Secrets Management
How do you securely manage secrets (passwords, API keys, certificates) in a DevOps environment?
Secrets management covers storing, accessing, and rotating sensitive data securely. Best practices:
- Never commit secrets to version control.
- Use a dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault).
- Inject secrets at runtime via environment variables or mounted volumes.
- Enforce least-privilege access to each secret.
- Rotate secrets regularly.
- Audit every access to a secret.
In Kubernetes, use an external secrets operator rather than plain Secrets objects, whose data is only base64-encoded, not encrypted.
Secrets in plain text are a security nightmare: leaked .env files, passwords in commits, and secrets echoed into logs all cause breaches. Modern secrets management provides encryption at rest and in transit, access logging, automatic rotation, and centralized control. This is a critical security domain that every DevOps engineer must understand.
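Runtime injection via a mounted volume, and rotation without downtime, as an added example that is not code from the original page or from any of the tools named above. It assumes a secrets manager or operator rewrites a file mounted into the container; MountedSecret, call_with_retry, FakeBackend and the file name db-password are hypothetical names, and the backend is a constructed stand-in.

```python
import tempfile
import time
from pathlib import Path

class MountedSecret:
    """Secret read from a file mounted into the container (Kubernetes Secret volume,
    or a file rendered by a Vault agent / external-secrets sidecar); cached for ttl seconds."""
    def __init__(self, path, ttl=30.0):
        self.path, self.ttl = Path(path), ttl
        self._value, self._loaded_at = None, 0.0

    def reload(self):
        self._value = self.path.read_text(encoding="utf-8").strip()
        self._loaded_at = time.monotonic()

    def get(self):
        if self._value is None or time.monotonic() - self._loaded_at >= self.ttl:
            self.reload()
        return self._value

def call_with_retry(secret, op):
    """Call op(value); if the backend rejects a credential rotated after the last
    refresh, reload once and retry, so rotation costs one failed request, not a redeploy."""
    try:
        return op(secret.get())
    except PermissionError:
        secret.reload()
        return op(secret.get())

class FakeBackend:
    """Constructed stand-in for a database or API that accepts a set of valid keys."""
    def __init__(self, valid):
        self.valid, self.calls = set(valid), 0
    def query(self, key):
        self.calls += 1
        if key not in self.valid:
            raise PermissionError("credential rejected")
        return "ok"

def demo():
    """Rotate the secret while the app still holds the old value in its cache."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "db-password"
        path.write_text("pw-v1\n")
        backend, secret = FakeBackend({"pw-v1"}), MountedSecret(path, ttl=3600)
        first = call_with_retry(secret, backend.query)
        path.write_text("pw-v2\n")   # secrets manager writes the rotated value
        backend.valid = {"pw-v2"}    # old credential is revoked
        second = call_with_retry(secret, backend.query)
        return first, second, secret.get(), backend.calls
```

In production, pair the short cache TTL with an overlap window during which the backend accepts both the old and the new credential, so the retry path is the exception rather than the rule.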
HashiCorp Vault basic usage
External Secrets Operator
- Setting secrets with ENV in Dockerfiles (they remain visible in the image history)
- Using Kubernetes Secrets without encryption (they are only base64-encoded)
- Not rotating secrets after a team member leaves
- How would you implement secret rotation without application downtime?
- What is the difference between encryption at rest and in transit?
- How do you handle secrets in CI/CD pipelines securely?