TLDR
Secrets management is the discipline of securely storing, rotating, auditing, and revoking sensitive credentials such as API keys, SSH keys, database passwords, tokens, and certificates. Without a centralized strategy, secrets sprawl silently across codebases, CI/CD pipelines, and cloud environments, creating critical breach vectors. This guide covers 10 proven best practices, a tool comparison, and step-by-step guidance for implementing secrets governance with JumpServer.
Table of Contents
- What Is Secrets Management?
- Why Secrets Management Fails in Most Organizations
- Types of Secrets You Need to Govern
- The Cost of Poor Secrets Management
- 10 Secrets Management Best Practices for 2026
- Secrets Management Tools Comparison
- How JumpServer Handles Secrets Management
- Compliance and Regulatory Requirements
- Common Anti-Patterns to Avoid
- Related Reading
1. What Is Secrets Management?
Secrets management is the centralized practice of controlling who can access which credentials, how those credentials are stored, how long they remain valid, and how their usage is audited. In modern enterprise environments, secrets no longer refer only to human passwords. They include the entire universe of machine-to-machine credentials that power automation, microservices, cloud infrastructure, and CI/CD pipelines.
A "secret" in this context is any piece of sensitive data that grants access to a system, service, or resource. This includes API keys, SSH private keys, database connection strings, OAuth tokens, TLS/SSL certificates, service account credentials, encryption keys, and third-party integration tokens.
As organizations scale from dozens of systems to hundreds of services across multi-cloud environments, managing secrets manually becomes operationally impossible and security-catastrophic. Secrets management provides the tooling and process framework to automate that lifecycle at scale.
2. Why Secrets Management Fails in Most Organizations
The most common failure pattern is not a technology gap but a process gap. Many organizations have adopted cloud vaults or password managers but still suffer from:
- Secrets sprawl: Credentials duplicated across multiple systems, repos, and configuration files
- No rotation policy: Static, long-lived secrets that never change even after personnel turnover
- Shared credentials: Multiple services or users sharing the same credential with no individual accountability
- Hardcoded secrets: API keys or passwords embedded directly in source code or Docker images
- No revocation workflow: When a developer leaves, their service credentials persist indefinitely
A 2025 GitGuardian report found that over 12.8 million secrets were exposed in public GitHub repositories in a single year, a 28% increase year over year. The vast majority of these were API keys and cloud access credentials.
The root cause is often a culture problem: developers prioritize shipping speed over secret hygiene, and security teams lack visibility into where secrets live.
3. Types of Secrets You Need to Govern
Not all secrets carry the same risk profile. Understanding the categories helps you prioritize your governance strategy:
| Secret Type | Common Location | Risk Level | Rotation Frequency |
|---|---|---|---|
| SSH private keys | Developer workstations, CI/CD agents | Critical | 90 days or less |
| API keys (cloud) | Config files, environment variables | Critical | 30-90 days |
| Database passwords | Application configs, secrets vaults | High | 30-60 days |
| OAuth tokens | App backends, service configs | High | Per session / 24h |
| TLS/SSL certificates | Load balancers, web servers | High | Before expiry (annually) |
| Service account passwords | Directory services, ITSM tools | High | 30-90 days |
| Encryption keys (KMS) | Key management systems | Critical | Annual or per policy |
| Third-party integration tokens | SaaS connectors, webhooks | Medium-High | 90 days |
| Internal application passwords | Microservice configs | Medium | 60-90 days |
Each secret type has a different lifecycle, exposure surface, and governance requirement. A mature secrets management program addresses all categories, not just the most obvious ones.
4. The Cost of Poor Secrets Management
The financial and operational consequences of secrets mismanagement are severe and well-documented:
- IBM Cost of a Data Breach Report 2025: The average global data breach cost reached 4.88 million, with nearly 9.5 million in the United States. Credential theft and leaked secrets are consistently among the top initial attack vectors.
- Uber (2022): A contractor's corporate VPN credentials were compromised. An attacker gained access to internal systems, found hardcoded admin credentials in script files, and escalated to full administrative access across the environment.
- CircleCI (2023): Malware on a developer's laptop captured a 2FA session token, allowing attackers to access customer secrets stored in the platform.
- Vercel (2026): A supply chain attack leveraged compromised CI/CD credentials to exfiltrate environment variables from thousands of customer deployments.
These incidents share a common thread: insufficient secrets governance enabled attackers to move laterally from an initial foothold to a high-value target with minimal resistance.
5. Ten Secrets Management Best Practices for 2026
Practice 1: Centralize Secrets in a Dedicated Vault
Never store secrets in configuration files, environment variable files committed to version control, spreadsheets, or shared document folders. Use a dedicated secrets vault such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or an integrated PAM platform. Centralization ensures that secrets have a single source of truth, access can be audited, and rotation can be automated.
