Glossary: Secrets management

This glossary covers essential cybersecurity and password management terminology from password policies and zero-knowledge encryption to RBAC, API authentication, and compliance frameworks like GDPR and SOC 2.

Access token — a temporary credential that grants authenticated users or applications permission to access protected resources without repeatedly entering credentials. Access tokens are issued by authentication servers following successful login, typically using protocols like OAuth 2.0 or JWT (JSON Web Tokens). They contain encoded information about permissions, expiration time, and user identity.

Access tokens enhance security through short lifespans, scope limitations, and the ability to revoke access without changing passwords. Modern applications use access tokens to enable secure API communication, single sign-on (SSO), and microservices authentication across distributed systems.

API key — a unique alphanumeric identifier used to authenticate and authorize applications or users accessing an API. API keys serve as simple authentication tokens that identify the calling program, control access permissions, track usage quotas, and monitor API consumption. While convenient for development, API keys require proper secrets management since they grant direct access to services and data.

Best practices include storing API keys in secrets vaults, rotating them regularly, restricting permissions, and never hardcoding them in source code or public repositories to prevent unauthorized access and security breaches.

Application secrets — confidential credentials and sensitive data that applications require to function: database passwords, API keys, OAuth tokens, encryption keys, and third-party service credentials. Application secrets must be protected from exposure in source code, configuration files, container images, and logs. Modern DevSecOps practices mandate storing application secrets in dedicated secrets management systems rather than hardcoding them.

Secure application secrets management includes encryption, access controls, automated rotation, audit logging, and runtime injection to minimize the attack surface and prevent data breaches caused by credential compromise.

Certificate management — the certificate management encompasses the complete lifecycle of digital certificates used for SSL/TLS encryption, code signing, and authentication: provisioning, installation, renewal, monitoring, and revocation. Poor certificate management leads to expired certificates causing outages, security vulnerabilities, and compliance violations. Modern certificate management solutions automate discovery of certificates across infrastructure, alert before expiration, handle automated renewal through protocols like ACME, and maintain certificate inventories.

Organizations managing hundreds or thousands of certificates use certificate lifecycle management tools to prevent downtime, ensure encryption standards, and maintain compliance with security regulations.

CI/CD Integration — the process of connecting secrets management systems with continuous integration and continuous deployment pipelines to enable secure credential delivery without hardcoding secrets in build configurations or scripts. Modern CI/CD platforms (Jenkins, GitLab CI, GitHub Actions, CircleCI) integrate with secrets managers to fetch credentials at build time. Secure CI/CD secrets management includes storing secrets in dedicated vaults, using short-lived credentials, restricting access by pipeline and environment, masking secrets in logs, and rotating credentials regularly.

Proper integration prevents credential exposure in build artifacts, container images, and pipeline logs while enabling automated, secure deployments.

Configuration management — a systematic approach to defining, deploying, and maintaining consistent system and application settings across environments. Configuration management encompasses infrastructure configurations, application parameters, feature flags, and secrets. Tools like Ansible, Puppet, Chef, and Terraform enable infrastructure as code (IaC) and configuration automation. Effective configuration management separates secrets from non-sensitive configurations, uses version control for tracking changes, implements environment-specific configurations, and integrates with secrets management platforms.

Proper configuration management prevents configuration drift, enables rapid deployment, supports disaster recovery, and maintains security through consistent, auditable configurations.

Database credentials — authentication information required to connect to database systems: usernames, passwords, connection strings, and certificates. Database credentials represent high-value targets since they provide direct access to sensitive data. Compromised database credentials enable data breaches, ransomware attacks, and compliance violations. Secure database credential management includes storing credentials in secrets vaults, implementing automated rotation, using dynamic database credentials when possible, enforcing strong authentication, restricting network access, and monitoring credential usage.

Organizations must never hardcode database credentials in application code or commit them to version control systems.

Dynamic secrets — credentials generated on-demand with limited lifespans, automatically created when requested and revoked after use or expiration. Unlike static secrets that exist indefinitely, dynamic secrets provide enhanced security by minimizing exposure windows and eliminating long-lived credentials. Secrets management platforms like HashiCorp Vault generate dynamic database credentials, cloud IAM credentials, and SSH certificates programmatically.

