Skip to content
2 min read

Secrets management

Systematic hygiene: nothing in plain text in Git, nothing in plain text in the database, a vault as the source of truth.

SecureMaintainablePrivate

Context / need

A service platform means dozens of credentials: database passwords, API tokens, registrar API keys for TLS. The risk is not exotic: a secret committed by mistake, an environment variable leaking into a log or a docker inspect, a token stored in plain text on the server.

Constraints

Decision & why

Rather than heavy tooling, systematic hygiene, applied everywhere.

Accepted tradeoff

No centralized server-side secrets manager (Vault or sops/age). At the scale of a single maintainer, file discipline and the vault cover the need without adding one more critical component. If the platform grows (several operators, automatic rotation), this choice will be revisited.

Outcome

Posture: audit, find, fix

Hygiene is not a state, it is a practice. Revisit the existing setup regularly, look for stray secrets (Git history, configurations, logs), fix, and revoke whatever was exposed, even briefly. A leaked secret stays compromised until it is replaced.

A lived example, July 2026. A voluntary security audit of the platform’s repositories revealed a WireGuard private key committed in plain text in a docker-compose, since the repository’s first commit, meaning several weeks of potential exposure. Doctrine applied: an exposed secret is a compromised secret. The key was removed from the file, then made permanently obsolete (the VPN it served was decommissioned). And since Git history keeps everything, the publication rule was hardened: a repository made public starts from a fresh history.

The audit remains manual today; its tooling (automated history scanning, pre-commit hooks) is a roadmap project.