secrets-management (verified)

Use when designing secret storage, rotation, or credential management systems. Covers HashiCorp Vault patterns, AWS Secrets Manager, Azure Key Vault, secret rotation, and zero-knowledge architectures.

Marketplace: melodic-software (melodic-software/claude-code-plugins)
Plugin: systems-design
Repository: melodic-software/claude-code-plugins (Verified Org, 13 stars)
Path: plugins/systems-design/skills/secrets-management/SKILL.md
Last Verified: January 21, 2026

Install (add-skill CLI):
npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/systems-design/skills/secrets-management/SKILL.md -a claude-code --skill secrets-management

Installation path (Claude): .claude/skills/secrets-management/

Instructions

# Secrets Management

Comprehensive guide to managing secrets, credentials, and sensitive configuration, from storage through rotation to access control.

## When to Use This Skill

- Designing secret storage architecture
- Implementing secret rotation
- Integrating applications with secret stores
- Managing API keys, passwords, certificates
- Understanding Vault, AWS Secrets Manager, Azure Key Vault
- Zero-knowledge and envelope encryption patterns

## Secrets Management Fundamentals

### What Are Secrets?

```text
Types of Secrets:

Credentials:
├── Database passwords
├── API keys
├── OAuth client secrets
├── SSH private keys
└── Service account tokens

Certificates:
├── TLS certificates and private keys
├── Code signing certificates
├── Client certificates
└── CA certificates

Encryption Keys:
├── Data encryption keys (DEK)
├── Key encryption keys (KEK)
├── HMAC keys
└── Signing keys

Sensitive Configuration:
├── Connection strings
├── License keys
├── Webhook URLs with tokens
└── Third-party credentials
```

### Secrets Lifecycle

```text
Secret Lifecycle:

1. Generation
   ├── Create with sufficient entropy
   ├── Use cryptographic randomness
   └── Appropriate key length

2. Storage
   ├── Encrypt at rest
   ├── Access control
   └── Audit logging

3. Distribution
   ├── Secure transport (TLS)
   ├── Just-in-time access
   └── Minimize copies

4. Usage
   ├── Memory protection
   ├── Minimize exposure window
   └── Clear after use

5. Rotation
   ├── Regular schedule
   ├── Zero-downtime rotation
   └── Update all consumers

6. Revocation
   ├── Immediate effect
   ├── Propagate to all systems
   └── Audit trail

7. Destruction
   ├── Secure deletion
   ├── Verify removal
   └── Clear backups
```
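The lifecycle above is easiest to reason about when the stages are visible as operations on one versioned secret. The following is an added example written for this page, not code from the skill or from any of the secret stores it names: a hypothetical in-memory `SecretStore` that generates with a CSPRNG, keeps an audit trail, rotates with a grace window during which both the old and new version are accepted (the zero-downtime part), revokes immediately regardless of that window, and purges dead versions. The secret name `db-password`, the grace period and the fixed start time are constructed values; a production store would additionally encrypt the values at rest and enforce access control, which this example omits.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class SecretVersion:
    version: int
    value: bytes                            # plaintext here; a real store encrypts at rest
    expires_at: Optional[datetime] = None   # set once a newer version supersedes this one
    revoked: bool = False


class SecretStore:   # hypothetical versioned store; walks the lifecycle stages above
    def __init__(self, key_bytes: int = 32,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        if key_bytes < 16:                  # 1. Generation: insist on at least 128 bits
            raise ValueError("secret length below 128 bits of entropy")
        self.key_bytes = key_bytes
        self.clock = clock
        self._versions: dict[str, list[SecretVersion]] = {}
        self.audit: list[tuple[datetime, str, str, int]] = []   # 2. Storage: audit trail

    def _log(self, action: str, name: str, version: int) -> None:
        self.audit.append((self.clock(), action, name, version))

    def _live(self, v: SecretVersion) -> bool:
        return not v.revoked and (v.expires_at is None or self.clock() < v.expires_at)

    def generate(self, name: str) -> bytes:
        # 1. Generation: CSPRNG output, never a hand-picked or derived value
        if name in self._versions:
            raise ValueError(f"{name!r} already exists; use rotate()")
        self._versions[name] = [SecretVersion(1, secrets.token_bytes(self.key_bytes))]
        self._log("generate", name, 1)
        return self._versions[name][0].value

    def rotate(self, name: str, grace: timedelta) -> bytes:
        # 5. Rotation: the new version becomes current while the old one stays valid for a
        # grace window, so every consumer can switch over with zero downtime
        versions = self._versions[name]
        versions[-1].expires_at = self.clock() + grace
        versions.append(SecretVersion(versions[-1].version + 1, secrets.token_bytes(self.key_bytes)))
        self._log("rotate", name, versions[-1].version)
        return versions[-1].value

    def verify(self, name: str, presented: bytes) -> Optional[int]:
        # 4. Usage: constant-time comparison against every version still inside its window
        for v in self._versions.get(name, []):
            if self._live(v) and hmac.compare_digest(v.value, presented):
                self._log("verify", name, v.version)
                return v.version
        return None

    def revoke(self, name: str, version: int) -> None:
        # 6. Revocation: immediate, regardless of any remaining grace window
        for v in self._versions[name]:
            if v.version == version:
                v.revoked = True
                self._log("revoke", name, version)
                return
        raise KeyError(version)

    def purge(self, name: str) -> int:
        # 7. Destruction: drop revoked and expired versions; returns how many were removed
        dropped = [v for v in self._versions[name] if not self._live(v)]
        for v in dropped:
            self._log("destroy", name, v.version)
        self._versions[name] = [v for v in self._versions[name] if self._live(v)]
        return len(dropped)


def walk_lifecycle() -> dict:
    """Drive one constructed secret through every stage and report what each allowed."""
    now = [datetime(2026, 1, 1, tzinfo=timezone.utc)]   # constructed, adjustable clock
    store = SecretStore(clock=lambda: now[0])
    v1 = store.generate("db-password")
    v2 = store.rotate("db-password", grace=timedelta(hours=1))
    overlap = (store.verify("db-password", v1), store.verify("db-password", v2))
    now[0] += timedelta(hours=2)                        # grace window has now passed
    after_window = (store.verify("db-password", v1), store.verify("db-password", v2))
    store.revoke("db-password", 2)                      # suspected leak: kill it immediately
    after_revoke = store.verify("db-password", v2)
    return {
        "overlap": overlap,                   # (1, 2): both accepted during rotation
        "after_window": after_window,         # (None, 2): old version has aged out
        "after_revoke": after_revoke,         # None: revocation takes effect at once
        "purged": store.purge("db-password"), # 2: nothing live is left
        "actions": [a for _, a, _, _ in store.audit],
    }
```

The injectable clock is what makes the rotation window testable without sleeping; the same shape (a grace window on the superseded version, an independent revoked flag, and a purge that only removes versions no consumer can still present) is the behaviour to look for when evaluating a real secret store's rotation support.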

## Architecture Patterns

### Centralized Secret Store

```text
Centralized Architecture:

┌─────────────────────────────────────────────────┐
│              Secret Store                        │
│  ┌─────────────────────────────────────────┐    │
│  │  • Encrypted stora
```

Validation Details: front matter, required fields, valid name format, valid description, has sections, allowed tools. Instruction length: 12446 chars.