Secrets Management Policy
Owner: Anchor MSP Operations Lead
Last reviewed: 2026-04-04
Purpose
Define how production secrets are stored, accessed, and rotated.
Scope
All secrets used by any system in Anchor-managed production. This includes API keys, database credentials, TLS certificates, encryption keys, and any other sensitive configuration.
Policy
- All production secrets are stored in Vault. No exceptions.
- Secrets are never stored in:
  - Environment files (.env)
  - Git repositories
  - CI/CD variables at rest
  - Config files on disk
  - Slack messages, emails, or documents
- Secrets are injected at runtime by Vault using service identity. Applications authenticate to Vault as a service, not as a person.
- Rotation schedule:
  - API keys: Quarterly.
  - Database credentials: Quarterly.
  - TLS certificates: Auto-renewed.
- Access to secrets is scoped by service identity. A service can only read the secrets it needs. No service has broad access.
- All secret access is audited via the Vault audit log. The audit log is retained and reviewed.
- New secrets for a system are onboarded to Vault during the system onboarding process.
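The scoping rule above ("a service can only read the secrets it needs") is enforced in Vault by attaching a per-service policy to that service's auth role. The following is an added illustration written for this page, not Anchor's actual Vault configuration; the service name billing-api and the KV mount path secret/ are assumed. The first block shows the broad grant the policy forbids; the second shows the scoped form.

```hcl
# NOT COMPLIANT: a broad grant that lets any service holding this policy
# read every secret under the "secret/" KV v2 mount.
path "secret/*" {
  capabilities = ["read", "list"]
}

# COMPLIANT: a policy scoped to one service (hypothetical name "billing-api").
# Vault is deny-by-default, so anything not listed here is unreachable.
# KV v2 serves secret contents under .../data/ and listings under .../metadata/.
path "secret/data/billing-api/*" {
  capabilities = ["read"]
}

path "secret/metadata/billing-api/*" {
  capabilities = ["list"]
}
```

The scoped policy is bound to the service's machine identity rather than to a person, for example by setting token_policies="billing-api" on an AppRole or Kubernetes auth role, so a token issued to that workload can read only its own subtree and every read appears in the Vault audit log under that identity.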
Exceptions
Emergency break-glass access to secrets is available to the Operations Lead. Break-glass access is logged, reviewed, and triggers a follow-up to determine why normal access was insufficient.