Practice 2: Eliminate Hardcoded Secrets from Source Code
Implement pre-commit hooks or CI pipeline scanning using tools like GitGuardian, Trufflehog, or Gitleaks to detect and block hardcoded secrets before they reach your repository. If a secret is found in a commit history, treat it as compromised immediately: revoke it, rotate it, and investigate the blast radius.
Practice 3: Enforce Least-Privilege Access to Secrets
Every application, service, and user should have access only to the secrets it explicitly requires. Use fine-grained access policies in your vault to restrict which secrets each identity can read or write. Avoid broad policies that grant access to secret namespaces rather than specific secrets.
Practice 4: Automate Secret Rotation
Static secrets are a liability. Any credential that does not change becomes more dangerous over time as it can be exfiltrated quietly and reused indefinitely. Implement automated rotation schedules with zero-downtime rotation workflows. For database credentials, this typically means a dual-credential pattern where both old and new credentials are valid during a brief overlap window.
Practice 5: Use Short-Lived Credentials Where Possible
Prefer ephemeral credentials over long-lived secrets. Modern cloud platforms support dynamic credential generation, where a service requests a credential, uses it for a specific task, and the credential automatically expires. AWS IAM roles, HashiCorp Vault dynamic secrets, and JIT access patterns all reduce the exposure window of any single credential to minutes instead of months.
Practice 6: Audit Every Secret Access Event
Every read, write, rotation, or revocation event against a secret should produce an immutable audit log entry. These logs are essential for incident response (understanding what an attacker accessed), compliance (demonstrating control to auditors), and anomaly detection (identifying unusual access patterns). Ensure logs are shipped to a SIEM or log aggregation platform that the secrets vault system itself cannot modify.
Practice 7: Scan Your Existing Codebase for Secret Leaks
Before implementing forward-looking controls, conduct a retrospective scan of your entire codebase, container images, CI/CD pipeline configurations, and infrastructure-as-code repositories. Assume that secrets are already exposed in your environment. Prioritize remediation based on the sensitivity and scope of each exposed credential.
Practice 8: Implement Secret Sprawl Detection
As organizations grow, secrets get duplicated across environments (dev, staging, production) and across tools (multiple Jenkins instances, multiple cloud accounts). Implement a discovery process that maps where secrets are used and flags unauthorized copies. PAM platforms with secrets management modules can provide this visibility across the enterprise.
Practice 9: Establish a Secret Revocation Runbook
When a secret is suspected to be compromised (or when a team member with secret access leaves), you need a fast, reliable revocation process. A revocation runbook documents: who to notify, how to revoke the credential, how to issue a replacement, how to verify all dependent services are updated, and how to confirm the breach window. Practice this runbook quarterly in tabletop exercises.
Practice 10: Integrate Secrets Management into Your CI/CD Pipeline
Secrets should never be passed as plaintext environment variables in CI/CD systems. Instead, integrate your CI/CD platform (GitHub Actions, GitLab CI, Jenkins, CircleCI) directly with your secrets vault. Use native integrations or sidecar patterns to inject secrets at runtime into build and deployment jobs without exposing them in logs or job configurations.
6. Secrets Management Tools Comparison
| Tool | Type | Hosted / Self-Hosted | Key Strength | Pricing Model |
|---|---|---|---|---|
| HashiCorp Vault | Dedicated secrets vault | Both | Flexibility, dynamic secrets, broad integrations | Open-source + Enterprise |
| AWS Secrets Manager | Cloud-native vault | Hosted (AWS) | Deep AWS integration, auto-rotation | Pay per secret/API call |
| Azure Key Vault | Cloud-native vault | Hosted (Azure) | Microsoft ecosystem, HSM support | Pay per operation |
| Google Secret Manager | Cloud-native vault | Hosted (GCP) | GCP-native, IAM integration | Pay per secret version |
| CyberArk Conjur | Enterprise PAM vault | Both | Enterprise PAM integration, compliance | Commercial |
| JumpServer (PAM) | Open-source PAM + credential management | Self-hosted / Enterprise | Unified PAM + session recording + secrets governance, 500k+ deployments | Free (Community) + Enterprise |
| Infisical | Developer-focused vault | Both | Developer UX, GitHub integration | Free tier + paid |
| 1Password Secrets Automation | Team/dev secrets | Hosted | Developer experience, CI/CD integrations | Per user/team |
The right tool depends on your infrastructure footprint, compliance requirements, and whether you need a standalone vault or a unified PAM solution that also governs human privileged access, session recording, and access certification.
