Lifecycle
Secrets are created using cryptographically secure random generators or issued by identity providers. Strong entropy and appropriate length are enforced by policy.
Secrets are encrypted at rest in a centralized vault. Access is gated by identity-based policies; secrets are never stored in plaintext in code, config files, or environment variables.
Applications retrieve secrets at runtime via APIs or sidecars. Secrets are injected into workloads dynamically, never baked into images or artifacts.
Secrets are automatically rotated on a schedule or in response to events. Dynamic secrets with short TTLs are preferred, as they minimize the blast radius of a compromise.
Compromised secrets are revoked instantly. Every access is logged for compliance and forensic analysis. Alerts fire on anomalous access patterns.
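The lifecycle stages above, carried through in one small in-memory vault as an added example (this is illustrative code, not the page's or any vault product's own implementation). It demonstrates CSPRNG generation with a policy-enforced minimum length, identity-gated runtime retrieval, dynamic secrets bound to a TTL, rotation, instant revocation, an audit log of every access, and an alert on an anomalous read rate. The class and function names, the policy thresholds, and the `FakeClock` used to make expiry deterministic are all assumptions made for the illustration; encryption at rest is out of scope here, so a plain dictionary stands in for the encrypted store.

```python
"""Minimal secrets-lifecycle vault (added example; names and thresholds are assumptions)."""
import secrets
import time
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

MIN_SECRET_BYTES = 32      # policy: at least 256 bits of entropy (assumed threshold)
ANOMALY_WINDOW_S = 60      # alert if one principal reads more than this many secrets per window
ANOMALY_MAX_READS = 5


@dataclass
class Lease:
    value: str
    owner_roles: frozenset   # roles permitted to read this secret
    expires_at: float        # absolute time; dynamic secrets are short-lived
    revoked: bool = False


def generate_secret(nbytes: int = MIN_SECRET_BYTES) -> str:
    """Create a secret from the OS CSPRNG; refuse anything below the policy length."""
    if nbytes < MIN_SECRET_BYTES:
        raise ValueError(f"secret length {nbytes} is below policy minimum {MIN_SECRET_BYTES}")
    return secrets.token_urlsafe(nbytes)


class Vault:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._store: Dict[str, Lease] = {}
        self.audit_log: List[dict] = []            # every access attempt, allowed or not
        self.alerts: List[str] = []
        self._recent_reads: Dict[str, Deque[float]] = {}

    def issue(self, name: str, roles: set, ttl_s: float) -> None:
        """Mint a dynamic secret bound to a TTL and an identity-based access policy."""
        self._store[name] = Lease(generate_secret(), frozenset(roles), self._clock() + ttl_s)

    def read(self, name: str, principal: str, role: str) -> Optional[str]:
        """Identity-gated runtime retrieval; returns None (and logs why) on denial."""
        lease = self._store.get(name)
        now = self._clock()
        if lease is None:
            reason = "missing"
        elif lease.revoked:
            reason = "revoked"
        elif now >= lease.expires_at:
            reason = "expired"
        elif role not in lease.owner_roles:
            reason = "policy_denied"
        else:
            reason = None
        self._log(name, principal, reason)
        if reason is not None:
            return None
        self._track_reads(principal, now)
        return lease.value

    def rotate(self, name: str, ttl_s: float) -> None:
        """Replace the secret value; the previous value is unusable after this call."""
        old = self._store[name]
        self._store[name] = Lease(generate_secret(), old.owner_roles, self._clock() + ttl_s)

    def revoke(self, name: str) -> None:
        """Instant revocation: subsequent reads fail regardless of remaining TTL."""
        self._store[name].revoked = True

    def _log(self, name: str, principal: str, reason: Optional[str]) -> None:
        self.audit_log.append({"t": self._clock(), "secret": name, "principal": principal,
                               "result": "ok" if reason is None else reason})

    def _track_reads(self, principal: str, now: float) -> None:
        """Sliding-window read counter per principal; fires an alert past the threshold."""
        q = self._recent_reads.setdefault(principal, deque())
        q.append(now)
        while q and now - q[0] > ANOMALY_WINDOW_S:
            q.popleft()
        if len(q) > ANOMALY_MAX_READS:
            self.alerts.append(f"anomalous read rate for {principal}: {len(q)} reads in {ANOMALY_WINDOW_S}s")


class FakeClock:
    """Controllable clock so TTL expiry is deterministic in the walkthrough."""
    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Walk one secret through issue, read, denial, rotation, expiry, anomaly and revocation."""
    clock = FakeClock()
    v = Vault(clock=clock)
    v.issue("db/password", roles={"api"}, ttl_s=300)
    first = v.read("db/password", "svc-api", "api")
    denied = v.read("db/password", "svc-batch", "batch")      # role not in policy
    v.rotate("db/password", ttl_s=300)
    second = v.read("db/password", "svc-api", "api")          # new value after rotation
    clock.now += 301                                          # past the TTL
    expired = v.read("db/password", "svc-api", "api")
    v.issue("cache/token", roles={"api"}, ttl_s=60)
    for _ in range(ANOMALY_MAX_READS + 1):                    # one read over the threshold
        v.read("cache/token", "svc-api", "api")
    v.revoke("cache/token")
    revoked = v.read("cache/token", "svc-api", "api")
    return {"first": first, "second": second, "denied": denied, "expired": expired,
            "revoked": revoked, "alerts": list(v.alerts),
            "results": [e["result"] for e in v.audit_log]}


if __name__ == "__main__":
    for k, val in demo().items():
        print(k, val)
```

The audit log records denials as well as successes, which is what makes the forensic timeline useful; the anomaly check is deliberately simple (a per-principal sliding window) and in a real deployment would be replaced by the vault's or SIEM's own detection rules.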