
Best Practices

Best Practices for Secrets Management

Best practices teams can begin to implement when adopting HCP Vault as their primary secrets management system are described below:

  1. Centralize and Standardize: Migrate your secrets into Vault as a centralized secrets management system. Centralizing and standardizing where your secrets are stored helps control access and prevent leaks.
  2. Access Control: Implement strict access controls to ensure only authorized entities can access secrets. The secrets management team has already implemented some restrictive controls, but teams can further scope how access to their secrets is managed using Vault policies.
  3. Automate Secret Management: Automate the lifecycle management of secrets, including generation, distribution, rotation, and revocation.
    1. Vault already provides some of these features through dynamic credentials and database credential rotation. The more a team automates its processes using Vault, the more it minimizes data breach risks.
  4. Monitor and Audit: Continuously monitor and audit access to secrets to detect and respond to unauthorized access attempts.
  5. Avoid Hardcoding Secrets: NEVER HARDCODE SECRETS IN SOURCE CODE. Use environment variables or Vault to inject secrets at runtime.
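As an added illustration of item 2 (not from this page or the secrets management team's own configuration), the following Vault policy in HCL contrasts an overly broad grant with one scoped to a hypothetical team; the `secret/` KV v2 mount name and the `team-alpha` path are assumptions.

```hcl
# Added example with assumed names: the mount "secret/" is a KV v2 engine,
# which exposes two API paths per secret: "secret/data/<path>" holds the
# secret versions and "secret/metadata/<path>" the version list.

# Overly broad policy: any entity holding it can read, write, delete and
# list every secret under the mount, including other teams' paths.
# Shown only for contrast with the scoped rules below.
path "secret/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Scoped policy for the hypothetical "team-alpha" application identities.
# Vault denies anything not explicitly granted, so only the paths below
# are reachable by a token carrying this policy.

# Read-only access to the team's own secrets; workloads never get
# write or delete capabilities, which stay with a separate operator policy.
path "secret/data/team-alpha/*" {
  capabilities = ["read"]
}

# Listing metadata lets the application enumerate its own keys and
# versions without exposing any other team's values.
path "secret/metadata/team-alpha/*" {
  capabilities = ["list", "read"]
}

# "deny" always wins over any other capability on a matching path, so the
# team's break-glass credentials are unreachable from this policy even
# though the broader read rule above would otherwise cover them.
path "secret/data/team-alpha/break-glass/*" {
  capabilities = ["deny"]
}
```

Load it with `vault policy write team-alpha-app policy.hcl` and attach the policy name to the team's auth method role rather than to individual tokens, so every workload identity inherits the same scope.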

Other Recommendations

Below are further articles and guides for managing your secrets based on HashiCorp's recommendations. Please feel free to use these resources as a starting point on your secrets management journey.

UIS Security Policies

HashiCorp Recommendations

HashiCorp Guides