July 10, 20268 min readBy Infiniti Tech Partners
Secrets Management and Key Rotation: Stop Leaking Credentials

The most common serious breach isn't an exotic exploit — it's a leaked credential. An API key committed to a repo, a database password in a Slack message, a long-lived cloud key on a laptop that got stolen. Secrets are the keys to your kingdom, and most growth-stage companies manage them far more casually than the damage warrants: a .env file passed around, credentials hardcoded 'temporarily,' keys that were issued at founding and never changed. Secrets management is the discipline of storing those credentials safely, controlling who and what can read them, rotating them regularly, and containing the blast radius when one leaks — because eventually one will. It's unglamorous, it's foundational, and it's the control auditors and attackers both go looking for first.

Get secrets out of your code and config

The first rule is that secrets never live in your source code — not in the repo, not in a config file you commit, not hardcoded 'just for now.' Once a secret touches git history it's effectively public forever, because rewriting history rarely reaches every clone, fork, and backup; the only real fix is rotating the leaked credential. Environment variables were the traditional step up, and a .env file kept out of version control is better than a hardcoded key — but it's still a plaintext secret sitting on disk, readable by anything running as that user, with no audit trail and no rotation story. The modern answer is a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault): secrets are stored encrypted, access is authenticated and logged, and applications fetch them at runtime instead of baking them in. This is table-stakes for SOC 2 and non-negotiable for anything touching regulated data.

What a secrets manager buys you

  • Central, encrypted storage: one audited source of truth instead of secrets scattered across .env files, CI configs, and someone's password manager.
  • Access control and audit: fine-grained policies on who and what can read each secret, plus a log of every access — so you can answer 'who could read the prod database password?' and 'who did, and when?'
  • Rotation support: the machinery to change a secret and roll it out without a redeploy, ideally on a schedule.
  • Dynamic secrets: the strongest pattern — the vault generates short-lived, on-demand credentials (e.g. a database login valid for an hour) unique to each consumer, so there's no long-lived secret to steal and access self-expires.
  • Encryption as a service: keep the master keys in the vault or a dedicated KMS/HSM and let it do the crypto, so raw keys never sprawl across your services.

Rotation: because leaks are inevitable

Every secret should have a lifespan. A key that never changes is a key that, once leaked — via a breach, a departing employee, a compromised laptop — grants access indefinitely, and you may never know it happened. Rotation caps that exposure: rotate on a schedule (quarterly for long-lived credentials is a reasonable floor, more often for high-value ones) and immediately on any trigger — an employee with access leaves, a possible exposure, a vendor breach. The reason teams don't rotate is that it's painful when done by hand, which is exactly why it has to be automated: the secrets manager issues the new credential, updates the consumers, and retires the old one with a brief overlap so nothing breaks mid-swap. Dynamic secrets are rotation taken to its limit — credentials so short-lived that 'rotation' is just their normal expiry, and a leaked one is worthless within the hour.

Least privilege and machine identity

A secret is only as safe as the scope of what it unlocks. Every credential should grant the minimum access its holder needs — a service that only reads from one table gets a credential that can only read that table, so a leak is a contained problem rather than a full compromise. This is the same least-privilege principle that limits the blast radius of a prompt injection against an agent: assume the credential will eventually be exposed and design so that when it is, the damage is bounded. The harder half is machine identity — services, containers, and CI jobs need to authenticate to the vault without a bootstrap secret, which is its own chicken-and-egg. Modern platforms solve it with workload identity (cloud IAM roles, signed workload tokens) so a pod proves what it is to the vault and gets scoped, short-lived credentials, with no static key to leak in the first place.

Containing a leak when it happens

Assume a secret will eventually leak and build so that it's survivable, not catastrophic. Scan for it: automated secret scanning on every commit and in CI catches the accidental key push before it merges — cheap insurance that stops the most common leak at the door. Detect misuse: alert on anomalous credential use, like a production key suddenly calling from an unfamiliar IP or region. And rehearse the response, because a leak is an incident: revoke and rotate the exposed secret immediately, review the audit log for what it accessed while exposed, and run the blameless postmortem to fix the system that allowed the leak — the developer who pasted a key into a ticket is a symptom; the absence of a vault and a scanner is the cause. Fast rotation is what turns a leaked credential from a breach into a footnote.

How Infiniti Tech Partners secures credentials

We get secrets out of your code and config and into a managed vault with real access control, audit logging, and automated rotation — moving you toward short-lived, dynamically issued credentials and workload identity so there's less standing secret to steal. We wire in commit-time secret scanning, least-privilege scoping, and a tested revoke-and-rotate response so a leak is contained in minutes, not discovered in a breach report. It's foundational security that also clears a major line item for SOC 2, ISO 27001, and HIPAA. If your secrets still live in .env files and Slack history, this is the gap to close first.

Frequently asked questions

Why shouldn't you store secrets in a .env file?

A .env file kept out of version control is better than hardcoding a key, but it's still a plaintext secret sitting on disk, readable by anything running as that user, with no audit trail and no rotation story. Secrets should never live in source code at all — once a secret touches git history it's effectively public forever, because rewriting history rarely reaches every clone, fork, and backup. The modern answer is a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault) where secrets are stored encrypted, access is authenticated and logged, and applications fetch them at runtime.

How often should you rotate secrets and keys?

Every secret should have a lifespan. Rotate long-lived credentials on a schedule — quarterly is a reasonable floor, more often for high-value ones — and immediately on any trigger, such as an employee with access leaving, a possible exposure, or a vendor breach. Because manual rotation is painful, it has to be automated: the secrets manager issues the new credential, updates consumers, and retires the old one with a brief overlap. Dynamic secrets take this to the limit — credentials so short-lived that a leaked one is worthless within the hour.

What are dynamic secrets?

Dynamic secrets are short-lived credentials that a vault generates on demand, unique to each consumer — for example a database login valid for one hour rather than a static password shared across services. Because the credential self-expires, there's no long-lived secret to steal, and a leaked one becomes worthless almost immediately. It's the strongest secrets pattern: rotation taken to its limit, where 'rotation' is just the credential's normal expiry, which dramatically shrinks the window an attacker has to exploit an exposed key.

Have a related problem you're working on?

Talk to a senior engineer — usually within one business day.

Start a conversation