OpenSSL: Secrets Life Cycle
11 min read · Oct 17, 2020
The Generic Secret Life Cycle
[0] Entropy test
When a secret is generated, the RNG must first pass the entropy test, and the test result must be logged in the 'key birth certificate'. Any error or failure must also be logged.
[1,2] Escrow and storage
Once key generation sanity is assured, i.e. the entropy test passed during generation, the secret may be escrowed. The secret is bound to a single purpose, with a mortality lease and terms of use. If it is a key, it is assigned to, and restricted to, a specific cipher and protocol. It is enciphered under a KEK. If it must be frequently available, i.e. held in a key cache, the key cache itself must be protected. Secrets at rest (under the storage key) and secrets in transit (under the transport key) adhere to a cipher and protocol deemed safe to date.
[2] Secret agreement
The Secret Synch system monitors and orchestrates the longevity of secrets across the network. When it detects that a secret has reached its mortality (the lease has expired or is about to), it should revoke, rotate, refresh or renew the secret under reviewed terms.
[4] Compromise, recovery
In the case of a suspected secret compromise and/or service suspension, the secret must be erased from the cache. If the compromise is confirmed to be a false positive, recovery from escrow proceeds on a need basis only. It is nevertheless recommended to refresh and rotate the secret…
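The four stages above, walked through end to end as an added example; this is not code from the original article. It uses only the Python standard library: the SP 800-22 monobit test stands in for the entropy test, and an HMAC-SHA256 keystream XOR with an encrypt-then-MAC tag stands in for an AES key wrap so the script runs without OpenSSL bindings (in production the KEK wrap would be OpenSSL's AES key wrap or an HSM). The secret name, the use string, the lease lengths and the Secret Synch function names are all hypothetical.

```python
"""Toy secret life cycle, standard library only (added example, not the article's code).
Stage labels follow the article: [0] entropy test and birth certificate, [1,2] escrow
under a KEK with a lease and terms of use, [2] Secret Synch monitoring and rotation,
[4] compromise handling. ASSUMPTION: HMAC-SHA256 stream+tag stands in for AES key wrap."""
import hashlib, hmac, json, math, secrets
from datetime import datetime, timedelta, timezone


def monobit_ok(data: bytes, threshold: float = 2.576) -> bool:
    """SP 800-22 frequency (monobit) test; passes when the p-value is >= 0.01."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return abs(2 * ones - n) / math.sqrt(n) <= threshold


def generate_secret(name, nbytes=32, rng=secrets.token_bytes, now=None):
    """[0] Draw the secret, run the entropy test, write the key birth certificate."""
    now = now or datetime.now(timezone.utc)
    raw = rng(nbytes)
    cert = {"name": name, "created": now.isoformat(), "test": "monobit",
            "result": "pass" if monobit_ok(raw) else "fail",
            "fingerprint": hashlib.sha256(raw).hexdigest()[:16]}
    if cert["result"] == "fail":  # the failure is logged with the certificate; the key is never used
        raise ValueError("entropy test failed: " + json.dumps(cert))
    return raw, cert


def _subkeys(kek):
    """Separate encryption and MAC keys derived from the KEK."""
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())


def _keystream(k_enc, nonce, length):
    blocks = (hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def kek_wrap(kek, secret, terms):
    """[1,2] Cipher the secret under the KEK; the terms of use are authenticated with it."""
    k_enc, k_mac = _subkeys(kek)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(k_enc, nonce, len(secret))))
    tag = hmac.new(k_mac, nonce + terms + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def kek_unwrap(kek, blob, terms):
    k_enc, k_mac = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(k_mac, nonce + terms + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped secret or its terms of use were altered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


def _terms(name, use):
    return json.dumps({"name": name, "use": use}, sort_keys=True).encode()


def escrow(kek, name, secret, cert, use, lifetime, now):
    """Escrow record: wrapped secret plus its birth certificate and mortality lease."""
    return {"name": name, "use": use, "birth_certificate": cert, "revoked": False,
            "not_before": now.isoformat(), "not_after": (now + lifetime).isoformat(),
            "wrapped": kek_wrap(kek, secret, _terms(name, use)).hex()}


def lease_status(record, now, grace=timedelta(days=7)):
    """[2] Secret Synch check: what the orchestrator should do with this secret now."""
    if record["revoked"]:
        return "revoked"
    not_after = datetime.fromisoformat(record["not_after"])
    if now >= not_after:
        return "expired"
    return "rotate" if now >= not_after - grace else "valid"


def rotate(kek, record, now, lifetime, rng=secrets.token_bytes):
    """Issue a successor with a fresh lease and retire the old record."""
    secret, cert = generate_secret(record["name"], rng=rng, now=now)
    record["revoked"] = True
    return escrow(kek, record["name"], secret, cert, record["use"], lifetime, now)


def handle_suspected_compromise(cache, record):
    """[4] Erase the cached copy first; recovery from escrow is a separate, deliberate step."""
    cache.pop(record["name"], None)
    return record["name"] not in cache


def recover_from_escrow(kek, record):
    return kek_unwrap(kek, bytes.fromhex(record["wrapped"]), _terms(record["name"], record["use"]))


def demo(rng=secrets.token_bytes):
    """Walk one hypothetical secret through every stage on a fixed clock; returns what each stage saw."""
    kek, year = secrets.token_bytes(32), timedelta(days=365)
    t0 = datetime(2020, 10, 17, tzinfo=timezone.utc)
    near_expiry = t0 + year - timedelta(days=3)
    secret, cert = generate_secret("api-hmac-key", rng=rng, now=t0)
    rec = escrow(kek, "api-hmac-key", secret, cert, "hmac-sha256 request signing", year, t0)
    cache = {"api-hmac-key": secret}
    out = {"status_at_issue": lease_status(rec, t0), "status_near_expiry": lease_status(rec, near_expiry),
           "status_after_expiry": lease_status(rec, t0 + year)}
    new = rotate(kek, rec, near_expiry, year, rng=rng)
    out.update(old_status_after_rotate=lease_status(rec, near_expiry), new_status=lease_status(new, near_expiry),
               cache_erased=handle_suspected_compromise(cache, rec),
               recovered_matches=recover_from_escrow(kek, rec) == secret)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly and `demo()` prints the status the Secret Synch check returns at issue, near expiry and after expiry, then the result of rotation, cache erasure and recovery from escrow. Two details worth noticing: the terms of use are bound into the wrap's tag, so an escrowed blob cannot be silently repurposed for a different use or name without failing `kek_unwrap`; and `generate_secret` refuses to return a key whose entropy test failed, raising with the birth certificate so the failure is logged rather than swallowed. The monobit threshold corresponds to p = 0.01, so roughly one in a hundred honest 256-bit keys will be rejected and regenerated, which is the expected cost of that test.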