Dynamic secrets reduce risk from credential theft since compromised credentials expire quickly and aren't reused. They're ideal for automated processes, temporary access, and zero-trust security architectures requiring just-in-time credential provisioning.

Hardcoded secrets — credentials embedded directly in application source code, configuration files, or scripts — a critical security vulnerability. Hardcoded secrets in repositories become exposed when code is shared, committed to public GitHub repositories, or accessed by unauthorized personnel. Attackers actively scan public repositories for hardcoded API keys, passwords, and tokens.

Hardcoded secrets violate security best practices, complicate rotation, and create compliance issues. Prevention requires developer training, pre-commit hooks scanning for secrets, secrets detection tools, code reviews, and migrating to proper secrets management solutions that inject credentials at runtime.

Infrastructure as Code (IaC) — the practice of managing and provisioning infrastructure through machine-readable definition files rather than manual configuration. IaC tools like Terraform, CloudFormation, and Pulumi enable version-controlled, repeatable infrastructure deployment. IaC presents secrets management challenges since infrastructure code often requires credentials for cloud providers, databases, and services.

Best practices prohibit hardcoding secrets in IaC templates, instead using secrets management integrations, encrypted variable files, or runtime secret injection. Proper IaC secrets management combines version control for infrastructure definitions with secure, separate storage for sensitive credentials.

Key management system (KMS) — a centralized platform for creating, storing, distributing, rotating, and retiring cryptographic keys throughout their lifecycle. KMS solutions provide secure key generation using hardware random number generators, encrypted storage often using HSMs, access controls, audit logging, and automated rotation.

KMS enables encryption at rest and in transit, digital signatures, and certificate management. Proper key management through KMS is essential for data protection, compliance, and cryptographic security.

Management key — the root cryptographic key used to encrypt and decrypt other keys and secrets within a secrets management system. Management keys represent the highest security tier since compromise exposes all protected secrets. Organizations protect management keys through hardware security modules (HSMs), key splitting across multiple custodians, strict access controls, and air-gapped storage.

Key Management Systems implement key hierarchies where management keys encrypt data encryption keys, which encrypt actual secrets. Management key rotation requires careful planning since it necessitates re-encrypting all dependent keys and secrets.

Secrets discovery — an automated process of scanning codebases, repositories, configuration files, containers, and infrastructure to identify exposed credentials, API keys, and sensitive data. Secrets discovery tools detect hardcoded passwords, committed API keys, embedded certificates, and other credential leaks that create security vulnerabilities. Organizations use secrets discovery during security assessments, before migrating to secrets management platforms, and continuously in CI/CD pipelines to prevent credential commits.

Discovery tools use pattern matching, entropy analysis, and machine learning to identify secrets. Findings require remediation: rotating exposed credentials, removing from repositories, and implementing proper secrets management.

Secrets expiration — a policy that enforces automatic invalidation of credentials after a predetermined time period, requiring renewal or rotation Expiration reduces security risks by limiting the useful lifetime of compromised credentials and forcing regular updates. Secrets management systems set expiration policies based on sensitivity—highly privileged credentials may expire within hours while less critical secrets last months.

Automated expiration requires monitoring and alerting to prevent service disruptions from expired credentials. Dynamic secrets inherently include short expirations, while static secrets need explicit expiration policies. Expiration supports compliance requirements mandating regular credential rotation and time-limited access.

Secrets governance — the framework that establishes policies, procedures, and controls for managing organizational credentials to ensure security, compliance, and operational consistency. Governance frameworks define who can create, access, modify, and delete secrets; rotation requirements; approval workflows; audit procedures; and compliance mappings. Effective secrets governance includes role-based access controls, separation of duties, regular access reviews, compliance reporting, and incident response procedures.

Governance supports regulatory requirements (SOC 2, PCI DSS, HIPAA, GDPR) through documented policies, audit trails, and enforced controls. Mature secrets governance balances security requirements with operational efficiency through automation and centralized management platforms.

Secrets injection — the secure delivery of credentials and sensitive data to applications at runtime without storing them in code, configuration files, or container images. Modern secrets injection methods include environment variables populated from secrets managers, mounted volumes containing credentials, init containers that fetch secrets, and sidecar patterns. Secrets injection prevents hardcoded credentials, reduces secrets sprawl, and enables centralized management.

