
Secret rotation 2026: password, API key, and certificate renewal discipline


Aior

Administrator
Staff member

Why is secret rotation necessary?

The longer a secret (password, API key, certificate, signing key) lives, the higher the breach risk. Credentials of former employees, leaked secrets, brute-force compromises: rotation discipline minimises all of these. On systems AIOR delivers to customers, secret rotation is set up as an automated or planned process; it is never left ad hoc.

Rotation policy — at what cadence?

Each secret type has a different rotation cadence:
  • User password — 90 days on average, but the NIST 2024 recommendation is no mandatory rotation unless a breach is suspected (forced rotation causes user fatigue).
  • API key (internal) — 90 days.
  • API key (3rd party — Stripe, SendGrid) — yearly or on policy change.
  • Database password — 6 months.
  • SSL/TLS certificate — Let's Encrypt 90 days auto-renew, commercial 1 year.
  • SSH key — per user, revoke immediately on departure.
  • Signing key (code/release) — yearly or on breach indication.
  • Encryption key (data-at-rest) — yearly, with key derivation hierarchy and periodic child keys.

Secret management infrastructure

Manual secret rotation doesn't work. Tools we prefer on AIOR projects:
  • HashiCorp Vault — self-hosted, enterprise standard. AIOR's default.
  • AWS Secrets Manager — AWS native, automatic rotation built-in.
  • Azure Key Vault — Microsoft ecosystem.
  • Google Secret Manager — GCP native.
  • Doppler — modern, developer-friendly SaaS.

Automated rotation pipeline

Ideal rotation is fully automatic:
  • Schedule trigger — cron or event-driven.
  • Generate new secret.
  • Deploy new secret (config update or hot reload).
  • Old secret still active — overlap window.
  • Verification — confirm the new secret works.
  • Revoke old secret.
  • Audit log.

At AIOR, database password rotation is automatic via Vault dynamic secrets — the application fetches a fresh password from Vault per connection.

Zero-downtime rotation

Rotating while services run is mandatory. AIOR patterns:
  • Dual-key support — application accepts both old and new keys (transition window).
  • Rolling deploy — each pod starts with the new secret; the old secret is phased out gradually.
  • Read-write split — new secret for new clients; old still active for legacy clients.
  • Health check — verification after rotation.
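An added example (not AIOR's code) that covers the pipeline steps above and the dual-key pattern in one piece: a key ring keeps both HMAC key versions active during the overlap window, verifies the new key before trusting it, and revokes the old key as a separate, later step. The key ids `v1`/`v2`, the probe message and the token body are constructed for the example.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

@dataclass
class KeyRing:
    """Active HMAC keys by version id; during the overlap window more than one is active."""
    keys: dict = field(default_factory=dict)   # kid -> key bytes
    current: str = ""                          # kid used for new signatures
    audit: list = field(default_factory=list)  # audit log of rotation events

    def sign(self, msg: bytes) -> tuple[str, str]:
        return self.current, hmac.new(self.keys[self.current], msg, hashlib.sha256).hexdigest()

    def verify(self, kid: str, msg: bytes, tag: str) -> bool:
        key = self.keys.get(kid)
        if key is None:                        # revoked or unknown key version
            return False
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

def rotate(ring: KeyRing, new_kid: str) -> None:
    """Generate -> deploy beside the old key (overlap) -> verify -> audit; revoke is separate."""
    old_kid = ring.current
    ring.keys[new_kid] = secrets.token_bytes(32)   # generate
    ring.current = new_kid                         # deploy: both keys are now active
    probe = b"rotation-probe"                      # constructed verification message
    kid, tag = ring.sign(probe)
    if kid != new_kid or not ring.verify(new_kid, probe, tag):   # verification step
        ring.keys.pop(new_kid, None)               # roll back to the old key
        ring.current = old_kid
        ring.audit.append(("rotation_failed", new_kid))
        raise RuntimeError("new key failed verification")
    ring.audit.append(("rotated", old_kid, new_kid))

def revoke(ring: KeyRing, kid: str) -> None:
    ring.keys.pop(kid, None)                       # end of the overlap window
    ring.audit.append(("revoked", kid))

def run_rotation() -> dict:
    """A token issued under v1 verifies during the overlap window and fails once v1 is revoked."""
    ring = KeyRing(keys={"v1": secrets.token_bytes(32)}, current="v1")
    msg = b"session:alice"                         # constructed sample token body
    old_kid, old_tag = ring.sign(msg)
    rotate(ring, "v2")
    during_overlap = ring.verify(old_kid, msg, old_tag)
    new_kid, new_tag = ring.sign(msg)
    revoke(ring, "v1")
    return {"during_overlap": during_overlap, "new_token_ok": ring.verify(new_kid, msg, new_tag),
            "after_revoke": ring.verify(old_kid, msg, old_tag), "audit": ring.audit}
```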


SSL/TLS certificate rotation

Let's Encrypt is widespread, free, auto-renew capable in 2026:
  • Automatic renewal via Certbot or acme.sh.
  • DNS-01 challenge for wildcard certificates.
  • Renew threshold 30 days early — before the certificate actually expires.
  • Monitoring — expiry-date tracking via Prometheus blackbox exporter.

On customer hosting at AIOR, Let's Encrypt + cPanel/DirectAdmin auto SSL is the standard.
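An added example (not from the post) for the 30-day renew threshold and expiry monitoring: it parses the `notAfter=` line that `openssl x509 -noout -enddate` prints, classifies each certificate as ok, due for renewal or already expired, and emits a days-left gauge in Prometheus text format for alerting. Hostnames, dates and the fixed clock are constructed for the example.

```python
from datetime import datetime, timezone

RENEW_THRESHOLD_DAYS = 30   # renew this many days before expiry, as the post recommends

def parse_not_after(line: str) -> datetime:
    """Parse the 'notAfter=...' line printed by `openssl x509 -noout -enddate -in cert.pem`."""
    if not line.startswith("notAfter="):
        raise ValueError(f"unexpected openssl output: {line!r}")
    raw = line[len("notAfter="):].strip()      # e.g. 'Mar 15 12:00:00 2026 GMT'
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def renewal_status(not_after: datetime, now: datetime) -> tuple[str, int]:
    """'expired' / 'renew' (inside the threshold) / 'ok', together with whole days left."""
    days_left = (not_after - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= RENEW_THRESHOLD_DAYS:
        return "renew", days_left
    return "ok", days_left

def check_inventory(enddates: dict, now: datetime) -> dict:
    """Map host -> (status, days_left) for each host's notAfter line."""
    return {host: renewal_status(parse_not_after(line), now) for host, line in enddates.items()}

def prometheus_lines(results: dict) -> list:
    """Expose days left as a gauge so an overdue-renewal alert can fire on it."""
    return [f'cert_days_left{{host="{h}"}} {d}' for h, (_, d) in sorted(results.items())]

# Constructed sample: hosts and the notAfter line openssl printed for each (not real hosts).
SAMPLE_ENDDATES = {
    "www.example.test": "notAfter=Mar 15 12:00:00 2026 GMT",   # 14 days left -> renew
    "api.example.test": "notAfter=Jun  1 00:00:00 2026 GMT",   # 92 days left -> ok
    "old.example.test": "notAfter=Jan  1 00:00:00 2026 GMT",   # already expired
}
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)   # fixed clock so the example is reproducible

if __name__ == "__main__":
    for host, (status, days) in check_inventory(SAMPLE_ENDDATES, NOW).items():
        print(f"{host}: {status} ({days} days left)")
```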

Database credentials — dynamic secrets

Instead of a static database password, generate dynamic credentials per connection:
  • Vault Database Secret Engine.
  • AWS RDS IAM authentication.
  • Short lifecycle (hours).
  • Automatic cleanup.

This approach substantially reduces the risk of static credential leakage.

Code release signing

Software signing keys deserve special care:
  • Hardware Security Module (HSM) — physically secure.
  • Air-gapped key generation.
  • Multiple-party authorisation — no single point of failure.
  • Audit trail.
  • Key ceremony — formal process on major rotation.

AIOR keeps release signing keys in an HSM; every release requires manual approval.

Compromise response — emergency rotation

Fast reaction is critical when a secret is compromised. AIOR's incident response runbook:
  • Revoke immediately — the compromised secret is disabled at once.
  • Generate and deploy a new secret.
  • Audit log review — which systems did the secret access?
  • Restart affected services.
  • Notify customers if required.
  • Post-mortem — why did the compromise happen, how to prevent.

Audit and compliance

Secret rotation requires documentation for compliance:
  • Rotation log — when, who, which secret.
  • Last-rotation date tracking.
  • Overdue rotation alerts.
  • Annual review.

GDPR, ISO 27001, SOC 2 frameworks demand rotation evidence.
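The cadence table earlier in the post and the rotation-log and overdue-alert requirements in this section, as one added example (not AIOR's code): an inventory check that flags secrets past their cadence and records a rotation entry with the three fields the post names (when, who, which secret). The secret names, dates and type identifiers are constructed for the example; the "exempt" state for user passwords follows the NIST note in the cadence table.

```python
from dataclasses import dataclass
from datetime import date

# Rotation cadence in days per secret type, taken from the policy table in the post.
# None = no mandatory rotation (the NIST guidance the post cites for user passwords).
CADENCE_DAYS = {
    "user_password": None, "api_key_internal": 90, "api_key_3rd_party": 365,
    "db_password": 180, "tls_cert": 90, "signing_key": 365, "data_at_rest_key": 365,
}

@dataclass
class Secret:
    name: str
    kind: str
    last_rotated: date
    rotated_by: str

def rotation_status(s: Secret, today: date) -> tuple[str, int]:
    """Return ('exempt'|'ok'|'overdue', days past due); negative = days until due."""
    cadence = CADENCE_DAYS[s.kind]
    if cadence is None:
        return "exempt", 0
    days_over = (today - s.last_rotated).days - cadence
    return ("overdue" if days_over > 0 else "ok"), days_over

def record_rotation(log: list, s: Secret, who: str, when: date) -> None:
    """Append the rotation-log entry (when, who, which secret) and update the inventory."""
    log.append({"when": when.isoformat(), "who": who, "secret": s.name, "kind": s.kind})
    s.last_rotated, s.rotated_by = when, who

def overdue_report(inventory: list, today: date) -> list:
    """Secrets past their cadence, most overdue first; this feeds the overdue-rotation alert."""
    report = []
    for s in inventory:
        status, days_over = rotation_status(s, today)
        if status == "overdue":
            report.append((s.name, s.kind, days_over))
    return sorted(report, key=lambda r: -r[2])

# Constructed sample inventory; names, owners and dates are made up for the example.
INVENTORY = [
    Secret("billing-db", "db_password", date(2025, 7, 1), "ops"),
    Secret("payments-internal", "api_key_internal", date(2025, 12, 15), "ci"),
    Secret("release-signing", "signing_key", date(2025, 2, 1), "security"),
    Secret("alice-login", "user_password", date(2023, 1, 1), "alice"),
]
TODAY = date(2026, 3, 1)   # fixed clock so the example is reproducible
```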

Common mistakes

  • Hard-coded secrets in code — stay in git history.
  • Plain-text secrets in config files.
  • No rotation schedule — secrets stay the same for years.
  • Shared secrets across environments — staging and production identical.
  • No revocation after employee departure.
  • Old secret copies in backups.

Bottom line

Secret rotation in 2026 is one of the pillars of modern security hardening. The right tool choice (Vault, cloud secret manager), an automated rotation pipeline, zero-downtime patterns, and emergency response discipline keep production systems safe. AIOR delivers secret rotation infrastructure as a standard package on customer projects. Is your secret rotation manual or automatic, and what's the average secret age?