Secrets Management Strategy

by @pitchinnate · 🔐 Security · 16d ago · 49 views

HashiCorp Vault and cloud secrets manager setup. Rotation policies, audit trails, and developer workflow.

# CLAUDE.md — Secrets Management

## What Counts as a Secret
- API keys and tokens
- Database credentials
- TLS private keys
- Encryption keys
- OAuth client secrets
- Webhook signing secrets

## Storage Rules
- No secrets in source code — ever
- No secrets in environment variable files committed to git
- No secrets in container images
- Use pre-commit hooks to detect accidental commits (git-secrets, gitleaks)

## HashiCorp Vault Setup
- KV v2 for static secrets (API keys, passwords)
- Dynamic secrets for database credentials (auto-rotate, short TTL)
- PKI secrets engine for certificate issuance
- AppRole authentication for services; OIDC for humans

## Rotation Policy
| Secret Type | Rotation Frequency |
|-------------|-------------------|
| Database passwords | 90 days (automated) |
| API keys (internal) | 180 days |
| API keys (external) | On compromise only |
| TLS certificates | 90 days (auto via ACME) |
| Encryption keys | Annual, with re-encryption |

## Developer Workflow
- Local dev: `direnv` + `.envrc` in `.gitignore`
- CI/CD: inject secrets from Vault at job start, never store in CI vars
- Never log secrets — mask in CI output
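The CI/CD step above (AppRole login, KV v2 read at job start, masking before anything is logged) as an added example; this is not the page's or HashiCorp's code. It assumes a Vault at `VAULT_ADDR`, a KV v2 mount named `secret`, and that the runner receives the AppRole `role_id`/`secret_id` at job start; `fake_vault` is a constructed stand-in so the flow runs offline.

```python
"""Added example, not the page's code: AppRole login + KV v2 read at CI job
start, then mask the values. Assumes VAULT_ADDR and a KV v2 mount 'secret'."""
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: dev/test listener address

def http_json(method, url, body=None, token=None):
    """Minimal JSON transport for the Vault HTTP API (real network call)."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def approle_login(role_id, secret_id, transport=http_json):
    """POST auth/approle/login; Vault answers with a short-lived client token."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    resp = transport("POST", f"{VAULT_ADDR}/v1/auth/approle/login", body)
    return resp["auth"]["client_token"]

def read_kv2(token, path, mount="secret", transport=http_json):
    """GET <mount>/data/<path>; KV v2 nests the key/values under data.data."""
    resp = transport("GET", f"{VAULT_ADDR}/v1/{mount}/data/{path}", None, token)
    return resp["data"]["data"]

def mask_commands(secrets):
    """GitHub Actions workflow commands that redact each value from job logs."""
    return [f"::add-mask::{value}" for value in secrets.values() if value]

def ci_prelude(role_id, secret_id, path, transport=http_json):
    """Job-start flow: login, fetch, mask. Returns (secrets, mask lines)."""
    token = approle_login(role_id, secret_id, transport)
    secrets = read_kv2(token, path, transport=transport)
    return secrets, mask_commands(secrets)

def fake_vault(method, url, body=None, token=None):
    """Constructed offline stand-in for Vault, shaped like its real responses."""
    if url.endswith("/v1/auth/approle/login"):
        return {"auth": {"client_token": "hvs.CONSTRUCTED", "lease_duration": 1200}}
    if token != "hvs.CONSTRUCTED":
        raise PermissionError("403: KV read without a valid token")
    return {"data": {"data": {"DB_PASSWORD": "c0nstructed"}, "metadata": {"version": 3}}}

if __name__ == "__main__":
    # Emit the mask commands first, before any line that could echo a value.
    print("\n".join(ci_prelude("role-id", "secret-id", "ci/app", fake_vault)[1]))
```

The values land only in process memory and the `::add-mask::` lines, never in CI variables; replace `fake_vault` with the default `http_json` transport against a real Vault.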
submitted March 18, 2026