DEV Community

Mustafa ERBAY
Mustafa ERBAY

Posted on • Originally published at mustafaerbay.com.tr

Secret Rotation: 3 Core Principles for Secure Applications

#life #security #devsecops #secretsmanagement

There's a constant authentication flow between the servers running our applications, databases, APIs, and external services. At the heart of this flow lie what we call "secrets": sensitive information like database passwords, API keys, certificates, and tokens. I see them as the keys to a building. Every building key has a specific lifespan and security risk. If a key is stolen or copied, the security of that building is compromised. This is precisely why regularly changing these keys, i.e., performing "secret rotation," is mandatory.

From what I've observed over the years, secret rotation is often either not done at all or is attempted at the last minute, during a crisis, in a manual and stressful manner. I even recall it taking me several hours to realize that an API key had expired and services had stopped during the early stages of one of my side projects. This situation can lead directly to operational downtime, beyond just being a security risk. Therefore, we need to move secret rotation from a security checklist item to a fundamental part of operational resilience. In this post, I will share three core principles I've identified based on my own experiences, along with the details surrounding them.

Principle 1: Automated Rotation is Non-Negotiable

Manual secret rotation is typically a process prone to human error, time-consuming, and inconsistent. In my own projects, whether it was for an ERP system at a manufacturing firm or the backend of my mobile app, every time I attempted manual rotation, I either skipped a critical step or caused unnecessary service interruptions. I vividly remember a period where I had to manually change a specific API key every 3 months, and how this task was consistently postponed, only to be done at 2:00 AM on a Friday night when an alarm finally went off. This not only increases the operational burden on the team but also keeps the risk of security vulnerabilities constantly alive.

Automation is indispensable for this process. While it's hard for a human to remember to change a password once a week or month, an automated system can do it flawlessly. Automation allows secrets to be rotated more frequently and without errors. This not only improves our security posture but also significantly limits the blast radius if a secret is compromised. In a scenario I observed on an internal banking platform, when a manually rotated database password was leaked, its active duration was 6 months. With automated rotation, this period would likely have been limited to 24-48 hours, and the potential damage would have been much less.

ℹ️ Tools for Automation

Specialized tools like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or Google Secret Manager are available for secret management and rotation. On my own VPS and for my side projects, I generally use custom automation scripts and systemd timers. While this is a more "bare-metal" approach, it offers sufficient flexibility for small to medium-sized projects.

In my own CI/CD pipelines, I use a simple Bash script to rotate a database password, for example. This script generates a new password, updates it in the database, and then updates the application's relevant configuration file and triggers a redeployment. While this requires some initial investment, it dramatically reduces operational costs and error rates in the long run. For instance, a script I use to rotate a database password might follow this flow:

#!/bin/bash

DB_USER="my_app_user"
NEW_DB_PASSWORD=$(openssl rand -base64 32)
OLD_DB_PASSWORD_FILE="/etc/app/db_password_old" # Where I temporarily store the old password

# 1. Apply the new password to PostgreSQL
psql -U admin_user -d my_database -c "ALTER USER $DB_USER WITH PASSWORD '$NEW_DB_PASSWORD';"

# 2. Ensure the application uses the new password
# This step varies depending on how the application is configured.
# For example, if it's a .env file:
sed -i "s/^DB_PASSWORD=.*/DB_PASSWORD=$NEW_DB_PASSWORD/" /etc/app/config/.env
# Or if it's a Kubernetes Secret:
# kubectl create secret generic db-secret --from-literal=password=$NEW_DB_PASSWORD --dry-run=client -o yaml | kubectl apply -f -

# 3. Back up the old password somewhere (for rollback or dual-key transition)
echo "$DB_PASSWORD_CURRENT" > $OLD_DB_PASSWORD_FILE

# 4. Restart application services (see next principle for downtime-free transition)
systemctl reload my_app_service # Or docker-compose restart my_app

# 5. If successful, delete the old password; otherwise, issue a warning
if [ $? -eq 0 ]; then
    rm $OLD_DB_PASSWORD_FILE
    echo "Secret rotation completed successfully."
else
    echo "Secret rotation failed, old password saved to $OLD_DB_PASSWORD_FILE"
fi
Enter fullscreen mode Exit fullscreen mode

This script is just an example. In real-world scenarios, more error checking, logging, and security layers would need to be added. But the core idea is to eliminate manual steps. Once automation is set up, these tasks are handled automatically in the background for me, and I just check the journalctl -u my_secret_rotation.timer output.