Proper secrets injection ensures applications receive necessary credentials securely while maintaining separation between code and configuration.

Secrets lifecycle — the process that encompasses all stages of credential existence: creation/generation, secure storage, distribution to authorized systems, active usage, rotation/renewal, revocation when compromised, and final deletion. Each lifecycle stage presents security considerations—creation requires strong randomness, storage demands encryption, distribution needs secure channels, and deletion must be complete.

Modern secrets management platforms automate lifecycle stages, enforce policies, provide audit trails, and alert on lifecycle events like approaching expiration or detected compromise.

Secrets management — the practice of securely storing, distributing, controlling, and auditing sensitive authentication data like passwords, API keys, certificates, and encryption keys. Modern secrets management solutions provide centralized vaults, automated rotation, access controls, and audit trails to prevent data breaches. Organizations use secrets management tools to eliminate hardcoded credentials, reduce secrets sprawl, and ensure compliance with security standards like SOC 2, GDPR, and PCI DSS.

Effective secrets management protects critical infrastructure by controlling who and what can access confidential data across development, testing, and production environments.

Secrets rotation — an automated process of regularly changing passwords, API keys, certificates, and other credentials to minimize security risks from compromised secrets. Regular rotation limits the window of opportunity for attackers using stolen credentials and ensures compliance with security policies and regulations. Modern secrets management platforms automate rotation by generating new credentials, updating dependent systems, and retiring old secrets without service disruption.

Rotation frequency depends on sensitivity and compliance requirements—critical production secrets may rotate daily while less sensitive credentials rotate monthly or quarterly.

Secrets sprawl — a secrets sprawl occurs when credentials, API keys, and sensitive data proliferate uncontrollably across repositories, configuration files, containers, CI/CD systems, and cloud environments. Secrets sprawl creates significant security risks: hardcoded credentials in source code, duplicate secrets across systems, unknown or forgotten credentials, and difficulty tracking access.

Addressing secrets sprawl requires secrets discovery tools to locate exposed credentials, migration to centralized secrets vaults, automated rotation, and governance policies preventing future sprawl.

Secrets vault — a centralized, encrypted repository designed specifically for storing and managing sensitive credentials, API keys, certificates, and other confidential data. Secrets vaults provide enterprise-grade security through encryption at rest and in transit, role-based access controls (RBAC), detailed audit logging, and secrets versioning.

Secrets vaults integrate with CI/CD pipelines, container orchestration platforms, and cloud infrastructure to securely inject credentials into applications at runtime.

Secrets versioning — the practice of maintaining a complete history of changes to credentials, enabling rollback to previous versions, audit trails, and change tracking. When secrets rotate or get updated, versioning preserves old values temporarily to support graceful transitions and troubleshooting. Secrets versioning helps organizations meet compliance requirements by documenting who changed secrets, when modifications occurred, and why updates happened.

Modern secrets management platforms provide built-in versioning with configurable retention policies. Versioning proves critical during incidents when teams need to identify when credentials changed or roll back to known-good configurations after problematic updates.

Service account — a service account is a non-human identity used by applications, services, and automated processes to authenticate and access resources programmatically. Unlike user accounts, service accounts enable machine-to-machine authentication for CI/CD pipelines, microservices, scheduled jobs, and infrastructure automation. Service accounts require careful secrets management since their credentials provide programmatic access to sensitive systems and data.

Best practices include using dedicated service accounts with minimal permissions (principle of least privilege), rotating service account credentials regularly, monitoring usage through audit logs, and managing service account secrets through centralized vaults.

SSH key — a cryptographic key pair (public and private) used for secure authentication when connecting to remote servers via Secure Shell (SSH) protocol. SSH keys provide stronger security than password-based authentication by using asymmetric encryption. The private key remains on the user's machine while the public key is stored on target servers. SSH keys enable passwordless authentication for system administrators, developers, and automated processes accessing Linux servers, cloud infrastructure, and Git repositories.

Proper SSH key management includes protecting private keys, rotating keys regularly, and using SSH key management tools to prevent unauthorized access.