Identity & Access Management

Secrets Management & Credential Storage

Secret sprawl — API keys, DB passwords, TLS keys, signing keys scattered across env vars, config files, CI logs, and source control — is one of the most common root causes of real-world breaches; centralized secrets managers and short-lived dynamic secrets are how mature systems contain it.
  • Secret sprawl (credentials scattered across env vars, config files, CI logs, and — worst of all — source control) is one of the most common root causes behind real-world breaches, precisely because it's so easy to accumulate without anyone deciding to
  • Dedicated secrets managers (HashiCorp Vault, AWS/GCP/Azure KMS) centralize storage, access control, and audit logging in one place, instead of every service inventing its own ad hoc handling
  • Envelope encryption: data is encrypted with a fast-to-rotate data encryption key (DEK); the DEK itself is encrypted with a rarely-rotated key-encryption key (KEK) held in a KMS/HSM — rotating the KEK re-wraps the DEKs, not the underlying data
  • Dynamic secrets are generated on demand, per client, with a short lifetime (e.g. a Vault-issued database credential valid for one hour) — they shrink the exposure window dramatically compared to a static password valid until someone remembers to rotate it
  • Rotation matters as much as storage: a securely-stored secret that's never rotated is still a long-lived liability the moment it leaks silently — and a leak is rarely announced
  • Secrets must never end up in source control, container images, or CI/CD logs — a secret committed to git remains recoverable from history even after a later commit deletes it; the fix is revoking the secret, not just removing the line
Envelope encryption
Rotating the KEK means re-wrapping the (small) DEKs, not re-encrypting the (potentially huge) underlying dataset
Static vs dynamic secrets
Static secretDynamic secret
LifetimeLong-lived, often indefiniteShort-lived, generated per request/lease
Exposure window if leakedUntil someone notices and rotates itMinutes to hours, then auto-expires
Rotation effortManual, often skipped in practiceAutomatic by design
RevocationRequires finding every place it was usedLease expiry or explicit revoke, scoped to one client
Sources
  • Zero Trust Networks (2nd ed.)Ch. 6 — Secrets and Credential Management
  • API Security in ActionCh. 5 — Protecting Credentials