Principle 2: Every Secret Should Have Its Own Lifecycle

Rotating all secrets with the same frequency or method creates unnecessary operational overhead and can lead to certain critical secrets not being adequately protected. The risk profile or usage frequency of a database password is not the same as that of an internal network VPN key. In a client project, there was a general policy of rotating all secrets every 6 months. However, this was insufficient for weekly API keys while unnecessarily creating hassle for annual SSL certificates. The fact that each secret needed to be evaluated in its own context was a lesson that cost me dearly.

Each type of secret should have its own "lifecycle" based on factors such as potential compromise risk, blast radius, usage frequency, and rotation difficulty.

  • Database Passwords: These are generally high-risk secrets. A compromise can grant access to all data. I typically rotate these monthly or bi-monthly.
  • API Keys (for External Services): These keys are used for integration with third-party services. If leaked, they can grant access to data or operations within that service. Weekly or bi-weekly rotations are ideal. I rotate the API keys used for my side project's payment integration weekly.
  • Internal Application API Keys (Microservice Communication): Used for inter-service communication within the application. The risk is lower than external APIs, but there's still a risk of unauthorized internal access if leaked. Can be rotated monthly or quarterly.
  • SSL/TLS Certificates: These typically expire in 3 months (Let's Encrypt) or around 1 year. Their rotation is handled by automated certificate management tools and is usually referred to as renewal. I use certbot for automatic renewal on my Nginx reverse proxies and ensure seamless application by using the nginx -s reload command. [Related: Configuring Secure Reverse Proxy with Nginx]
  • SSH Keys: Used for server access. Highly sensitive. Usually rotated less frequently (e.g., every six months), but access controls must be very strict (passphrase, 2FA).

To manage these different lifecycles, it's necessary to categorize secrets and define specific rotation policies for each category. Keeping an inventory and recording information such as type, purpose, responsible team, last rotation date, and next rotation date for each secret has been very helpful for me in this process. In an inventory system for a manufacturing ERP, the rotation cycle for critical API keys was 28 days, while the read-only database secrets used by the reporting systems rotated every 90 days. This distinction was crucial for both security and operational efficiency.

⚠️ The Importance of Maintaining a Secret Inventory

Not knowing which secret is what, where it's used, and who is responsible is one of the biggest obstacles in secret management and rotation. Maintaining an inventory prevents this chaos and also simplifies your work during security audits. I use a simple Markdown file or a wiki page for this purpose.

When determining the lifecycle of each secret, I consider the potential risk of compromise and the impact if a compromise occurs. For example, the password my application uses for its Redis cache, not containing sensitive data directly, might not need to be rotated as frequently as a database password. However, if Redis's authentication mechanism is weak, then more frequent rotation might be necessary. Establishing this balance correctly allows us to direct resources to the right places.

Principle 3: Zero Downtime Approach for Seamless Operation

Secret rotation is a critical operation that can lead to service interruptions if not performed correctly. Many times, I've seen systems lock up because the application tried to connect with the old password after a new one was deployed and failed. Specifically, during a database password rotation at a large Turkish e-commerce site, a 15-minute outage caused millions of dollars in losses. This incident once again showed me how critical secret rotation is not just for security but also for business continuity.

The zero downtime approach aims to perform secret rotation without affecting the operation of applications. I use a few different techniques for this:

  1. Dual-Key Approach: This is one of the most common and secure methods. When a new secret is generated, we ensure that both the old and new secrets are valid for a certain period. Applications gradually transition to the new secret.

