Automate secret generation and rotation with OCI Secret Management

February 12, 2024
In today’s cloud-driven landscape, protecting sensitive data, such as API keys, passwords, and encryption keys, is vital. Oracle Cloud Infrastructure (OCI) Secret Management offers a robust and secure solution for storing, managing, and accessing these types of secrets. It provides centralized storage protected by hardware security modules (HSMs) and granular access control to help ensure the security and integrity of your secrets. This option is better than embedding unencrypted secrets directly within your applications because it helps reduce the attack surface and improve an application’s overall security posture.  

Automatic secret generation and rotation

We’re pleased to announce the general availability of automatic secret generation and automatic secret rotation features in OCI Secret Management! You no longer need to write and maintain your own scripts to generate and rotate secrets. Instead, the Oracle Cloud Console and APIs, such as CreateSecret and RotateSecret, offer efficient ways to manage your secrets’ lifecycle from creation to rotation and deletion.

With automatic secret generation, we support three types: passwords, Secure Shell (SSH) keys, and random bytes. We also provide templatization during generation. Templatization enables you to store JavaScript Object Notation (JSON) blobs with placeholders for secrets that are automatically generated for you. With automatic rotation, you can set intervals from 1–12 months. This feature integrates with the Autonomous Database and Functions services, allowing seamless rotation of secrets used in Autonomous Database or function code. Your applications begin using the new secret immediately. In OCI Functions, you can easily rotate any credential and execute code as part of the rotation process. Automatic rotation is also available for manually created secrets.

Why automate?

Automation offers the following benefits:

  • Enhanced security: Regularly rotating secrets helps minimize the impact of compromised credentials, which can reduce the likelihood of data breaches.
  • Operational efficiency: Automating mundane tasks, such as secret generation and rotation, frees up your valuable time for more strategic initiatives.
  • Helps with compliance: Many compliance regulations mandate regular secret rotation, and automation aids in consistent adherence.
  • Reduced human error: Automating repetitive tasks reduces the possibility of human mistakes, further bolstering security.

Automatic secret management supports the following operations:

  • Secret generation: When creating a secret, you can now choose to generate it automatically or supply it manually. Automatic creation is the default. You can create several types of secrets, such as passwords (including passwords that meet our database requirements), SSH keys, and random bytes.
  • Storage: Whether created automatically or manually, secrets are stored in an encrypted vault, using HSMs for added protection.
  • Rotation scheduling: You now have the flexibility to rotate immediately or define a rotation schedule, such as monthly, to automatically generate secrets. You must specify the target applications that use these secrets so that rotation is done from the application perspective.
  • Edit secret generation and rotation: If you need to revisit your choices regarding rotation interval or change the application associated with an automatically rotated secret, you can do so in the Oracle Cloud Console or through the UpdateSecret API.
  • Notification and auditing: Receive notifications of successful rotations and maintain detailed audit logs for compliance purposes.

Pricing and limits

The OCI Secret Management service is part of the OCI Free Tier, so you can create and use secrets without incurring any charges. However, because your secrets are protected by keys created in the OCI Key Management offering, charges can apply based on the type of vault and keys you create. For example, while virtual vaults with software keys are free, using HSM keys involves a minimal capacity fee.

This release doesn’t affect secret limits. You can still have 5,000 secrets per tenancy and 30 active secret versions per secret, each with a maximum size of 64 KB.

Next steps

OCI Secret Management provides a centralized and secure platform for managing your secrets. The powerful duo of automatic secret generation and automatic secret rotation can eliminate the tedious and error-prone tasks of manually creating and rotating sensitive credentials. Read more about how the feature works in the technical documentation.

The best way to learn about it is to give it a try! Visit our website to learn more about Oracle Cloud Infrastructure Security products and sign up for a Free Tier account to take a closer look.


