The point of secrets management is not a better place to hide a long-lived API key — it is to have fewer standing secrets and shorter-lived ones. A practical tour from .env hygiene to SOPS, Vault, dynamic credentials, Kubernetes reality, and workload identity that kills the "secret zero" problem.
Secrets
-
Secrets Management in 2026: From .env Files to Short-Lived, Identity-Based Credentials -
Vault Beyond Secrets: PKI, SSH CA, and Dynamic DB Credentials The parts of HashiCorp Vault that beat a key-value store — dynamic database credentials generated on demand, a PKI engine for short-lived certificates, an SSH CA, and transit encryption — and how to put them into production.
-
Secrets Rotation Without Downtime: Rotating Credentials in Live Systems Patterns for rotating database passwords, API keys, and TLS certificates in production systems with zero application restarts — covering the dual-credential pattern, dynamic secrets with Vault, automated certificate rotation, and the operational runbook for each scenario.
-
Secrets Management with HashiCorp Vault A practical guide to HashiCorp Vault — deploying it in production, using dynamic secrets, issuing certificates with the PKI engine, authenticating workloads with AppRole and Kubernetes auth, and integrating with CI/CD pipelines.