    • Step 1: The new secret is generated and saved in the database or by the service provider. The old secret is still valid.
    • Step 2: A new version of the application is deployed using the new secret. Older versions still use the old secret.
    • Step 3: Once all applications are using the new secret, the old secret is disabled or deleted.
    • Example: A user cannot have two passwords in PostgreSQL, but some services (e.g., API Gateways or custom secret management systems) can accept both old and new API keys simultaneously. For databases, it's often more practical to empty the application's connection pool and refill it, or perform a rolling deployment.

  2. Rolling Deployments: This is a very effective method for containerized environments (Docker Compose or Kubernetes). New application images updated with the new secret are deployed by restarting services one after another. As each container receives the new secret and starts, other containers continue to run with the old secret.

    • I can update a specific number of containers one by one using commands like docker-compose up -d --scale my_service=3.
    • In Kubernetes, this is the natural behavior of Deployment resources. The kubectl apply -f deployment.yaml command gradually deploys an updated image with the new secret.

  3. Graceful Restarts / Dynamic Configuration: Some applications or services can dynamically update their configurations without restarting or with minimal downtime.

    • Nginx: When updating SSL certificates, I can load the new certificates using the nginx -s reload command. This starts using the new certificate for new connections without interrupting existing ones.
    • Custom Applications: In some services I've written myself, I've used a mechanism that detects changes in a configuration file and reloads secrets. This can be done with inotify or a simple polling mechanism.

Each of these approaches has its own trade-offs. The dual-key approach might be the most secure but may not be supported by every service. Rolling deployments are great for containerized environments but can be more challenging for a monolith application. Graceful restarts depend on the application's architecture. The important thing is to determine which method is most suitable for your project and application, and plan your rotation strategy accordingly. For example, in a manufacturing ERP, I had to combine the rolling deployment with the dual-key approach for the main database password. This was a complex process, but uninterrupted service was a priority for a 24/7 system.

Operational Benefits and Challenges of Secret Rotation

Regularly implementing secret rotation goes beyond being just a security checklist item; it provides significant benefits to our operational processes. However, these processes also have their own unique challenges. In my twenty years in system administration, software development, and operations, I've seen countless times how important it is to manage this balance effectively.

Operational Benefits:

  • Improved Security Posture: This is the most obvious benefit. If a secret is leaked, regular rotation shortens the validity period of that secret, and the information in the attacker's hands becomes invalid faster. This significantly limits the blast radius in case of a security breach. In a client project, we identified that a leaked secret in an environment with manual rotation remained active for 180 days, posing a significant risk of data loss during that period. With automated rotation, this period could have been reduced to 24 hours.
  • Auditing and Compliance: Many regulations and standards like GDPR, SOC2, and HIPAA mandate the regular rotation of sensitive information. Regular rotation processes are strong evidence for demonstrating compliance during audits. In some of my projects, particularly for side projects involving financial calculators, these compliance requirements pushed me towards automated rotation.
  • Crisis Management and Rapid Response Capability: When a secret is suspected of being leaked, a fast and automated rotation process reduces panic and allows you to quickly bring the situation under control. Manual processes can lead to more errors during a crisis.
  • Support for the "Least Privilege" Principle: As secrets are rotated, old and unused permissions are also eventually removed. This helps maintain the "least privilege" principle in the system at all times.

Challenges Encountered:

  • Initial Investment and Complexity: Automating secret rotation, especially integrating it into existing systems, requires time and effort. The initial setup and testing processes can be complex. Even on my own VPS, it took me a few days to fully automate a simple database password rotation. However, this is an investment that pays for itself in the long run.
  • Dependency Management: It can be difficult to know exactly where a secret is used. When a secret is rotated, all dependent applications or services must also be updated. If this dependency map is not created, rotations can lead to interruptions. This is why, as I mentioned in my post [Related: Software Architecture: Monolith vs. Microservice Choices], a good understanding of dependencies is critical.
  • Human Factor and Training: Even with automation, operational teams need to be trained to understand these processes, monitor them, and intervene if necessary. A misconfigured automation can lead to bigger problems than manual processes.
  • Testing and Validation: Comprehensive tests are necessary to ensure that rotation processes are working correctly. These tests should verify that the secret is rotated successfully, applications are receiving the new secret correctly, and no service interruptions occur. I regularly perform these tests in staging environments.

