Secrets Management

Definition

Where and how sensitive values (passwords, API keys, private keys, tokens) are stored, accessed, and rotated. A secret that has reached git history, logs, crash dumps, or an env dump must be treated as compromised: rotate it, because deleting the file or rewriting history does not unleak it.

Core practices

  • No secrets in code / git — keep them out with .gitignore and a pre-commit hook, and scan the full history in CI with gitleaks / trufflehog, where a hook cannot be bypassed
  • Least privilege — scope each secret to one service and the minimum permissions it needs; never share one credential across services, or a leak in one becomes a leak in all
  • Rotation — automate it; short-lived credentials beat long-lived ones because a leaked credential expires on its own
  • Audit — every access logged: which identity read which secret, and when, so a leak can be traced to its source
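Wiring the scan into a pre-commit hook, as an added example (not from the page): a .pre-commit-config.yaml using the gitleaks hook. The pinned rev is an assumption; pin the release you audited.

```yaml
# .pre-commit-config.yaml (added example; rev is an assumed version, pin the one you audited)
repos:
  - repo: https://github.com/gitleaks/gitleaks
    rev: v8.18.4          # assumed version
    hooks:
      - id: gitleaks      # scans the staged changes before every commit
```

Install it with `pre-commit install`. The hook is advisory: `git commit --no-verify` skips it, so the enforcing control is the same scanner run against the full history in CI. Anything the history scan finds has already leaked and needs rotation; the allowlist (.gitleaks.toml / .gitleaksignore) is for false positives only, never for "known" secrets.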

Where it appears

🐧 Linux

  • systemd-creds — encrypted credentials per unit (LoadCredentialEncrypted=), decrypted only into the unit's private $CREDENTIALS_DIRECTORY, never into its environment
  • gpg-agent / ssh-agent — hold private keys in memory so clients get signatures rather than key material; agent forwarding extends that trust to the remote host, so use it sparingly
  • /etc/shadow — root-only (0000 root:root on RHEL-family, 0640 root:shadow on Debian-family); password hashes never belong in world-readable /etc/passwd

☁️ Cloud

  • AWS — Secrets Manager (managed rotation via Lambda), Parameter Store SecureString (cheaper, no built-in rotation), KMS (the key under the key; gate it with key policies)
  • Azure — Key Vault (secrets, keys, certificates); grant access through RBAC to managed identities, not to shared service principals
  • Instance roles / managed identities — credentials issued by the metadata service and rotated automatically, so there is no long-lived key to leak; on AWS require IMDSv2 so an SSRF bug cannot read them

📦 Containers

  • Kubernetes Secrets — base64-encoded, not encrypted; anyone with get/list on secrets, or read access to etcd, sees plaintext, so enable encryption at rest (EncryptionConfiguration) and restrict RBAC on secrets
  • External Secrets Operator — syncs from Vault/AWS/Azure into Secrets, so the source of truth stays in the secret manager
  • SOPS / sealed-secrets — encrypted secrets committed to git; only the decryption key (KMS/age key, or the cluster controller's key) is sensitive
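Enabling encryption at rest for Secrets, as an added example (not from the page): the EncryptionConfiguration handed to kube-apiserver. The key value is a placeholder to be replaced with the base64 of 32 random bytes.

```yaml
# encryption-config.yaml (added example, not from the page)
# Passed to kube-apiserver with --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes; every listed provider is tried for reads.
      - secretbox:
          keys:
            - name: key1
              secret: <base64 of 32 random bytes>   # placeholder, e.g. head -c 32 /dev/urandom | base64
      # identity (plaintext) stays last so Secrets written before encryption was enabled remain readable
      - identity: {}
```

After restarting the API server, existing Secrets are still plaintext in etcd until they are rewritten: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Note the caveat: with a local provider such as secretbox the key itself sits in this file on the control-plane node, so the file must be protected like a secret; a `kms` provider backed by a cloud KMS keeps the key off the node entirely.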

🔄 CI/CD

  • GitHub Actions secrets / OIDC — prefer OIDC federation (a short-lived cloud token per job) over static secrets; secrets are masked in logs, but any step that can read one can exfiltrate it
  • Secret scope — org vs repo vs environment; environment secrets can require reviewer approval and be limited to protected branches, so deployment credentials belong there
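OIDC federation from GitHub Actions to AWS, as an added example (not from the page): the job requests an ID token and exchanges it for a short-lived role session, with no AWS access key stored anywhere. The account id, role name and region are assumptions.

```yaml
# .github/workflows/deploy.yml (added example, not from the page)
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request a GitHub OIDC token
  contents: read    # setting permissions explicitly drops the default write-all grant

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: prod    # the token's sub claim becomes repo:<org>/<repo>:environment:prod
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy   # assumed account id and role name
          aws-region: us-east-1                                           # assumed region
      - run: aws sts get-caller-identity   # shows the assumed-role session; no AWS_SECRET_ACCESS_KEY exists in this job
```

The check that makes this safe lives on the AWS side: the role's trust policy must allow `sts:AssumeRoleWithWebIdentity` from the `token.actions.githubusercontent.com` OIDC provider only when `token.actions.githubusercontent.com:aud` is `sts.amazonaws.com` and `token.actions.githubusercontent.com:sub` matches `repo:<org>/<repo>:environment:prod`. A trust policy that checks only `aud` lets any GitHub repository in the world assume the role.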

🔐 Cybersecurity

  • HashiCorp Vault — dynamic secrets (per-lease database credentials that expire), PKI, transit (encryption as a service, keys never leave Vault)
  • SPIFFE/SPIRE — workload identity, short-lived SVIDs (X.509 or JWT) issued after attestation, so no bootstrap secret has to be provisioned

See also