Secrets Management: Centralization, Encryption, and Rotation
One Source of Truth, Injected at Runtime
Application secrets should live in a dedicated secrets manager, not in the repository, the CI configuration, or a teammate's laptop. Applications and pipelines pull secrets at runtime from the manager — scoped per environment (dev, staging, production) so a development credential can never reach production. This makes access revocable and auditable, and removes secrets from places they are easily copied or leaked.
- Store secrets in a managed system, never in committed files or chat
- Scope secrets per environment so dev credentials cannot touch production
- Inject at runtime; do not bake secrets into images or build artifacts
- Restrict and log read access — every fetch should be attributable
Encrypt the Config That Must Live in Git
Some configuration genuinely belongs in version control — Kubernetes manifests, infrastructure-as-code, environment files for GitOps. For those, encrypt the secret values in place so the repository never holds plaintext credentials. Tools that encrypt only the values (leaving keys readable) let you review diffs and keep GitOps workflows while ensuring a repo leak does not expose live secrets.
# Encrypt only the values in a secrets file before committing
# (keys stay readable so diffs remain reviewable)
sops --encrypt --in-place secrets.enc.yaml
# Decryption happens at deploy time, in memory only:
sops --decrypt secrets.enc.yaml | kubectl apply -f -
Encrypting values in place keeps your GitOps diffs meaningful while ensuring a leaked repository never exposes a usable credential.
Make Rotation Routine
A secret that never changes is a secret that will eventually leak and stay leaked. Define a rotation cadence for every credential class — shorter for high-value keys — and automate it where possible so rotation is a scheduled, low-drama event rather than a post-incident scramble. Track ownership and expiry so a departing teammate or an expiring token never becomes a silent outage or an open door.
- Define and document a rotation cadence per credential type
- Rotate immediately on any suspected exposure or teammate offboarding
- Prefer short-lived, dynamically issued credentials over long-lived static keys
- Alert ahead of token and certificate expiry to avoid surprise outages
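The rotation policy above, worked through as an added example (not code from the original page): a small inventory check that applies a per-class cadence, rotates immediately on suspected exposure or owner offboarding, and alerts ahead of expiry. The credential classes, cadence values, alert window and the sample inventory are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rotation cadence per credential class (hypothetical policy values for this example).
ROTATION_CADENCE_DAYS = {
    "root-key": 30,      # high value: rotate monthly
    "api-token": 90,
    "db-password": 180,
}
EXPIRY_ALERT_WINDOW = timedelta(days=14)  # warn this far ahead of expiry


@dataclass
class Credential:
    name: str
    cred_class: str
    owner: str
    last_rotated: date
    expires: Optional[date] = None
    suspected_exposure: bool = False
    owner_offboarded: bool = False


def rotation_actions(creds, today):
    """Return {credential name: reason} for every credential needing action today."""
    actions = {}
    for c in creds:
        cadence = ROTATION_CADENCE_DAYS.get(c.cred_class)
        if c.suspected_exposure:
            actions[c.name] = "rotate now: suspected exposure"
        elif c.owner_offboarded:
            actions[c.name] = f"rotate now: owner {c.owner} offboarded"
        elif cadence is None:  # fail closed: an unclassified credential has no cadence
            actions[c.name] = f"classify: no cadence defined for {c.cred_class!r}"
        elif today - c.last_rotated >= timedelta(days=cadence):
            actions[c.name] = f"rotate: {c.cred_class} cadence exceeded"
        elif c.expires is not None and c.expires - today <= EXPIRY_ALERT_WINDOW:
            actions[c.name] = f"alert: expires {c.expires.isoformat()}"
    return actions


# Constructed sample inventory (no real credentials or systems).
SAMPLE = [
    Credential("prod-kms-root", "root-key", "alice", date(2024, 1, 1)),
    Credential("ci-deploy-token", "api-token", "bob", date(2024, 3, 1), expires=date(2024, 4, 10)),
    Credential("analytics-db", "db-password", "carol", date(2024, 3, 15), owner_offboarded=True),
    Credential("staging-api", "api-token", "dave", date(2024, 3, 20)),
]


def demo():
    """Run the check against the sample inventory as of a fixed date."""
    return rotation_actions(SAMPLE, date(2024, 4, 1))
```

Run `demo()` (or print its items) to see which credentials are due, overdue, or approaching expiry on that date.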