCP Secret Manager - CyberArk, 1Password Teams - Doppler, Infisical

Best practices: - Never store secrets in code - Rotate secrets regularly - Use dynamic/temporary credentials - Audit secret access - Encrypt secrets at rest

Why It Matters

Hardcoded secrets in source code are one of the most common and dangerous security findings—a single exposed API key in a public repository can lead to a full data breach within hours. Proper secrets management with centralized storage, access controls, rotation, and audit logging is a foundational security control. Auditors will specifically check for secrets in code repositories and ask about your secrets management practices.

Key Points

Never commit secrets to version control

Use secrets manager instead of environment files

Rotate secrets regularly (at least annually)

Audit who accesses which secrets

Dynamic secrets reduce exposure

Applicable Compliance Frameworks

SOC 2 ISO 27001 PCI DSS

Related Terms

Key Management

Key management encompasses the policies and procedures for generating, storing, distributing, rotating, and destroying cryptographic keys used for encryption.

Access Control

Access control is a security mechanism that regulates who can view or use resources in a computing environment, ensuring only authorized users can access systems and data.

Encryption at Rest

Encryption at rest protects data stored on disks, databases, or storage systems by converting it to an unreadable format that requires a key to decrypt.