Table of contents
- Introduction
- What is secrets management
- Why secrets management matters
- Passwork: More than a password manager
- Automation tools
- How we automate password rotation
- Security: Zero Knowledge and encryption
- Authorization and tokens
- Conclusions
Introduction
In corporate environment, the number of passwords, keys, and digital certificates is rapidly increasing, and secrets management is becoming one of the critical tasks for IT teams.
Secrets management addresses the complete lifecycle of sensitive data: from secure generation and encrypted storage to automated rotation and audit trails. As organizations adopt cloud infrastructure, microservices, and DevOps practices, the challenge intensifies — applications need seamless access to credentials while maintaining zero-trust security principles.
IT departments and DevOps teams face situations where there are too many secrets that become difficult to structure, control, and protect. In real-world projects, these secrets scatter across config files, environment variables, deployment scripts, and occasionally surface in public repositories.
What is secrets management
Secrets management is a cybersecurity best practice and set of tools for securely storing, managing, accessing, and rotating digital authentication credentials used by non-human identities such as applications, services, servers, and automated workloads.
Such secrets include passwords, passphrases, SSH, API and encryption keys, access tokens, digital certificates, and any other credentials that enable secure access to infrastructure.
Why secrets management matters
Protecting confidential information is a key priority for any business. Secrets require strict control at every stage of their lifecycle. That's just a few benefits of proper secrets management:
- Centralized storage. All passwords, keys, and tokens are stored in a single protected repository, preventing them from ending up in open docs, scripts, or source code, reducing the risk of leaks and unauthorized access.
- Flexible access management. The system allows individualized determination of who can access which secrets, whether individual employees, groups, or service accounts. This helps implement the principle of least privilege and reduces potential attack vectors.
- Complete control and operational transparency. Every request is logged: you can track who, when, and what actions were performed. Auditing facilitates regulatory compliance and makes security processes maximally transparent.
- Automated rotation. Passwords and keys are regularly updated automatically, on schedule or when threats are detected. This saves IT resources and reduces the likelihood of using outdated or compromised data.
- Integration with infrastructure and DevOps. Access to secrets is provided through API, CLI, SDK, and plugins, simplifying system integration with CI/CD pipelines, cloud platforms, containers, and databases.
- Rapid incident response. A centralized approach allows quick revocation or replacement of vulnerable secrets, minimizing incident consequences and preventing threat propagation within the company.
Without a unified solution, secrets often "wander" through configuration files and source code, complicating their updates and increasing compromise risks. Corporate password managers solve this task, but not all of them support the necessary automation for modern DevOps processes.
Passwork: More than a password manager
Passwork started as a corporate password manager — a simple and convenient tool for storing credentials. But modern IT teams need more: automation, integration, and programmatic access to secrets.
With Passwork 7, the platform evolved beyond traditional password storage into a full-fledged secrets management system.
API-first architecture
Passwork is built on API-first principles. This means that every function available in the UI is available through REST API.
The API provides programmatic access to all system functions: password management, vaults, folders, users, roles, tags, file attachments, and event logs. This enables you to automate access provisioning and revocation, update passwords programmatically, integrate Passwork into CI/CD pipelines, and export logs for analysis.
Two products in one
In other words, Passwork now combines two full-fledged products:
- Password manager — intuitive interface for secure credential storage and team collaboration.
- Secrets management system — programmatic access through REST API, Python connector, CLI, and Docker container for workflow automation.
Automation tools
Python connector
Passwork's official Python connector eliminates the complexity of working with low-level API calls and cryptography. Manage secrets through simple methods—no manual HTTP request handling or data transformations required.
Usage example:
from passwork_client import PassworkClient
client = PassworkClient(host="https://passwork.example.com")
client.set_tokens("ACCESS_TOKEN", "REFRESH_TOKEN") # pass tokens
client.set_master_key("MASTER_KEY") # master key for decryption
# create vault and password
vault_id = client.create_vault(vault_name="DevOps", type_id="vault_id_type")
password_data = {
"Name": "Database PROD",
"vaultId": vault_id,
"title": "DB prod",
"login": "admin",
"password": "secure-password",
"url": "https://db.example.com"
}
password_id = client.create_item(password_data)
# retrieve and use password
secret = client.get_item(password_id)
print(secret['password'])Key features:
- Simple methods like
create_item(),get_item(),create_vault()handle all operations; no manual HTTP requests needed - Client-side cryptography — master key never leaves your environment
- Connector automatically saves, restores, and refreshes tokens
- Universal
call()method enables access to any API endpoint, even those without dedicated methods
The Python connector accelerates automation and integration without unnecessary complexity.
CLI utility
For shell script and CI/CD automation, Passwork CLI provides a universal tool with two operating modes:
- exec — extracts secrets, creates environment variables, and runs your process. Passwords are never saved and are only available during execution.
