Security
Secrets management: multiple-choice review
Crux Multiple-choice synthesis across the secrets unit — leak remediation, the maturity ladder, dynamic short-lived credentials, envelope encryption, and least privilege under real incident pressure.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitSix questions that cut across the whole unit. Each mirrors a call you make in a real incident — not a definition to recite, but a tradeoff to weigh while a key is live and an attacker may already hold it.
Goal
Confirm you can connect leak remediation, the maturity ladder, dynamic credentials, envelope encryption, and least privilege — the synthesis the lessons built toward.
Quiz
Completed
A live AWS key was committed to a public repo last week. A teammate deleted the line and force-pushed. What is the first action that actually ends the exposure?
Heads-up History rewriting is hygiene, not remediation. It cannot touch clones, forks, or scanner caches already holding the blob — the key stays valid until you revoke it at the source.
Heads-up Flipping visibility cuts the audience but not the risk: the key was public long enough for scanners to grab it (often within a minute), and it is still valid. Only rotation ends the exposure.
Heads-up Force-push only moves your remote's tip. Every existing clone and fork keeps the old commit, and you can never confirm no copy escaped. Deletion is not revocation.
Quiz
Completed
Your team stores production DB passwords in a .env file deployed to each server, kept out of git via .gitignore. Why is a secret manager the next rung, and what does it add that .env cannot?
Heads-up Out of git is the floor, not the goal. A .env is plaintext on every laptop and CI runner, readable by anyone with the box, with no access control and no audit of who read what — exactly what a manager fixes.
Heads-up The app still fetches and uses the value in plaintext to authenticate. The manager controls who may read it and records that they did — it does not make a usable secret unreadable.
Heads-up A manager storing a static value still holds a long-lived secret that must be rotated; it just centralises and audits the storage. Rotation only becomes automatic once you move to dynamic secrets.
Quiz
Completed
A service fetches a dynamic database credential from Vault with a one-hour TTL instead of a static password. What does the TTL actually buy you?
Heads-up Transit encryption is TLS's job and is separate from the TTL. The TTL governs how long a leaked credential stays valid, not whether it can be observed in flight.
Heads-up Connection limits are a pooling and quota concern. A short TTL bounds the lifetime of a leaked credential; it says nothing about connection count.
Heads-up Dynamic secrets automate the leaf credentials, but the engine's root and configuration credentials are still long-lived and must be rotated periodically — Vault even exposes a rotate-root operation for exactly this.
Quiz
Completed
A team encrypts a 2 MB config blob by sending the whole payload to KMS on every request and hits the KMS request-rate limit. What does envelope encryption change?
Heads-up Envelope encryption does not chunk the payload through KMS at all. KMS only wraps a small data key; the bulk data is encrypted locally with that key, so KMS never sees the payload.
Heads-up KMS stays in the loop — it protects the data key, and the key-encryption key never leaves KMS. You only move the bulk encryption local; the data key still must be unwrapped by KMS to decrypt.
Heads-up Envelope encryption is orthogonal to rotation. You still rotate the KMS key-encryption key; the win is that you re-wrap data keys rather than re-encrypting every payload.
Quiz
Completed
An auditor finds one shared API token used by twelve services, granting full admin scope. The reporting service was compromised and the attacker dropped a production table. Which principle would have contained this?
Heads-up Encryption at rest protects the stored value, not its use. The service decrypts and uses the token legitimately; the damage came from an over-broad scope and a shared identity, not from how the value was stored.
Heads-up Token strength stops guessing, not abuse of a stolen-but-valid credential. The breach used a real token whose scope was admin and which was shared — entropy is irrelevant to both failures.
Heads-up Scheduled rotation shortens exposure but does nothing about the over-broad scope or the inability to tell which of twelve services acted. Least privilege plus unique identities is what limits and attributes the damage.
Quiz
Completed
A six-year-old org has the same Stripe key pasted into four repos, three CI systems, two wikis, and a Slack thread, and nobody knows which copy any service reads. What is this called and what is the durable fix?
Heads-up Copies are not redundancy; they are uncontrolled duplicates. Each is an independent leak surface, and rotation must hit every copy or stale values break a service. Sprawl is a liability, not availability.
Heads-up Rotation makes sprawl worse: you must find and update every scattered copy at once or something breaks. The root cause is the duplication itself; centralising to one source is the fix, then rotation is a single safe operation.
Heads-up Encrypting twelve scattered copies leaves twelve copies and twelve places to rotate and audit. The defect is duplication across untracked locations, not that each copy is plaintext.
Recap
Across the unit the through-line is one decision chain: a secret that touches a repo is leaked, so rotation — not deletion — ends the exposure; the maturity ladder climbs from hardcoded to .env to a manager (encryption at rest, access control, audit) to dynamic short-lived credentials whose TTL is the blast radius; envelope encryption lets KMS protect data at scale by wrapping a local data key instead of your payload; least privilege with unique per-service identities contains and attributes a breach; and secret sprawl is cured by a single source of truth, not more copies. Every answer resolves back to bounding and attributing the damage before it happens.