System Design Space

Updated: February 21, 2026 at 11:59 PM

Secrets Management Patterns

mid

How to securely manage secrets: secret stores, rotation, dynamic credentials, encryption-at-rest and operational guardrails.

Context

Encryption, keys and TLS

Secrets management complements cryptography: keys must not only be chosen well, but also operated securely (stored, delivered, rotated and revoked).


Secrets Management Patterns are the architectural rules for issuing, storing and rotating secrets securely. Errors in this area lead to critical incidents even when the rest of the security architecture looks mature.

Core secrets patterns

Centralized secret store

Secrets live in a dedicated store (Vault, a cloud KMS, Secrets Manager), not in source code, .env files or CI variables that nobody controls or audits.

Dynamic credentials

Issue short-lived database, queue and cloud credentials (leases with a TTL that can be renewed or revoked) instead of long-lived static secrets, so a leaked credential expires on its own and each workload shows up under its own identity in the audit trail.

Automatic rotation

Rotate keys and tokens on a schedule, and verify the rollback scripts and backward compatibility before relying on them: during the overlap window both the old and the new credential must be accepted, otherwise the rotation itself causes an outage.
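The overlap window is easiest to see in code. The following keyring is an added example written for this page, not code from the original chapter: it signs tokens with HMAC-SHA256 under a key id, keeps exactly one previous key alive after a rotation so tokens issued before the rotation still verify, and rejects them once the overlap is closed. The key-id scheme ("k1", "k2", ...), the token layout "kid.mac.payload" and the EndOverlap step are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Keyring keeps the current signing key and, during the overlap window after
// a rotation, the previous one, so tokens signed before the rotation verify.
type Keyring struct {
	keys       map[string][]byte // key id -> key material
	currentID  string            // key used for new signatures
	previousID string            // key still accepted for verification, "" when none
	generation int               // counter used to mint key ids (assumed scheme: k1, k2, ...)
}

// NewKeyring creates a keyring with one freshly generated key.
func NewKeyring() (*Keyring, error) {
	k := &Keyring{keys: map[string][]byte{}}
	if err := k.Rotate(); err != nil {
		return nil, err
	}
	return k, nil
}

// Rotate installs a new current key and demotes the old current key to
// "previous". A key that was already previous is dropped, so at most two
// keys are live at any time.
func (k *Keyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	if k.previousID != "" {
		delete(k.keys, k.previousID)
	}
	k.previousID = k.currentID
	k.generation++
	k.currentID = fmt.Sprintf("k%d", k.generation)
	k.keys[k.currentID] = key
	return nil
}

// EndOverlap retires the previous key once every consumer has picked up the
// new one; from here on tokens signed with it are rejected.
func (k *Keyring) EndOverlap() {
	if k.previousID != "" {
		delete(k.keys, k.previousID)
		k.previousID = ""
	}
}

// Sign produces "kid.mac.payload"; the kid lets the verifier pick the right key.
func (k *Keyring) Sign(payload string) string {
	mac := hmac.New(sha256.New, k.keys[k.currentID])
	mac.Write([]byte(payload))
	return k.currentID + "." + hex.EncodeToString(mac.Sum(nil)) + "." + payload
}

// Verify checks the token against the key named in it (current or previous)
// and returns the payload. Unknown or retired key ids and bad MACs are rejected.
func (k *Keyring) Verify(token string) (string, error) {
	parts := strings.SplitN(token, ".", 3) // payload may itself contain dots
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	kid, macHex, payload := parts[0], parts[1], parts[2]
	key, ok := k.keys[kid]
	if !ok {
		return "", fmt.Errorf("key %q is unknown or retired", kid)
	}
	got, err := hex.DecodeString(macHex)
	if err != nil {
		return "", errors.New("malformed mac")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	if !hmac.Equal(got, mac.Sum(nil)) { // constant-time comparison
		return "", errors.New("bad signature")
	}
	return payload, nil
}

func main() {
	kr, _ := NewKeyring()
	old := kr.Sign("session=abc")
	_ = kr.Rotate()
	_, err := kr.Verify(old) // nil: previous key still accepted during overlap
	fmt.Println("after rotate:", err)
	kr.EndOverlap()
	_, err = kr.Verify(old) // non-nil: key k1 is retired
	fmt.Println("after overlap:", err)
}
```

The rollback script for this scheme is simply "accept the previous key id again"; the test you want in staging is that tokens signed before the rotation verify until EndOverlap and not afterwards.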

Least privilege access

Each workload receives only the secrets and permissions it needs, and every access is written to a detailed audit log.

In-memory usage

Secrets are never written to logs, core dumps or metrics, and the time they spend in process memory is kept to a minimum (decrypt late, wipe early).
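Most secrets reach logs by accident: a config struct gets dumped with %+v, or an error message interpolates a credential. The wrapper type below is an added example for this page, not code from the original chapter. It makes every text rendering of a secret (fmt verbs, log.Printf, encoding/json) print a placeholder, exposes the raw bytes only through an explicit call, and wipes them when they are no longer needed. The Config struct, the "[REDACTED]" placeholder and the RenderConfig helper are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"strings"
)

const redacted = "[REDACTED]"

// Secret wraps credential bytes so they cannot reach logs, JSON dumps or
// error messages by accident: every text rendering prints a placeholder and
// the raw value is only reachable through Expose().
type Secret struct {
	v []byte
}

// NewSecret copies the input so the caller's buffer can be discarded.
func NewSecret(b []byte) *Secret {
	c := make([]byte, len(b))
	copy(c, b)
	return &Secret{v: c}
}

// String satisfies fmt.Stringer, so %s/%v and log.Printf show the placeholder.
func (s *Secret) String() string { return redacted }

// GoString covers %#v, which would otherwise dump the struct fields.
func (s *Secret) GoString() string { return redacted }

// MarshalJSON keeps the value out of serialized structs (request/response dumps).
func (s *Secret) MarshalJSON() ([]byte, error) { return json.Marshal(redacted) }

// Expose returns the raw bytes for the one place that must use them
// (the database driver, the HTTP client); it is the only path to the value.
func (s *Secret) Expose() []byte { return s.v }

// Zero overwrites the material once it is no longer needed. This is best
// effort (the runtime may have copied the bytes), but it shortens the window
// in which a memory dump would reveal the secret.
func (s *Secret) Zero() {
	for i := range s.v {
		s.v[i] = 0
	}
	s.v = s.v[:0]
}

// Config is an assumed application config holding a secret next to plain fields.
type Config struct {
	User     string  `json:"user"`
	Password *Secret `json:"password"`
}

// RenderConfig returns what a log line and a JSON dump of cfg would contain,
// which is exactly where secrets usually leak.
func RenderConfig(cfg Config) (logLine string, jsonDump string, err error) {
	var sb strings.Builder
	logger := log.New(&sb, "", 0)
	logger.Printf("connecting as %s with %v", cfg.User, cfg.Password)
	js, err := json.Marshal(cfg)
	if err != nil {
		return "", "", err
	}
	return strings.TrimSpace(sb.String()), string(js), nil
}

func main() {
	cfg := Config{User: "app", Password: NewSecret([]byte("hunter2"))}
	line, js, _ := RenderConfig(cfg)
	fmt.Println(line) // connecting as app with [REDACTED]
	fmt.Println(js)   // {"user":"app","password":"[REDACTED]"}
	cfg.Password.Zero()
}
```

The same idea applies to structured loggers and metrics labels: the secret type has to own its rendering, because relying on every call site to remember not to log it does not survive the next refactor.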

Delivery and rotation patterns

  • Pull model: the service fetches secrets at startup and refreshes them when their TTL expires, rather than reading them from hardcoded configs.
  • Sidecar/agent model: a local agent authenticates to the store, renews secrets and mediates the application's access to them.
  • Envelope encryption: data is encrypted with a data encryption key (DEK), and the DEK is itself encrypted with a master key held in a KMS.
  • Break-glass access for emergency scenarios, with mandatory audit and a time limit on the elevated access.
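Envelope encryption, worked through as an added example for this page (not code from the original chapter): each object gets its own random DEK, the data is encrypted locally with AES-256-GCM, and only the 32-byte DEK is sent to the KMS to be wrapped under the master key. The KMS type here is a constructed in-process stand-in for a real key management service, the "dek-wrap" AAD label and the Envelope layout are assumptions, and Rewrap shows why this layout makes master-key rotation cheap: only the wrapped DEK is rewritten, the bulk ciphertext is untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a stand-in for a key management service (constructed for this
// example): it holds the master key (KEK) and only wraps or unwraps small
// DEKs. The KEK never leaves it; a real KMS is a remote API.
type KMS struct{ kek []byte }

func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { return nil, err }
	return &KMS{kek: kek}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext; aad is
// authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	a, err := newAEAD(key)
	if err != nil { return nil, err }
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return a.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	a, err := newAEAD(key)
	if err != nil { return nil, err }
	if len(blob) < a.NonceSize() { return nil, errors.New("ciphertext too short") }
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], aad)
}

// Wrap and Unwrap are the only KMS operations; the AAD ties the blob to its purpose.
func (k *KMS) Wrap(dek []byte) ([]byte, error)    { return seal(k.kek, dek, []byte("dek-wrap")) }
func (k *KMS) Unwrap(blob []byte) ([]byte, error) { return open(k.kek, blob, []byte("dek-wrap")) }

// zero wipes key material once it is no longer needed (best effort: the
// runtime may have copied the slice, so this shortens rather than removes exposure).
func zero(b []byte) { for i := range b { b[i] = 0 } }

// Envelope is what gets persisted: data encrypted under a per-object DEK,
// plus that DEK encrypted under the KMS master key.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt generates a fresh DEK, encrypts the data locally, wraps the DEK via
// the KMS and wipes the plaintext DEK: only 32 bytes cross the KMS boundary.
func Encrypt(kms *KMS, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	defer zero(dek)
	ct, err := seal(dek, plaintext, nil)
	if err != nil { return nil, err }
	wrapped, err := kms.Wrap(dek)
	if err != nil { return nil, err }
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK via the KMS and decrypts locally.
func Decrypt(kms *KMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil { return nil, err }
	defer zero(dek)
	return open(dek, env.Ciphertext, nil)
}

// Rewrap moves an envelope to a new master key by re-wrapping only the DEK;
// the bulk ciphertext is untouched, which is what makes KEK rotation cheap.
func Rewrap(oldKMS, newKMS *KMS, env *Envelope) error {
	dek, err := oldKMS.Unwrap(env.WrappedDEK)
	if err != nil { return err }
	defer zero(dek)
	wrapped, err := newKMS.Wrap(dek)
	if err != nil { return err }
	env.WrappedDEK = wrapped
	return nil
}
```

A real deployment would also record the master key version in the envelope so that Rewrap can be driven by a rotation job, and would rate-limit Unwrap calls per workload, since the KMS audit log of unwraps is the one place where bulk data access becomes visible.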

Related

Supply Chain Security

Secrets in CI/CD are a critical part of securing the supply chain.


Operational checklist

There is an inventory of all secrets with owner, rotation schedule and dependent services.

There are alerts for secrets that are about to expire or have become invalid, raised before the problem becomes a user-facing incident.

CI/CD blocks secret leaks (secret scanning + policy checks).

Rotation is tested in staging and rehearsed in production during game days.

Secrets are divided into environments (dev/stage/prod) without shared credentials.
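The CI/CD item on secret scanning is the one most often reduced to "we run a tool". The scanner below is an added example for this page, not code from the original chapter, and it shows the two halves of such a check: fixed-shape rules (AWS access key ids, PEM private-key headers) and a generic "credential-looking assignment" rule that is gated on Shannon entropy so that placeholders like CHANGEME do not fail every build. The sample lines are constructed for the example; the AWS key in them is the documented AKIAIOSFODNN7EXAMPLE placeholder, and the 3.5 bits/char threshold and the rule names are assumptions. Note that the gate masks what it prints: a scanner that echoes the full match into the CI log has just leaked the secret a second time.

```go
package main

import (
	"fmt"
	"math"
	"os"
	"regexp"
	"strings"
)

// Finding is one suspected secret in the scanned text.
type Finding struct {
	Line  int
	Rule  string
	Match string
}

// rules: well-known credential shapes plus a generic assignment of a long literal.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
	{"generic-assignment", regexp.MustCompile(`(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})`)},
}

// entropyThreshold (bits per character) separates random-looking literals
// from placeholders and words; 3.5 is an assumed, commonly used cut-off.
const entropyThreshold = 3.5

// shannon returns the Shannon entropy of s in bits per character.
func shannon(s string) float64 {
	freq := map[rune]int{}
	for _, r := range s {
		freq[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range freq {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Scan returns findings for text. Fixed-shape rules match as-is; the generic
// rule additionally requires the captured value to look random, so
// "password = CHANGEME_CHANGEME" is not reported while a real token is.
func Scan(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, r := range rules {
			for _, m := range r.re.FindAllStringSubmatch(line, -1) {
				value := m[0]
				if len(m) > 1 && m[1] != "" {
					value = m[1]
					if shannon(value) < entropyThreshold {
						continue
					}
				}
				out = append(out, Finding{Line: i + 1, Rule: r.name, Match: value})
			}
		}
	}
	return out
}

// mask keeps a short prefix so the owner can recognise the secret without the
// CI log itself becoming a copy of it.
func mask(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-4)
}

// sample is a constructed file as it might appear in a pull request.
const sample = `DB_HOST=db.internal
password = CHANGEME_CHANGEME        # placeholder, low entropy: not flagged
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
api_key: "q7Zp9Lm2Xv4Rt8Kc1Nw6Yb3Hd5Fs0Ga"
-----BEGIN RSA PRIVATE KEY-----
token=${VAULT_TOKEN}                  # injected at runtime, not a literal
`

func main() {
	findings := Scan(sample)
	for _, f := range findings {
		fmt.Printf("line %d: %s (%s)\n", f.Line, f.Rule, mask(f.Match))
	}
	if len(findings) > 0 {
		os.Exit(1) // fail the CI job
	}
}
```

The policy-check half of the checklist item is then a matter of where this runs: as a pre-receive hook or a required CI job, with the rule list in the repository so that a new credential shape is a one-line change reviewed like any other.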

Typical antipatterns

Hardcoded secrets in code and IaC templates.

One 'master secret' for dozens of services without segmentation.

Rotation 'someday later' without automation and monitoring.

Secrets in error logs and stack traces.


© 2026 Alexander Polomodov