Secret Rotation Overview
Secret rotation is a process that involves updating secret credentials periodically to minimize the risk of their compromise. Rotating secrets helps prevent unauthorized access to systems and sensitive data by ensuring that old credentials are replaced with new ones regularly.
Rotated secrets may include, but are not limited to:
- API keys for external services
- Database credentials for various platforms
The practice of rotating secrets is a systematic and interval-based operation, carried out in four fundamental phases.
The system initiates the rotation process by either making an API call to an external service or generating a new secret value internally. Upon successful creation, the system will temporarily have three versions of the secret:
- Current active secret: The one currently in use.
- Future active secret (pending): The newly created secret, awaiting validation.
- Previous active secret: The old secret, soon to be retired.
The newly generated secret is subjected to a verification process to ensure its validity and functionality. This involves conducting checks or tests that simulate actual operations the secret would perform. Only the current active and the future active (pending) secrets are considered operational at this stage, while the previous active secret remains in standby mode.
Post-verification, the system deactivates and deletes the previous active secret, leaving only the current and future active (pending) secrets in the system.
Finally, the system promotes the future active (pending) secret to be the new current active secret. It then triggers necessary side effects, such as invoking webhooks and generating events, to notify other services of the change.