Despite these challenges, the benefits of secret rotation far outweigh the difficulties encountered. With proper planning, appropriate tools, and continuous improvement, it is possible to manage these processes effectively.

Notes and Tips from My Own Experiences

Having been in the world of system administration, software development, and operations for twenty years, I know how important the theoretical part of issues like secret rotation is, but I've also experienced the practical difficulties firsthand. Here are some notes and tips distilled from my own experiences:

  1. Always Plan for a Rollback Mechanism: No matter how flawless automation is, the possibility of error always exists. When a secret rotation fails or unexpectedly affects an application, being able to quickly revert to the old secret can be a lifesaver. In my own scripts, I back up the old secret to a temporary file before applying the new one to the application. If there's a problem, I can quickly restore the old secret. One time, while rotating the Redis password, I accidentally messed up the OOM eviction policy settings, but thanks to this rollback mechanism, I was able to get the service back up in 5 minutes.

    # Example rollback step
if [ $? -ne 0 ]; then
    echo "Rotation failed, attempting rollback..."
    # Restore the old password
    OLD_DB_PASSWORD=$(cat $OLD_DB_PASSWORD_FILE)
    psql -U admin_user -d my_database -c "ALTER USER $DB_USER WITH PASSWORD '$OLD_DB_PASSWORD';"
    sed -i "s/^DB_PASSWORD=.*/DB_PASSWORD=$OLD_DB_PASSWORD/" /etc/app/config/.env
    systemctl restart my_app_service # Or docker-compose restart my_app
    echo "Rollback completed. Please investigate the failure."
    exit 1
fi

  2. Comprehensive Monitoring and Alerts: It's crucial to monitor not just whether rotation processes are running, but also whether they are completing successfully, and if applications are correctly using the new secret. I track these processes using journald logs, Prometheus metrics, or OpenTelemetry traces. An immediate alert should be triggered if a rotation fails. For example, a sudden increase in database connection error counts can be the first indicator of a problem with secret rotation.

    • Metric Example: application_db_connection_failures_total or secret_rotation_success_count.
    • Log Example: journalctl -u my_secret_rotation.timer | grep "failed".

  3. Simulate in a Test Environment: Before attempting a secret rotation in the production environment, I always test the entire flow in a staging or pre-prod environment. This allows me to identify potential issues at an early stage. In a client project, in particular, I tested the new database password 3 times with different scenarios in the staging environment before applying it to production. Each test revealed a different edge case, and thus I prevented a major outage in production.

  4. Implement the Principle of Least Privilege: Just as important as the secrets themselves is limiting the privileges of the users and services that access them. Ensure that each service can only access the secrets it needs. In a manufacturing ERP, I ensured that the production planning module only had access to a user with permissions to its own database tables, and that user's password. This narrows the scope of unauthorized access in case of a potential leak.

  5. Don't Overlook the Human Factor: No matter how powerful automation is, there are people behind it. It's essential for team members to understand why secret management and rotation are important, trust the processes, and be able to intervene manually when necessary. When a new team member joined for one of my side projects, one of the first things I did was explain the secret rotation scripts and monitoring dashboards to them. This is an important part of building a disciplined security culture, rather than adopting a "it'll be fine" approach.

These principles and tips are a summary of the experience I've gained over the years. While secret rotation can be a complex topic, with the right approach, we can significantly increase our operational resilience and security posture.

Conclusion

Secret rotation is one of the cornerstones of modern application security and operational resilience. It needs to be transformed from a manual and neglected task into an automated, planned, and seamless process. Automation, ensuring each secret has its own lifecycle, and adopting zero-downtime approaches for seamless operation form the three core principles in achieving this goal.

While the initial setup and management of these processes require time and effort, the security benefits and operational peace of mind they provide in the long run are invaluable. The outages, security vulnerabilities, and last-minute rushes I've experienced in my own projects have taught me these lessons very clearly. Let's not forget that secrets are the keys to our digital world, and regularly changing these keys is as important as securing our homes. This is a continuous journey, and every step we take on this journey makes our systems more secure and resilient.

Top comments (0)