Secrets Management Best Practices

Comprehensive guide based on HashiCorp's 5 principles of secrets management and industry-proven security practices for protecting sensitive data.

The 5 Pillars of Secrets Management

Based on the five principles HashiCorp describes for secrets management

1. Central Secrets Control Plane

Centralize all secret management in one secure location instead of scattering secrets across multiple systems and files.

Key Benefits:

  • Single source of truth for all secrets
  • Consistent security policies across applications
  • Simplified audit and compliance reporting
  • Reduced risk of secret sprawl

Common Tools:

HashiCorp Vault
AWS Secrets Manager
Azure Key Vault
Kubernetes Secrets (base64-encoded, not encrypted, by default; treat them as a control plane only with encryption at rest enabled and RBAC restricting who can read Secret objects)

Implementation Example:


// Using a centralized secrets manager (node-vault client)
const vault = require('node-vault')({
  apiVersion: 'v1',
  endpoint: process.env.VAULT_ADDR,
  // Bootstrap token only; in production prefer an auth method (AppRole,
  // Kubernetes, cloud IAM) that issues short-lived tokens to the workload
  token: process.env.VAULT_TOKEN
});

async function loadSecrets() {
  // Retrieve secrets from the central location. Paths assume a KV v1 engine
  // mounted at secret/; a KV v2 mount is read at secret/data/<name> and
  // returns the values under data.data
  const dbSecrets = await vault.read('secret/database');
  const apiKeys = await vault.read('secret/api-keys');
  return { dbPassword: dbSecrets.data.password, apiKeys: apiKeys.data };
}

2. Access Control Lists (ACLs)

Implement granular access controls to ensure only authorized users and applications can access specific secrets.

Key Benefits:

  • Principle of least privilege enforcement
  • Reduced blast radius of compromises
  • Compliance with security frameworks
  • Audit trail of secret access

Common Patterns:

Role-based access (RBAC)
Team-based permissions
Application-specific access
Environment separation

Implementation Example:


# Policy "app-readonly": attached to application tokens.
# Paths assume a KV v1 engine mounted at secret/ (KV v2 uses secret/data/...).
path "secret/database/*" {
  capabilities = ["read"]
}

path "secret/api-keys/payment/*" {
  capabilities = ["read", "list"]
}

# Policy "senior-dev-write": attached only to the senior-developer group.
# Kept as a separate policy: Vault applies the most specific matching path, so a
# token that also holds the read-only rules above still gets only "read" on
# secret/database/*; give writers an explicit rule for that subtree if they need it.
path "secret/*" {
  capabilities = ["create", "update", "delete"]
  allowed_parameters = {
    "ttl" = ["1h", "24h", "168h"]
  }
}
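The rule that decides which stanza governs a request is the one practitioners most often get wrong: Vault picks the most specific matching path, not the union of every stanza that happens to match. The evaluator below is an added example (not the page's code and not Vault's implementation) that applies Vault's documented matching rules to the two policies above; the policy objects are a hand-built model of the HCL, and the `+` single-segment wildcard is left out for brevity.

```javascript
// Added example: evaluator for Vault-style ACL path rules, modelling the
// documented matching order (illustrative, not Vault's own code):
//   1. an exact-path rule beats any glob ("prefix*") rule;
//   2. otherwise the longest matching glob prefix wins;
//   3. capabilities from several policies on that same winning path are unioned;
//   4. "deny" in the winning set overrides every other capability.

// Policies modelled as {name, rules: [{path, capabilities}]}; these mirror the
// HCL stanzas on the page.
const appPolicy = {
  name: 'app-readonly',
  rules: [
    { path: 'secret/database/*', capabilities: ['read'] },
    { path: 'secret/api-keys/payment/*', capabilities: ['read', 'list'] },
  ],
};

const seniorDevPolicy = {
  name: 'senior-dev-write',
  rules: [{ path: 'secret/*', capabilities: ['create', 'update', 'delete'] }],
};

// A trailing "*" is a prefix glob; anything else must match exactly.
function matchRule(rulePath, requestPath) {
  if (rulePath.endsWith('*')) {
    const prefix = rulePath.slice(0, -1);
    return requestPath.startsWith(prefix) ? { kind: 'glob', length: prefix.length } : null;
  }
  return rulePath === requestPath ? { kind: 'exact', length: rulePath.length } : null;
}

// Capabilities the combined policies grant on a request path.
function effectiveCapabilities(policies, requestPath) {
  let best = null; // most specific match seen so far: {kind, length}
  let caps = new Set();
  for (const policy of policies) {
    for (const rule of policy.rules) {
      const m = matchRule(rule.path, requestPath);
      if (!m) continue;
      const better =
        best === null ||
        (m.kind === 'exact' && best.kind !== 'exact') ||
        (m.kind === best.kind && m.length > best.length);
      const sameSpecificity = best !== null && m.kind === best.kind && m.length === best.length;
      if (better) {
        best = m;
        caps = new Set(rule.capabilities);
      } else if (sameSpecificity) {
        rule.capabilities.forEach((c) => caps.add(c)); // same path in another policy: union
      }
    }
  }
  if (caps.has('deny')) return new Set(); // deny wins over everything else
  return caps;
}

function isAllowed(policies, requestPath, capability) {
  return effectiveCapabilities(policies, requestPath).has(capability);
}

// A token carrying both policies, which is what the page's single policy amounts to.
const token = [appPolicy, seniorDevPolicy];
// "secret/database/*" is more specific than "secret/*", so the read-only rule wins here.
console.log(isAllowed(token, 'secret/database/primary', 'update')); // false
console.log(isAllowed(token, 'secret/api-keys/payment/stripe', 'list')); // true
console.log(isAllowed(token, 'secret/feature-flags/beta', 'delete')); // true
```

Before rolling out a policy, run the paths your services actually request through `vault token capabilities <token> <path>` (or this evaluator against the parsed HCL) and compare against what you intended; the most-specific-match rule makes a "broad write, narrow read" layout silently read-only for the narrow subtree.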

3. Dynamic Secrets

Generate short-lived, automatically rotating secrets instead of using long-lived static credentials.

Key Benefits:

  • Automatic credential rotation
  • Reduced window of compromise
  • No manual secret management
  • Improved security posture

Common Use Cases:

Database credentials
Cloud service tokens
SSH certificates
API tokens with TTL

Implementation Example:


// Dynamic database credentials: each read creates a fresh database user
const dbCreds = await vault.read('database/creds/readonly');

// Credentials are generated on demand and carry a lease
const connection = {
  host: 'database.company.com',
  username: dbCreds.data.username,        // generated by Vault
  password: dbCreds.data.password,        // generated by Vault
  lease_duration: dbCreds.lease_duration  // seconds until expiry, e.g. 3600 for a 1 hour TTL
};

// Vault revokes the database user when the lease expires; the application must
// renew the lease (sys/leases/renew) or request new credentials before that point

4. Encryption as a Service

Use dedicated encryption services for data protection instead of managing encryption keys and algorithms yourself.

Key Benefits:

  • Centralized key management
  • Keys can be backed by a hardware security module (HSM) or cloud KMS and never leave it
  • Compliance with regulations
  • Simplified encryption workflows

Common Tools:

Vault Transit Engine
AWS KMS
Azure Key Vault Encryption
Google Cloud KMS

Implementation Example:


// Using Vault's Transit engine: the key "customer-data" never leaves Vault
const plaintext = "sensitive user data";

// Transit expects base64 plaintext and returns ciphertext prefixed "vault:v<keyversion>:"
const encrypted = await vault.write('transit/encrypt/customer-data', {
  plaintext: Buffer.from(plaintext).toString('base64')
});
const ciphertext = encrypted.data.ciphertext; // safe to persist alongside the record

// Decrypt when needed; the returned plaintext is base64 and must be decoded
const decrypted = await vault.write('transit/decrypt/customer-data', {
  ciphertext
});
const recovered = Buffer.from(decrypted.data.plaintext, 'base64').toString('utf8');

5. Auditing

Maintain comprehensive logs of all secret access, modifications, and usage for security monitoring and compliance.

Key Benefits:

  • Complete audit trail
  • Compliance reporting
  • Security incident response
  • Anomaly detection

What to Log:

Access logs
Modification tracking
Failed access attempts
Policy violations

Implementation Example:


// Example audit log entry (Vault-style, simplified: Vault writes a separate
// request and response entry per call and HMACs token values, so the log
// never contains a usable secret)
{
  "time": "2023-11-03T10:30:00Z",
  "type": "request",
  "auth": {
    "client_token": "hmac-sha256:...",
    "accessor": "hmac-sha256:...",
    "display_name": "api-service",
    "policies": ["api-policy"]
  },
  "request": {
    "operation": "read",
    "path": "secret/database/credentials",
    "remote_address": "10.0.0.15"
  },
  "response": {
    "status": 200
  }
}
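An audit trail only helps if something reads it. The block below is an added example (not the page's code and not HashiCorp's) of detection logic run over entries shaped like the one above: a burst of permission-denied responses from one identity (path enumeration with a stolen or over-broad token), a known identity calling from an address it has never used, and a destructive operation from an identity that is not an approved writer. The log lines, identities, addresses and baseline are all constructed for the example; the field names follow the entry above plus Vault's `error` field on failed requests.

```javascript
// Added example: anomaly rules over Vault-style audit entries (illustrative code).

// Constructed sample log, one JSON object per line, as an audit file device writes it.
const SAMPLE_AUDIT_LOG = [
  '{"time":"2023-11-03T10:30:00Z","type":"response","auth":{"display_name":"api-service","policies":["api-policy"]},"request":{"operation":"read","path":"secret/database/credentials","remote_address":"10.0.0.15"}}',
  '{"time":"2023-11-03T10:31:00Z","type":"response","auth":{"display_name":"api-service","policies":["api-policy"]},"request":{"operation":"read","path":"secret/api-keys/payment/stripe","remote_address":"10.0.0.15"}}',
  '{"time":"2023-11-03T10:32:10Z","type":"response","auth":{"display_name":"api-service","policies":["api-policy"]},"request":{"operation":"read","path":"secret/hr/payroll","remote_address":"10.0.0.15"},"error":"permission denied"}',
  '{"time":"2023-11-03T10:32:11Z","type":"response","auth":{"display_name":"api-service","policies":["api-policy"]},"request":{"operation":"read","path":"secret/hr/salaries","remote_address":"10.0.0.15"},"error":"permission denied"}',
  '{"time":"2023-11-03T10:32:12Z","type":"response","auth":{"display_name":"api-service","policies":["api-policy"]},"request":{"operation":"read","path":"secret/admin/backup","remote_address":"10.0.0.15"},"error":"permission denied"}',
  '{"time":"2023-11-03T10:32:13Z","type":"response","auth":{"display_name":"api-service","policies":["api-policy"]},"request":{"operation":"read","path":"secret/legal/contracts","remote_address":"10.0.0.15"},"error":"permission denied"}',
  '{"time":"2023-11-03T10:32:14Z","type":"response","auth":{"display_name":"api-service","policies":["api-policy"]},"request":{"operation":"read","path":"secret/finance/ledger","remote_address":"10.0.0.15"},"error":"permission denied"}',
  '{"time":"2023-11-03T11:05:00Z","type":"response","auth":{"display_name":"api-service","policies":["api-policy"]},"request":{"operation":"read","path":"secret/database/credentials","remote_address":"203.0.113.7"}}',
  '{"time":"2023-11-03T11:10:00Z","type":"response","auth":{"display_name":"ci-runner","policies":["ci-policy"]},"request":{"operation":"delete","path":"secret/database/credentials","remote_address":"10.0.0.40"}}',
].join('\n');

// Constructed baseline: expected source addresses per identity, and the
// identities allowed to create, update or delete secrets.
const BASELINE = {
  knownAddresses: { 'api-service': ['10.0.0.15'], 'ci-runner': ['10.0.0.40'] },
  writers: ['senior-dev'],
};

function parseAuditLog(text) {
  return text.split('\n').filter((l) => l.trim()).map((l) => JSON.parse(l));
}

// Rule 1: N or more permission-denied responses from one identity within a window.
function denialBursts(entries, { threshold = 5, windowSec = 60 } = {}) {
  const byIdentity = new Map();
  for (const e of entries) {
    if (!e.error || !/permission denied/.test(e.error)) continue;
    const who = e.auth.display_name;
    if (!byIdentity.has(who)) byIdentity.set(who, []);
    byIdentity.get(who).push(Date.parse(e.time) / 1000);
  }
  const findings = [];
  for (const [who, times] of byIdentity) {
    times.sort((a, b) => a - b);
    for (let i = 0, j = 0; i < times.length; i++) {
      while (j < times.length && times[j] - times[i] <= windowSec) j++; // sliding window
      if (j - i >= threshold) {
        findings.push({ rule: 'denied-burst', who, detail: `${j - i} denials within ${windowSec}s` });
        break; // one finding per identity
      }
    }
  }
  return findings;
}

// Rules 2 and 3: unexpected source address, and writes by a non-writer identity.
function detectAnomalies(entries, baseline, opts) {
  const findings = denialBursts(entries, opts);
  const seenAddr = new Set();
  for (const e of entries) {
    const who = e.auth.display_name;
    const addr = e.request.remote_address;
    const known = baseline.knownAddresses[who] || [];
    if (!known.includes(addr) && !seenAddr.has(`${who}@${addr}`)) {
      seenAddr.add(`${who}@${addr}`);
      findings.push({ rule: 'new-source-address', who, detail: addr });
    }
    if (['create', 'update', 'delete'].includes(e.request.operation) && !baseline.writers.includes(who)) {
      findings.push({ rule: 'unexpected-write', who, detail: `${e.request.operation} ${e.request.path}` });
    }
  }
  return findings;
}

const findings = detectAnomalies(parseAuditLog(SAMPLE_AUDIT_LOG), BASELINE);
findings.forEach((f) => console.log(`${f.rule}: ${f.who} (${f.detail})`));
```

Run against the sample, the rules surface the five probing reads at 10:32, the 11:05 read from 203.0.113.7, and the delete by `ci-runner`. Tune the burst threshold per identity class: a CI runner legitimately hitting many paths looks different from a single service that normally reads two.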

Implementation Roadmap

Choose your starting point based on your organization's size and security requirements

Starter

Level 1

Basic security for small teams and projects

Key Practices:

  • Use .env files that are excluded from version control via .gitignore and never shared over chat or email
  • Environment variable validation
  • Different secrets per environment
  • Basic secret documentation

Recommended Tools:

dotenv
env-cmd
cross-env

Professional

Level 2

Enhanced security for growing applications

Key Practices:

  • Cloud provider secret managers
  • Automated secret rotation
  • Access logging and monitoring
  • Secret scanning in CI/CD

Recommended Tools:

AWS Secrets Manager
Azure Key Vault
GitHub Secret Scanning
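Secret scanning in CI is the Level 2 control that catches the Level 1 mistake of a .env value pasted into code. The block below is an added example (not the page's code and not GitHub's scanner) of the two checks such a scanner combines: fixed-format patterns for credentials with a recognisable shape, and secret-named assignments whose value is a literal rather than a reference to a secret store, with Shannon entropy reported as a confidence hint. The sample file content is constructed; the AWS key id is the placeholder AWS uses in its own documentation, and the hex `api_key` value is made up.

```javascript
// Added example: minimal pre-commit / CI secret scanner (illustrative code).

// Credentials with a fixed, recognisable format.
const FORMAT_PATTERNS = [
  { rule: 'aws-access-key-id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { rule: 'private-key-block', re: /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/g },
];
// name = value / name: value where the name suggests a secret; the value is captured.
const ASSIGNMENT_RE = /(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*["']?([^\s"']{8,})/gi;
// Values that point at a secret store or template variable rather than holding a secret.
const REFERENCE_PREFIXES = ['$', '{{', '<', 'process.env', 'os.environ', 'vault:'];

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h; // bits per character; random hex tops out near 4, base64 near 6
}

function scanText(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const { rule, re } of FORMAT_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ line: idx + 1, rule, value: m[0], entropy: +shannonEntropy(m[0]).toFixed(2) });
      }
    }
    for (const m of line.matchAll(ASSIGNMENT_RE)) {
      const value = m[1];
      if (REFERENCE_PREFIXES.some((p) => value.startsWith(p))) continue; // reference, not a secret
      findings.push({ line: idx + 1, rule: 'secret-assignment', value, entropy: +shannonEntropy(value).toFixed(2) });
    }
  });
  return findings;
}

// Exit status for a CI step: non-zero when anything was found.
function ciGate(text) {
  return scanText(text).length === 0 ? 0 : 1;
}

// Constructed sample file: lines 2 and 3 reference secrets correctly, lines 4 to 6 leak them.
const SAMPLE_FILE = [
  'DB_HOST = "db.internal"',
  'DB_PASSWORD = os.environ["DB_PASSWORD"]',
  'password = "${DB_PASSWORD}"',
  'api_key = "9f2c1b7e4a8d5c3f6e1b0a9d8c7f6e5b"',
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  '-----BEGIN RSA PRIVATE KEY-----',
  'token: "abc"',
].join('\n');

scanText(SAMPLE_FILE).forEach((f) => console.log(`line ${f.line}: ${f.rule} (entropy ${f.entropy})`));
console.log(`exit status: ${ciGate(SAMPLE_FILE)}`);
```

The two reference-style lines are skipped on purpose; a scanner that flags `os.environ["DB_PASSWORD"]` trains developers to ignore it. Run the gate in a pre-commit hook as well as CI, because a secret that reaches a commit stays in history even after the file is fixed.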

Enterprise

Level 3

Advanced security for large organizations

Key Practices:

  • HashiCorp Vault implementation
  • Dynamic secret generation
  • Fine-grained access controls
  • Compliance audit trails

Recommended Tools:

HashiCorp Vault
CyberArk
Secrets Store CSI Driver (Kubernetes)

Common Mistakes to Avoid

Using the same secrets across environments (severity: high)

Solution: Use different secrets for development, staging, and production, so a credential leaked from a developer laptop or test system cannot open production

Storing secrets in configuration files (severity: critical)

Solution: Keep configuration and secrets separate; a secret committed with a config file stays in version-control history even after it is removed, so treat it as exposed and rotate it

No secret rotation policy (severity: medium)

Solution: Implement regular rotation schedules, and rotate immediately when exposure is suspected or a holder leaves

Overprivileged access to secrets (severity: high)

Solution: Apply the principle of least privilege; scope each token, role, or service account to the paths and operations it needs

No monitoring of secret access (severity: medium)

Solution: Implement comprehensive audit logging and alert on unusual access patterns

Operating Model

Secrets Owner

  • Defines policy, rotation cadence, and tooling
  • Approves new secret creation and deletion
  • Coordinates cross-team adoption

Platform Engineer

  • Implements automation and integrations
  • Maintains CI/CD secret distribution
  • Monitors for drift and regressions

Application Team

  • Consumes secrets following documented practices
  • Flags new secret requirements early
  • Participates in rotation drills

Security & Compliance

  • Conducts periodic audits and tabletop exercises
  • Responds to incidents and ensures evidence capture
  • Reports posture to leadership

Audit Readiness Checklist

  • Every secret has an owner and documented purpose
  • Rotation dates are logged and within policy
  • Access control lists align with least privilege
  • Alerts exist for anomalous secret usage
  • Backups and recovery procedures are tested

Communication Plan

  • Slack channel and email alias for secret incidents
  • Runbook stored in shared knowledge base
  • Quarterly lunch-and-learn reviewing new tooling
  • Onboarding checklist covering secrets hygiene
  • Offboarding checklist ensuring access revocation

Key Success Metrics

  • Mean time to rotate credentials after detection
  • Number of secrets with undefined owners
  • Percentage of services using managed secret stores
  • Incidents caused by secrets in the last quarter
  • Audit findings resolved within SLA