The Secret Revocation Rehearsal
Secrets get compromised. This rehearsal proves you can revoke and rotate them fast under pressure.
The scenario
A specific credential is suspected compromised. Question: how fast can you rotate?
Target: under 1 hour from suspicion to fully rotated.
The steps
1. Identify all places the secret is used.
2. Generate a new secret.
3. Update consumers (config change or restart).
4. Revoke the old secret.
5. Verify with monitoring that all consumers transitioned.
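One way to run the step 5 check and score the rehearsal against the 1-hour target, as an added example that is not part of the original page. The log format, consumer names and key ids are constructed assumptions; adapt the parser to whatever your secret manager or auth service actually logs.

```python
from datetime import datetime, timedelta

# Constructed sample auth log (format, consumer names and key ids are assumptions).
SAMPLE_LOG = """\
2024-05-01T10:02:11Z consumer=billing-api key_id=key-old result=ok
2024-05-01T10:20:40Z consumer=billing-api key_id=key-new result=ok
2024-05-01T10:21:05Z consumer=report-worker key_id=key-old result=ok
2024-05-01T10:34:52Z consumer=report-worker key_id=key-new result=ok
2024-05-01T10:41:00Z consumer=cron-backup key_id=key-old result=denied
2024-05-01T10:46:00Z consumer=cron-backup key_id=key-old result=denied
"""

def parse(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def rehearsal_report(log_text, old_key, new_key, suspected_at,
                     target=timedelta(hours=1)):
    last_key = {}   # consumer -> key id on its most recent request
    first_new = {}  # consumer -> first time it presented the new key
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for e in events:
        if e["key_id"] not in (old_key, new_key):
            continue  # unrelated credential
        last_key[e["consumer"]] = e["key_id"]
        if e["key_id"] == new_key:
            first_new.setdefault(e["consumer"], e["ts"])
    # A consumer whose latest request still carries the old key has not
    # transitioned (this also catches a rollback from new to old).
    stragglers = sorted(c for c, k in last_key.items() if k == old_key)
    # Rotation counts as complete only when every observed consumer moved over.
    completed_at = max(first_new.values()) if first_new and not stragglers else None
    elapsed = completed_at - suspected_at if completed_at else None
    return {"stragglers": stragglers, "elapsed": elapsed,
            "within_target": elapsed is not None and elapsed <= target}

if __name__ == "__main__":
    suspected = datetime(2024, 5, 1, 10, 0, 0)  # constructed time of suspicion
    print(rehearsal_report(SAMPLE_LOG, "key-old", "key-new", suspected))
```

A consumer that never appears in the log during the rehearsal window is invisible to this check, so compare the observed consumers against the inventory from step 1.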
Common gaps
Forgotten consumers: a script in someone's homedir using the old credential.
Hardcoded values: secrets in code that bypass the secret manager.