Secrets Management: Keeping Credentials Safe

Secrets are any sensitive credentials that grant access to systems: API keys, database passwords, private keys, OAuth client secrets, and service account credentials. How you store, manage, and rotate these secrets is one of the most critical security practices in software development.

What Not to Do

  • Never hardcode secrets in source code: Code is frequently shared, versioned, and stored in repositories. Secrets committed to Git persist in history even after deletion.
  • Never store secrets in plaintext config files: Application config files are frequently backed up, shared, and logged.
  • Never share secrets via email or messaging apps: These channels are not designed for secure credential sharing.

How We Manage Secrets

  • Environment variables: Secrets injected at runtime as environment variables — not stored in code
  • Secrets managers: AWS Secrets Manager, Azure Key Vault, HashiCorp Vault — centralised, audited, versioned, and with automatic rotation capabilities
  • Automated secret scanning: CI/CD pipelines run secret scanning (GitHub Secret Scanning, Gitleaks) that blocks commits containing apparent secrets
  • Principle of least privilege: Each service has its own credentials with access to only what it needs — not shared credentials
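As an added example (not code from this page or from GitHub Secret Scanning or Gitleaks), the block below shows both sides of the first two practices above: a small pattern-based scanner of the kind a CI pipeline runs over a diff to catch hardcoded credentials, and a `get_secret` loader that reads a runtime-injected secret and fails closed without ever echoing a value. The patterns, the `SAMPLE_DIFF` lines and the function names are assumptions constructed for the example; the AWS key ID in the sample is AWS's own documented example value, not a real credential.

```python
import os
import re
from typing import Optional

# Illustrative rule set (assumption), not the rules shipped by any real scanner.
SECRET_PATTERNS = {
    # AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # a string literal of 8+ chars assigned to a password/secret/token-like name
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
    # PEM private key header
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_lines(lines):
    """Return (line_number, pattern_name) for every line that looks like a secret.

    A CI job would run this over the staged diff and fail the build (blocking
    the commit) when the list is non-empty.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((n, name))
    return findings


def get_secret(name: str, env: Optional[dict] = None) -> str:
    """Read a secret injected at runtime (env var by default); fail closed if absent.

    The error names the variable only: no value, and no silent fallback to a
    default, so a misconfigured deployment stops instead of running insecurely.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not set")
    return value


# Constructed sample diff lines for the scanner (not taken from any real repo).
SAMPLE_DIFF = [
    'DB_PASSWORD = "hunter2hunter2"',             # literal credential -> flagged
    'aws_key = "AKIAIOSFODNN7EXAMPLE"',           # AWS key ID format -> flagged
    'db_password = os.environ["DB_PASSWORD"]',    # runtime injection -> clean
    'password = get_secret("DB_PASSWORD")',       # runtime injection -> clean
    '-----BEGIN RSA PRIVATE KEY-----',            # key material -> flagged
]

if __name__ == "__main__":
    for line_no, rule in scan_lines(SAMPLE_DIFF):
        print(f"line {line_no}: matches {rule}")
```

Running the block flags lines 1, 2 and 5 of the sample and leaves the two environment-based lines untouched; the same scanner can be pointed at `git diff --cached` output in a pre-commit hook.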

Secret Rotation

Secrets should be rotated regularly and immediately after any suspected compromise. We design systems that support zero-downtime secret rotation — critical credentials can be rotated without taking the application offline.
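The following is an added example, not code from this page, of one common way to get zero-downtime rotation: the verifier accepts both the current credential and the previous one for a grace period, and clients re-fetch once when a request is rejected. The `CredentialStore` and `Client` classes, the in-memory design and the injectable clock are assumptions made for the example; a real deployment would back the store with a secrets manager.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class CredentialStore:
    """Server-side view of a rotating credential (assumed design).

    Keeps the current version and the previous one; the previous stays valid
    for grace_seconds so in-flight clients are not cut off mid-rotation.
    """
    now: Callable[[], float]                      # injectable clock for testing
    grace_seconds: float = 300.0
    current: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    previous: str = ""
    previous_expires_at: float = 0.0
    version: int = 1

    def rotate(self) -> int:
        """Issue a new credential; the old one remains valid for grace_seconds."""
        self.previous = self.current
        self.previous_expires_at = self.now() + self.grace_seconds
        self.current = secrets.token_urlsafe(32)
        self.version += 1
        return self.version

    def is_valid(self, presented: str) -> bool:
        # Constant-time comparison so validation does not leak partial matches.
        if secrets.compare_digest(presented, self.current):
            return True
        if self.previous and self.now() < self.previous_expires_at:
            return secrets.compare_digest(presented, self.previous)
        return False


class Client:
    """Caches the credential and re-fetches once on rejection.

    That single retry is what lets rotation happen without restarting the
    application: the cache is refreshed from the secrets source on demand.
    """

    def __init__(self, fetch: Callable[[], str], store: CredentialStore):
        self.fetch = fetch
        self.store = store
        self.cached = fetch()
        self.refreshes = 0

    def call(self) -> bool:
        if self.store.is_valid(self.cached):
            return True
        self.cached = self.fetch()       # pick up the rotated credential
        self.refreshes += 1
        return self.store.is_valid(self.cached)


def demo() -> dict:
    """Walk through a rotation with a fake clock and report what happened."""
    clock = [1000.0]
    store = CredentialStore(now=lambda: clock[0], grace_seconds=300.0)
    client = Client(fetch=lambda: store.current, store=store)

    result = {}
    result["before_rotation"] = client.call()                    # accepted
    store.rotate()
    result["old_cred_in_grace"] = store.is_valid(client.cached)  # still accepted
    clock[0] += 301                                              # grace period over
    result["old_cred_after_grace"] = store.is_valid(client.cached)  # rejected
    result["client_recovers"] = client.call()                    # refreshes, accepted
    result["refreshes"] = client.refreshes                       # exactly one
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The grace period bounds how long a leaked old credential stays usable after rotation, so keep it as short as the slowest client's refresh cycle allows; on a suspected compromise, rotate and then clear `previous` immediately rather than waiting for the window to lapse.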
