Secrets Management
The practice of securely storing, accessing, rotating, and auditing sensitive credentials like API keys, tokens, and passwords.
Description
Secrets management encompasses the tools, practices, and policies for handling sensitive credentials throughout their lifecycle: creation, distribution, use, rotation, and revocation. Secrets include API keys, database passwords, encryption keys, OAuth tokens, TLS private keys, and any other data that grants access to protected resources. Poor secrets management -- hardcoded credentials in source code, shared .env files, or keys that are never rotated -- is a recurring root cause of breaches: a leaked credential gives an attacker the same access as its legitimate holder with no exploit required, and an unrotated one keeps doing so long after the leak.
A mature secrets management strategy has several components: a centralized secrets store (HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, or Azure Key Vault) that provides encrypted storage behind access control; dynamic secrets that are generated on demand for a specific consumer and expire automatically, so that a leaked credential has a bounded lifetime and can be revoked per lease; automatic rotation policies that limit the blast radius of compromised long-lived credentials; and comprehensive audit logs that record who accessed which secret and when. Access to the store itself should be authenticated through the workload's platform identity (an IAM role, a Kubernetes service account, an instance identity document) rather than yet another static credential; otherwise the store only relocates the bootstrap problem.
In development workflows, secrets must never enter version control. Scanners such as git-secrets or gitleaks, run as pre-commit hooks and again in CI, catch credentials before they are committed; once a secret has been pushed it must be treated as compromised and rotated, because rewriting history does not recall the copies already fetched. Environment-specific secrets should be injected at runtime through mounted secret files or environment variables rather than baked into container images or deployment artifacts. Prefer mounted files where the platform offers them: environment variables are inherited by every child process, are readable from /proc/<pid>/environ by anything running as the same user or root, and tend to surface in crash dumps and debug pages. In CI/CD pipelines, use the platform's built-in secrets store (GitHub Actions secrets, GitLab CI variables) with minimal scope and separate secrets per environment, so that a compromised staging job cannot reach production credentials.
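The runtime-injection pattern described above, as an added example rather than code from this page or any vendor SDK: it prefers a file mounted by the orchestrator under /run/secrets (the default location for Docker and Kubernetes secret volumes) and falls back to an environment variable, which it scrubs from the process environment once read so child processes and environment dumps no longer carry it. The `Secret` wrapper, the `SECRETS_DIR` override, and the `demo()` function are assumptions for illustration; every value inside `demo()` is constructed.

```python
"""Load secrets from a mounted file first, an environment variable second."""
from __future__ import annotations

import os
import tempfile
from collections.abc import MutableMapping
from pathlib import Path

# Assumed convention: orchestrators mount secret files here unless told otherwise.
SECRETS_DIR = Path(os.environ.get("SECRETS_DIR", "/run/secrets"))


class Secret:
    """Holds a secret value and refuses to print it by accident."""

    __slots__ = ("_value", "source")

    def __init__(self, value: str, source: str):
        self._value = value
        self.source = source  # where it came from; safe to log

    def expose(self) -> str:
        """Explicit accessor: grep for this name to audit every use of the value."""
        return self._value

    def __repr__(self) -> str:
        return f"Secret(source={self.source!r}, value=<redacted>)"

    __str__ = __repr__


def load_secret(
    name: str,
    secrets_dir: Path = SECRETS_DIR,
    env: MutableMapping[str, str] = os.environ,
) -> Secret:
    """Return `name` from <secrets_dir>/<name>, else from the env var NAME.

    Raises KeyError when neither source has it, so a misconfigured deployment
    fails at startup instead of running with an empty credential.
    """
    path = secrets_dir / name
    if path.is_file():
        value = path.read_text(encoding="utf-8").rstrip("\n")
        if value:
            return Secret(value, f"file:{path}")
    env_name = name.upper()
    value = env.get(env_name)
    if value:
        # The process now holds the value; remove it from the environment so
        # subprocesses and debug dumps of os.environ do not inherit it.
        env.pop(env_name, None)
        return Secret(value, f"env:{env_name}")
    raise KeyError(f"secret {name!r} not found in {secrets_dir} or ${env_name}")


def demo() -> dict:
    """Exercise both paths with a temporary directory and a throwaway env dict."""
    with tempfile.TemporaryDirectory() as tmp:
        secrets_dir = Path(tmp)
        # Constructed inputs: a mounted file and an env var for the same name,
        # plus a second secret available only through the environment.
        (secrets_dir / "db_password").write_text("s3cr3t-from-file\n")
        env = {"API_TOKEN": "tok-from-env", "DB_PASSWORD": "should-not-win"}
        from_file = load_secret("db_password", secrets_dir, env)
        from_env = load_secret("api_token", secrets_dir, env)
        try:
            load_secret("nope", secrets_dir, env)
            missing_raises = False
        except KeyError:
            missing_raises = True
        return {
            "file_source": from_file.source.startswith("file:"),
            "file_value": from_file.expose(),
            "env_value": from_env.expose(),
            "env_scrubbed": "API_TOKEN" not in env,
            "repr_leaks": "tok-from-env" in repr(from_env),
            "missing_raises": missing_raises,
        }


if __name__ == "__main__":
    print(demo())
```

The file path wins even when the environment variable is also set, which is the behaviour you want when a container image ships with a stale default in its environment. The `expose()` accessor is deliberately verbose: it gives reviewers one identifier to search for when checking where a credential actually reaches a network call.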
Prompt Snippet
Store all secrets in a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, or Doppler) rather than .env files or application config. Inject secrets at runtime via environment variables or mounted volumes -- never bake them into Docker images or commit them to version control. Implement pre-commit hooks using git-secrets or gitleaks to prevent accidental credential commits. Configure automatic rotation with a maximum TTL of 90 days for API keys and 24 hours for dynamic database credentials. Use IAM roles and service accounts for cloud-to-cloud authentication instead of long-lived access keys.
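A minimal pre-commit scanner in the spirit of the hook the snippet asks for, as an added example rather than the page's code or gitleaks and git-secrets themselves: it parses the output of `git diff --cached`, examines only added lines, matches well-known credential shapes (AWS access key IDs, GitHub personal access tokens, PEM private key headers), and applies a Shannon-entropy threshold to values assigned to secret-looking names so that placeholders are not flagged. The rule set, the 3.5 bits-per-character threshold, and `SAMPLE_DIFF` are assumptions; the sample diff is constructed and uses the placeholder key ID from AWS documentation.

```python
"""Pre-commit secret scanner: flag credentials in staged diff before they land."""
from __future__ import annotations

import math
import re
import subprocess
import sys
from collections import Counter

# Well-known credential shapes; prefix-based formats are cheap to match exactly.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Anything assigned to a secret-looking name is flagged only if the value has
# enough entropy to be a real credential rather than a placeholder.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed, tunable starting point

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value`."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(secret: str) -> str:
    """Keep just enough of a hit to locate it without re-leaking it in hook output."""
    return secret[:4] + "***"


def scan_diff(diff_text: str) -> list[tuple[str, int, str, str]]:
    """Scan added lines of a unified diff; return (file, new_line_no, kind, redacted)."""
    findings = []
    file_name, line_no, in_hunk = "?", 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
            continue
        if not in_hunk and raw.startswith("+++ "):
            file_name = raw[4:].strip()
            if file_name.startswith("b/"):
                file_name = file_name[2:]
            continue
        if raw.startswith("@@"):
            in_hunk = True
            m = HUNK_HEADER.match(raw)
            line_no = int(m.group(1)) - 1 if m else 0
            continue
        if not in_hunk or raw.startswith("-") or raw.startswith("\\"):
            continue  # file headers, removed lines, "\ No newline" markers
        line_no += 1  # context (" ") and added ("+") lines both exist in the new file
        if not raw.startswith("+"):
            continue
        line = raw[1:]
        hit = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((file_name, line_no, kind, redact(m.group(0))))
                hit = True
        if hit:
            continue  # do not report the same value twice under the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((file_name, line_no, "generic_high_entropy", redact(m.group(1))))
    return findings


# Constructed sample, not a real repository diff. AKIAIOSFODNN7EXAMPLE is the
# placeholder key ID from AWS documentation; the other values are made up.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,6 @@
 import os
-AWS_ACCESS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyzABCDEFGHIJ"
+SESSION_SECRET = "q7Fz9Lk2Xp4Wn8Rt"
+PLACEHOLDER_SECRET = "aaaaaaaaaaaaaaaa"
 TIMEOUT = 30
"""


def main(argv: list[str]) -> int:
    if "--demo" in argv:
        diff_text = SAMPLE_DIFF
    else:  # as a pre-commit hook: scan exactly what is staged
        diff_text = subprocess.run(
            ["git", "diff", "--cached"], capture_output=True, text=True, check=True
        ).stdout
    findings = scan_diff(diff_text)
    for file_name, line_no, kind, value in findings:
        print(f"{file_name}:{line_no}: possible {kind}: {value}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit aborts the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Install it as `.git/hooks/pre-commit` (or as a pre-commit framework entry) and run the same script in CI, since a local hook is bypassed by `git commit --no-verify`. On the sample diff the AWS key, the GitHub token, and the random-looking session secret are reported, while the all-`a` placeholder passes the entropy filter. Findings are printed redacted so the hook's own output does not become another copy of the secret. For real repositories use gitleaks or git-secrets, which ship far larger rule sets plus allowlists for test fixtures.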
Related Terms
Environment Variable Security
Practices for securely managing application configuration and secrets through environment variables without exposing them to unauthorized access.
Encryption at Rest
The practice of encrypting stored data so it remains unreadable without the appropriate decryption key, even if the storage medium is compromised.
Cryptographic Key Management
The practices and systems for generating, storing, distributing, rotating, and retiring cryptographic keys throughout their lifecycle.
Principle of Least Privilege
A security principle requiring that every user, process, and system component be granted only the minimum permissions necessary to perform its function.