Introduction

Secret rotation is a security best practice that involves systematically updating credentials and access tokens at regular intervals to minimize the risk of compromise. By proactively replacing existing secrets with new ones, organizations reduce the potential impact of credential theft or leakage.

Examples of rotated secrets include:

  • API keys and authentication tokens for cloud services and third-party integrations
  • Database credentials across production, staging, and development environments

How Rotation Works

Secret Rotation systematically replaces secrets at regular intervals while ensuring zero downtime for your applications. This overlapping lifecycle approach maintains continuous availability while enhancing your security posture.

Visual Timeline

Credential States

Each set of credentials transitions through three distinct states:

  • Active: The primary credentials that will be used for new connections

  • Inactive: These credentials are still valid but are no longer issued for new connections

    Some rotation providers utilize a single credential set due to technical constraints. As a result, inactive credentials for these providers will immediately become invalid once rotated.

    To avoid service interruptions, Infisical recommends manually rotating these credentials to prevent downtime.

  • Revoked: Permanently invalidated and deleted from the system

Rotation Cycle Example (30-Day Interval)

Using a 30-Day rotation interval as an example, here’s how the process unfolds:

  1. Day 0

    • Credential set 1 is issued and set to Active
    • Applications begin using this set for authentication

  2. Day 30

    • Credential set 2 is issued and set to Active
    • Credential set 1 transitions to Inactive but remains valid
    • New connections utilize set 2 while existing connections with set 1 continue to work

    This overlapping validity period ensures that at any point during the active period of a credential set, you are guaranteed that retrieved credentials will be valid for the specified rotation period.

  3. Day 60

    • Credential set 3 is issued and set to Active
    • Credential set 2 transitions to Inactive but remains valid
    • Credential set 1 is Revoked and securely deleted
    • By now, all applications should have transitioned to using set 2 or 3

  4. Day 90

    • Credential set 4 is issued and set to Active
    • Credential set 3 transitions to Inactive but remains valid
    • Credential set 2 is Revoked and securely deleted
    • The cycle continues…

Benefits of This Approach

  • Zero Downtime: Applications always have valid credentials
  • Grace Period: The inactive period gives applications time to update to new credentials
  • Reduced Risk: Credentials are regularly cycled, limiting the impact of potential compromise
  • Predictable Schedule: Makes credential management more systematic and easier to automate

Implementation Considerations

  • Choose a rotation interval appropriate for your security requirements and operational needs
  • Ensure your applications can handle credential updates gracefully
  • Monitor for applications still using credentials nearing revocation

Infisical Secret Rotation Strategies

FAQ