7. How JumpServer Handles Secrets Management
JumpServer is an open-source Privileged Access Management platform with built-in credential governance capabilities. Rather than treating secrets management as a separate silo, JumpServer integrates credential storage, access control, session recording, and audit logging into a single platform, which is particularly valuable for enterprises that want to govern both machine-to-machine secrets and human privileged access under a unified policy framework.
Step-by-Step: Managing Credentials in JumpServer
- Log in to the JumpServer console at your instance URL with administrator credentials.
- Navigate to "Console" in the top navigation bar, then select "Asset Management" from the left sidebar.
- Click on "Credential Management" to access the centralized credential store.
- Click "Create" to add a new credential. Select the credential type (SSH Key, Username/Password, API Token, or Certificate).
- Fill in the credential name, associated asset or service, username, and the secret value. Enable "Automatic Password Change" if you want JumpServer to rotate the credential on a schedule.
- Set the rotation interval (e.g., every 30 days) and configure the notification settings for rotation events.
- Navigate to "Permission Management" and create an access rule that grants specific users or user groups access to this credential. Apply the principle of least privilege: grant access only to the specific assets this credential governs.
- Under "Audit" in the top navigation, go to "Session Records" to review all sessions where this credential was used. Each access event is logged with timestamp, user identity, source IP, and a full session recording where applicable.
- To revoke access immediately (e.g., when an employee offboards), return to "Permission Management," find the relevant access rule, and either delete it or set an expiration date.
- For automated rotation via API, use the JumpServer REST API endpoint for credential updates to integrate with your external secret rotation scripts or CI/CD pipelines.
This approach ensures that credentials are never exposed in plaintext to the end user during session establishment. JumpServer acts as a proxy, injecting credentials at connection time and recording the full session without the user ever seeing the underlying password or key.
8. Compliance and Regulatory Requirements
Secrets management is no longer a security best practice recommendation: it is an explicit requirement in most major compliance frameworks.
PCI DSS v4.0: Requirement 8 mandates unique credentials for each user and service account, with documented policies for managing shared credentials and periodic rotation schedules. Requirement 10 mandates audit logging of all access to cardholder data, which includes logging credential usage.
HIPAA: The Security Rule requires covered entities to implement access controls (unique identifiers for all users) and audit controls (hardware and software activity records). Shared or unrotated credentials create HIPAA audit failures.
SOC 2 Type II: The Availability and Confidentiality trust service criteria require demonstrating that credentials are managed, rotated, and access-controlled in a documented and consistently applied manner.
ISO/IEC 27001:2022: Annex A Control 5.17 (Authentication Information) explicitly requires policies for managing authentication information including passwords and keys, rotation schedules, and secure storage.
NIS2 (EU): Requires organizations in critical sectors to implement robust access management practices, including multi-factor authentication and credential lifecycle management for privileged accounts.
DORA (EU Financial Services): Requires financial entities to document and enforce ICT security policies covering credential management as part of their ICT risk management framework.
9. Common Anti-Patterns to Avoid
The "Vault as Archive" mistake: Teams add secrets to a vault but never rotate them or revoke access when team members change. The vault becomes a static archive rather than an active governance tool.
Per-developer vault instances: Individual developers managing their own vault instances creates fragmentation, no centralized audit trail, and inconsistent security policies.
Over-privileged service accounts: Creating a single "super" service account with access to all secrets in a namespace because it is easier to configure. Any compromise of this account grants full access to all secrets.
Manual rotation via tickets: Relying on ITSM tickets to trigger secret rotation creates delays, human error, and gaps in rotation coverage. Automate rotation wherever possible.
Secrets in Kubernetes ConfigMaps: Kubernetes Secrets objects are base64-encoded, not encrypted by default. Storing sensitive credentials in standard Kubernetes Secrets without additional encryption (Sealed Secrets, Vault Agent Injector, or External Secrets Operator) is a common and dangerous mistake.
No distinction between production and non-production secrets: Using the same credentials in development, staging, and production environments. A breach in a lower environment should never compromise production.
Related Reading
- What Is Privileged Identity Management (PIM)?
- SSH Key Management: Best Practices for Enterprise Security
- What Is a Bastion Host?
- Zero Trust Security for IT and DevOps Teams
- RBAC in Privileged Access Management
Start Governing Secrets with JumpServer
Effective secrets management is a prerequisite for enterprise security maturity. Whether you are starting with SSH key governance or building a unified PAM and secrets governance program across multi-cloud environments, the principles remain the same: centralize, rotate, audit, and enforce least privilege.
JumpServer provides an open-source, production-ready platform for managing privileged credentials alongside full session recording, access certification, and audit logging, all with over 500,000 deployments and 30,000 GitHub stars backing its reliability.
Start your free trial at jumpserver.com or explore the Community Edition on GitHub to see how JumpServer can eliminate secrets sprawl in your environment today.