Secret Management
Secret management is the discipline of securely handling sensitive credentials in software projects – including API keys, database passwords, encryption keys, OAuth 2.0 tokens and TLS certificates. If secrets are stored in source code, security incidents with enormous damage potential can occur. Professional secret management separates configuration from code, restricts access to the minimum and enables automatic rotation.
Why is secret management critical?
Hardcoded secrets in source code are one of the most common causes of security incidents. A single accidentally committed API key can expose access to the entire infrastructure. GitHub scans millions of public repositories daily for exposed secrets. Professional secret management separates configuration from code and ensures that sensitive data is managed encrypted and access-controlled.
Methods and tools
Various approaches are available for secure management. Environment variables are the simplest level, suited to local development. Dedicated secret managers like HashiCorp Vault, AWS Secrets Manager or Azure Key Vault are the choice for production environments. Encrypted .env files with SOPS or age work for smaller projects. Docker Secrets and Kubernetes Secrets cover containerized environments. The combination with Infrastructure as Code is key for reproducible and auditable configurations.
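The following is an added example (not code from this page or from BTECH Solutions) showing the first and last of these approaches from the application side: a service that reads each required secret from an environment variable, from a path given in a NAME_FILE variable, or from a file mounted by Docker Secrets or a Kubernetes Secret volume, and fails at startup if anything is missing. The secret names, the /run/secrets directory (Docker's default mount path) and the lowercase file-name convention are assumptions for the example; adjust them to your own mounts.

```python
"""Added example: load secrets from the environment or from mounted secret files."""
import os
from pathlib import Path
from typing import Dict, List, Mapping, Optional

# Constructed list of the secrets this hypothetical service needs.
REQUIRED_SECRETS = ("DATABASE_PASSWORD", "JWT_SIGNING_KEY")

# Docker Swarm mounts secrets below /run/secrets/<name>; Kubernetes Secret
# volumes can be mounted at the same place. Passed as a parameter so tests can
# point it at a temporary directory.
SECRETS_DIR = Path("/run/secrets")


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent. Carries only names, never values."""


def read_secret(name: str,
                env: Optional[Mapping[str, str]] = None,
                secrets_dir: Path = SECRETS_DIR) -> str:
    """Resolve one secret, trying the sources from simplest to most container-specific."""
    env = os.environ if env is None else env

    # 1. Plain environment variable (local development, CI injection).
    value = env.get(name)
    if value:
        return value

    # 2. <NAME>_FILE convention: the variable holds a path to a file with the secret.
    file_path = env.get(f"{name}_FILE")
    if file_path:
        return Path(file_path).read_text(encoding="utf-8").strip()

    # 3. Mounted secret file; file name assumed to be the lowercase secret name.
    mounted = secrets_dir / name.lower()
    if mounted.is_file():
        return mounted.read_text(encoding="utf-8").strip()

    raise MissingSecret(f"required secret {name!r} is not configured")


def load_secrets(env: Optional[Mapping[str, str]] = None,
                 secrets_dir: Path = SECRETS_DIR) -> Dict[str, str]:
    """Load every required secret or fail fast, listing only the missing names."""
    found: Dict[str, str] = {}
    missing: List[str] = []
    for name in REQUIRED_SECRETS:
        try:
            found[name] = read_secret(name, env, secrets_dir)
        except MissingSecret:
            missing.append(name)
    if missing:
        # Never echo the values that were found; a startup error ends up in logs.
        raise MissingSecret("missing secrets: " + ", ".join(missing))
    return found


if __name__ == "__main__":
    # With nothing configured this prints the error and exits non-zero.
    try:
        load_secrets()
    except MissingSecret as exc:
        raise SystemExit(f"startup aborted: {exc}")
```

The order of sources matters for the threat model: an environment variable wins over a mounted file so that a developer can override locally, while in production the variable is simply absent and the mounted file is used. Keeping the error message free of values is what makes it safe to let the exception reach a log.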
Secret rotation and lifecycle
Secrets should be rotated regularly – ideally automatically. A defined lifecycle includes: creation with sufficient entropy, encrypted storage, access control following the least-privilege principle, automatic rotation and secure invalidation. In deployment pipelines, secrets must be injected at runtime without appearing in logs, build artifacts or container images.
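As an added example (not from this page or from BTECH Solutions), the lifecycle steps above applied to a signing key: each key is created from the operating system's CSPRNG with 256 bits of entropy, a rotation makes a new key the active signer while the previous one stays valid for verification during a grace period, and retiring a key invalidates anything it signed. The KeyRing class, its version-style key identifiers and the HMAC-SHA256 signature are assumptions for the illustration; a real deployment would keep the key material in a secret manager rather than in process memory.

```python
"""Added example: versioned signing keys with rotation, grace period and invalidation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class KeyRing:
    """All keys that may still verify signatures; exactly one of them signs new data."""
    keys: Dict[str, bytes] = field(default_factory=dict)
    active: Optional[str] = None
    _counter: int = 0  # monotonically increasing, so identifiers are never reused

    def rotate(self) -> str:
        """Create a fresh 256-bit key and make it the signer. Older keys keep verifying."""
        self._counter += 1
        kid = f"v{self._counter}"
        self.keys[kid] = secrets.token_bytes(32)  # sufficient entropy from the OS CSPRNG
        self.active = kid
        return kid

    def sign(self, message: bytes) -> Tuple[str, str]:
        """Sign with the active key; the key id travels with the signature."""
        if self.active is None:
            raise RuntimeError("key ring has no active key; call rotate() first")
        mac = hmac.new(self.keys[self.active], message, hashlib.sha256).hexdigest()
        return self.active, mac

    def verify(self, kid: str, message: bytes, mac: str) -> bool:
        """Accept signatures from any key still on the ring. Unknown or retired ids fail."""
        key = self.keys.get(kid)
        if key is None:
            return False
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, mac)  # constant-time comparison

    def retire(self, kid: str) -> None:
        """Invalidate a key permanently. The active signer cannot be retired."""
        if kid == self.active:
            raise ValueError("rotate to a new key before retiring the active one")
        self.keys.pop(kid, None)


if __name__ == "__main__":
    ring = KeyRing()
    old = ring.rotate()
    kid, mac = ring.sign(b"session:42")
    ring.rotate()               # new signer; old key still verifies
    assert ring.verify(kid, b"session:42", mac)
    ring.retire(old)            # grace period over
    assert not ring.verify(kid, b"session:42", mac)
```

The grace period is what makes automatic rotation operationally safe: tokens issued just before a rotation still verify, and the schedule for retire() is set to the longest lifetime a signed token can have. Retiring the key is the invalidation step of the lifecycle; after it, nothing signed with that key is accepted.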
Common mistakes when handling secrets
Committing secrets to Git (even in private repos). .env files without a .gitignore entry. Secrets in Docker build args instead of multi-stage builds. Missing rotation after personnel changes. Unencrypted transmission between systems. Logging request headers containing authorization tokens. Each of these mistakes undermines even otherwise careful Server Hardening.
How we use it
All secrets at BTECH Solutions are stored exclusively in encrypted GitHub Secrets and injected at build time via CI/CD pipelines. FTP credentials, DB passwords and the Django SECRET_KEY never exist in the repository. JWT signing keys are managed separately from the application secret and set via Environment Variables. For client projects with higher requirements, we deploy HashiCorp Vault – including automatic rotation and audit logs.