Secret Rotation
Learn how to set up automated secret rotation in Infisical.
Introduction
Secret rotation is a security best practice that involves systematically updating credentials and access tokens at regular intervals to minimize the risk of compromise. By proactively replacing existing secrets with new ones, organizations reduce the potential impact of credential theft or leakage.
Examples of rotated secrets include:
- API keys and authentication tokens for cloud services and third-party integrations
- Database credentials across production, staging, and development environments
How Rotation Works
Secret Rotation systematically replaces secrets at regular intervals while ensuring zero downtime for your applications. This overlapping lifecycle approach maintains continuous availability while enhancing your security posture.
Visual Timeline
Credential States
Each set of credentials transitions through three distinct states:
-
Active: The primary credentials that will be used for new connections
-
Inactive: These credentials are still valid but are no longer issued for new connections
Some rotation providers utilize a single credential set due to technical constraints. As a result, inactive credentials for these providers will immediately become invalid once rotated.
To avoid service interruptions, Infisical recommends manually rotating these credentials to prevent downtime.
-
Revoked: Permanently invalidated and deleted from the system
Rotation Cycle Example (30-Day Interval)
Using a 30-Day rotation interval as an example, here’s how the process unfolds:
-
Day 0
Credential set 1is issued and set to Active- Applications begin using this set for authentication
-
Day 30
Credential set 2is issued and set to ActiveCredential set 1transitions to Inactive but remains valid- New connections utilize set 2 while existing connections with set 1 continue to work
This overlapping validity period ensures that at any point during the active period of a credential set, you are guaranteed that retrieved credentials will be valid for the specified rotation period.
-
Day 60
Credential set 3is issued and set to ActiveCredential set 2transitions to Inactive but remains validCredential set 1is Revoked and securely deleted- By now, all applications should have transitioned to using set 2 or 3
-
Day 90
Credential set 4is issued and set to ActiveCredential set 3transitions to Inactive but remains validCredential set 2is Revoked and securely deleted- The cycle continues…
Benefits of This Approach
- Zero Downtime: Applications always have valid credentials
- Grace Period: The inactive period gives applications time to update to new credentials
- Reduced Risk: Credentials are regularly cycled, limiting the impact of potential compromise
- Predictable Schedule: Makes credential management more systematic and easier to automate
Implementation Considerations
- Choose a rotation interval appropriate for your security requirements and operational needs
- Ensure your applications can handle credential updates gracefully
- Monitor for applications still using credentials nearing revocation
Infisical Secret Rotation Strategies
FAQ
Why do certain rotations only use a single credential set?
Why do certain rotations only use a single credential set?
Some credential providers have limitations that affect rotation patterns:
- The third-party provider’s API only supports managing one active credential set at a time
- The specific use-case (such as personal login accounts) is inherently limited to a single active credential
In either scenario, when service continuity is critical, Infisical recommends disabling auto-rotation and performing manual credential rotation during scheduled maintenance windows.