- api — calls any Passwork API method and returns JSON responses.
Key features:
- Passwords injected as environment variables
- Secrets automatically loaded in CI/CD pipelines
- Temporary variables enable service account operations
- Native integration with Ansible, Terraform, Jenkins, and similar tools
Usage examples
Retrieve a password and execute a command:
# Export environment variables
export PASSWORK_HOST="https://passwork.example.com"
export PASSWORK_TOKEN="your_token"
export PASSWORK_MASTER_KEY="your_master_key"
# Retrieve password by ID and run MySQL client
passwork-cli exec --password-id "db_password_id" mysql -u admin -h localhost -p $DB_PASSWORD database_nameRunning script with multiple secrets:
passwork-cli exec \
--password-id "db123,api456,storage789" \
deploy.sh --db-pass=$DATABASE_PASSWORD --api-key=$API_KEY --storage-key=$STORAGE_KEYGetting vault list through API:
passwork-cli api --method GET --endpoint "v1/vaults"The CLI supports tag and folder filtering, custom fields, token refresh, and flexible configuration for diverse automation scenarios.
Docker container
For CI/CD integration, the official passwork/passwork-cli Docker image enables quick CLI launches in isolated environments.
Launch example:
docker run -it --rm \
-e PASSWORK_HOST="https://passwork.example.com" \
-e PASSWORK_TOKEN="your_access_token" \
-e PASSWORK_MASTER_KEY="your_master_key" \
passwork-cli exec --password-id "db_password_id" mysql -h db_host -u admin -p $DB_PASSWORD db_nameKey features:
- Ready for GitLab, Bitbucket Pipelines, and docker-compose workflows
- Secrets easily passed between containers
How we automate password rotation
Regular password changes are a fundamental security requirement, but manual rotation introduces risk and wastes time. Passwork enables complete automation through the Python connector.
Rotation workflow:
- Retrieve current password from Passwork (
get_item) - Generate new secure password
- Change password in target system (e.g.,
ALTER USERfor databases) - Update record in Passwork (
update_item) - Notify team of completion
Example implementation:
from passwork_client import PassworkClient
import secrets
import psycopg2
def rotate_db_password(passwork_host, accessToken, refreshToken, master_key, password_id, db_params):
client = PassworkClient(passwork_host)
client.set_tokens(accessToken, refreshToken)
client.set_master_key(master_key)
secret = client.get_item(password_id)
current_password = secret['password']
new_password = secrets.token_urlsafe(32)
conn = psycopg2.connect(
dbname=db_params['db'],
user=db_params['user'],
password=current_password,
host=db_params['host']
)
with conn.cursor() as cur:
cur.execute(f"ALTER USER {db_params['user']} WITH PASSWORD '{new_password}'")
conn.commit()
client.update_item(password_id, {"password": new_password})
print("Password successfully rotated and updated in Passwork")Benefits:
- Fully automated rotation eliminates manual actions and human error
- New password immediately available to the entire team—no delays or communication gaps
Security: Zero knowledge and encryption
Passwork implements Zero knowledge architecture: the server never accesses secrets in plain text. Even administrators with full infrastructure access cannot read your data.
- Server-side encryption — All secrets stored encrypted on the server. Suitable for internal networks and standard security requirements.
- Client-side encryption (CSE) — Secrets encrypted on the client before transmission; only ciphertext reaches the server. Master key derived from user's master password. Essential for cloud deployments or strict compliance requirements.
Choosing your model:
- Cloud deployment or strict compliance → Enable CSE
- Internal network with standard requirements → Server-side encryption sufficient
Authorization and tokens
Passwork API uses a token pair: accessToken and refreshToken.
- Access token — Short-lived credential for API requests
- Refresh token — Enables automatic access token renewal without re-authorization
The Python connector handles token refresh automatically, ensuring stable integrations without manual intervention.
Security best practices:
- Create dedicated service accounts — Assign minimal permissions, grant access only to required vaults and folders
- Rotate tokens regularly — Set expiration policies and refresh credentials on schedule
- Secure token storage — Use environment variables or dedicated secret vaults (never hardcode)
- Enforce HTTPS — Always use encrypted connections for API communication
Conclusions
Passwork has evolved from a password manager into a comprehensive secrets management platform. The open API, Python connector, CLI, and Docker image enable seamless integration into any workflow while centralizing secrets with granular access control.
For administrators: Reliable storage with built-in automation capabilities.
For developers and DevOps: Production-ready API and tools for secure secrets handling.
Passwork consolidates what typically requires multiple solutions into a single system with unified management. This reduces operational overhead, simplifies rotation workflows, and provides IT and development teams with transparent security controls.
As a secrets management platform, Passwork delivers protected, scalable infrastructure that adapts to your organization's needs.
Further reading
Eirik Salmi
Ana Moore
Ana Moore
