The following best practices for using a secrets-manager integration will ensure the highest levels of security for your system-level secrets. For more information about secrets management, see Secrets Management.
Rotate your secrets regularly
We recommend rotating your secrets on a regular basis. Rotation is the process of periodically updating a secret. When you rotate a secret, new credentials replace the old credentials. To ensure minimal downtime, we recommend including a restart of the Hyperscience application in your procedures for scheduled secrets rotation.
If you use Hyperscience in an environment with high security requirements where secrets need to be automatically rotated on a specific date or time, contact your Hyperscience representative for more information on setting up secrets rotation.
Protect your credentials on disk
Depending on your on-premises or private cloud environment, authenticating with your secrets manager may require storing a single, unencrypted password or API key on disk. We suggest applying additional security controls at the server and network levels to protect this credential and mitigate unauthorized access. These additional controls are the ones recommended by the secrets-management providers themselves. For example, many providers can lock an API key or an account down to a specific IP address, which prevents access from other machines. In the case of private clouds such as AWS, additional credentials may not be necessary, as AWS comes with integrated Identity and Access Management (IAM).
If you use Hyperscience in an environment with strong security requirements, contact your Hyperscience representative for workarounds for this bootstrap credential.
Follow the principle of least privilege (PoLP)
We recommend following the principle of least privilege (PoLP) when granting access to the primary credential used for retrieving secrets. Hyperscience should only have access to retrieve the necessary credentials for running the application and not all available credentials.
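As an added example (not from the Hyperscience documentation), the AWS IAM policy below applies both recommendations above to the primary credential: it allows reading only the named secrets rather than every secret in the account, and only from one source address. The account ID, region, secret-name prefixes and IP address are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyHyperscienceSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:hyperscience/db-*",
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:hyperscience/smtp-*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.10/32"]
        }
      }
    }
  ]
}
```

Compare this with a policy that grants `secretsmanager:*` on `"Resource": "*"`, which exposes every secret in the account if the on-disk credential is ever copied. If the application reaches Secrets Manager through a VPC endpoint, `aws:SourceIp` does not apply to that traffic and the `aws:SourceVpce` condition key should be used instead.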
Delete your secrets from the “.env” file
If you’re moving away from storing secrets in the “.env” file to storing them in a secrets manager, you can safely delete your secrets from the “.env” file once the migration is confirmed. Our integration will confirm whether the secrets were successfully fetched from the secrets manager. Only after that confirmation should you delete them from the “.env” file.