Identity & Access Management
Secrets Management & Credential Storage
Secret sprawl — API keys, DB passwords, TLS keys, signing keys scattered across env vars, config files, CI logs, and source control — is one of the most common root causes of real-world breaches; centralized secrets managers and short-lived dynamic secrets are how mature systems contain it.
- Secret sprawl (credentials scattered across env vars, config files, CI logs, and — worst of all — source control) is one of the most common root causes behind real-world breaches, precisely because it's so easy to accumulate without anyone deciding to
- Dedicated secrets managers (HashiCorp Vault, AWS/GCP/Azure KMS) centralize storage, access control, and audit logging in one place, instead of every service inventing its own ad hoc handling
- Envelope encryption: data is encrypted with a fast-to-rotate data encryption key (DEK); the DEK itself is encrypted with a rarely-rotated key-encryption key (KEK) held in a KMS/HSM — rotating the KEK re-wraps the DEKs, not the underlying data
- Dynamic secrets are generated on demand, per client, with a short lifetime (e.g. a Vault-issued database credential valid for one hour) — they shrink the exposure window dramatically compared to a static password valid until someone remembers to rotate it
- Rotation matters as much as storage: a securely-stored secret that's never rotated is still a long-lived liability the moment it leaks silently — and a leak is rarely announced
- Secrets must never end up in source control, container images, or CI/CD logs — a secret committed to git remains recoverable from history even after a later commit deletes it; the fix is revoking the secret, not just removing the line
| Static secret | Dynamic secret | |
|---|---|---|
| Lifetime | Long-lived, often indefinite | Short-lived, generated per request/lease |
| Exposure window if leaked | Until someone notices and rotates it | Minutes to hours, then auto-expires |
| Rotation effort | Manual, often skipped in practice | Automatic by design |
| Revocation | Requires finding every place it was used | Lease expiry or explicit revoke, scoped to one client |