Secret rotation is a process that involves updating secret credentials periodically to minimize the risk of their compromise. Rotating secrets helps prevent unauthorized access to systems and sensitive data by ensuring that old credentials are replaced with new ones regularly.

Rotated secrets may include, but are not limited to:

  1. API keys for external services;
  2. Database credentials for various platforms.

Rotation Process

The practice of rotating secrets is a systematic and interval-based operation, carried out in four fundamental phases.

1. Creation

The system initiates the rotation process by either making an API call to an external service or generating a new secret value internally. Upon successful creation, the system will temporarily have three versions of the secret:

  • Current active secret: The one currently in use.
  • Future active secret (pending): The newly created secret, awaiting validation.
  • Previous active secret: The old secret, soon to be retired.

2. Testing

The newly generated secret is subjected to a verification process to ensure its validity and functionality. This involves conducting checks or tests that simulate actual operations the secret would perform. Only the current active and the future active (pending) secrets are considered operational at this stage, while the previous active secret remains in standby mode.

3. Deletion

Post-verification, the system deactivates and deletes the previous active secret, leaving only the current and future active (pending) secrets in the system.

4. Activation

Finally, the system promotes the future active (pending) secret to be the new current active secret. It then triggers necessary side effects, such as invoking webhooks and generating events, to notify other services of the change.

Infisical Secret Rotation Strategies

  1. SendGrid Integration
  2. PostgreSQL/CockroachDB Implementation
  3. MySQL/MariaDB Configuration
  4. AWS IAM User