Overview

Static long-lived credentials pose a significant security risk due to the potential for accidental and malicious exposure as well as difficulties in revocation once the credentials are compromised. HCP Vault Secrets offers two ways of mitigating this risk: Auto-rotating Secrets (discussed below) and Dynamic Secrets. For a more in-depth comparison between these two secret types, please refer to this section.

Auto-rotating Secrets are an effective solution for organizations that want to rotate their secrets frequently but face challenges due to the complexity and coordination involved. Auto-rotating secrets will help:

• Eliminate the need for the application and platform teams to manually coordinate secret rotation
• Eliminate the application downtime associated with secret rotation, thanks to the overlapping active versions architecture (described below).

Key concepts

• Auto-rotating Secrets are blueprints that define how HCP Vault Secrets will provision credentials. They do not contain sensitive data themselves. They are configured using a reference to an integration and a rotation policy.
• Auto-rotating Credential Sets are sensitive data, such as tokens or keys, granting your application access to the provider. Each credential set is associated with a version of an Auto-rotating Secret.
• Rotation Policy defines how often the secret should be rotated and how many active versions of the secret should be maintained. Currently, HCP Vault Secrets supports 3 built-in rotation policies:
  • built-in:30-days-2-active
  • built-in:60-days-2-active
  • built-in:90-days-2-active
• Integrations manage the authentication and connection details that HCP Vault Secrets uses to access third-party providers in order to create and revoke credentials.
• Providers are systems like AWS that auto-rotating credentials allow your application to access.

Behavior

Auto-rotating Secrets are rotated on a schedule in a background job. When a rotation happens, a new credential is stored as the latest active version of the secret. At the same time an older (N - 2) version of the secret becomes inactive. The previous credential set is still available until the next rotation interval. This guarantees the user that the credential is safe to use for at least the defined rotation frequency.

If a secret sync is set up for the parent application, the Auto-rotating credentials will also be securely synced into the configured third-party destination upon each rotation.

Example workflow

1. You create a new auto-rotating secret in HCP Vault Secrets.

   • Rotation frequency set to 30 days.
   • Active versions set to 2.

2. HCP Vault Secrets creates a new credential set in the third-party provider and stores it in the corresponding secret version (v1).

3. On day 30, HCP Vault Secrets creates a new credential set in the third-party provider. A new secret version (v2) is added as the latest active version of the secret. The previous version (v1) is still available in the provider and can be retrieved from HCP Vault Secrets.

4. On day 60, the process is repeated again. The new secret version (v3) is now the latest active version. Since the secret was configured to maintain two active versions, the initial secret version (v1) is now revoked in the third party provider and marked inactive in HCP Vault Secrets.

If required, you can manually rotate the secret prior to the next rotation interval. Care should be taken with this endpoint because it could cause the oldest secret version to be revoked unexpectedly early.

Manually rotating the secret prior to the next rotation interval will reset the rotation interval. For example, if the rotation interval is set to 30 days and you manually rotate the secret on day 15, the next automatic rotation will occur 30 days from the manual rotation or 45 days from when the secret was created.