Secrets Management

0%
Theory
Quiz

    Fundamentals & Classification

    • What is a "secret" in the context of software systems, and how does it differ from ordinary configuration data?

      Junior
    • What is secrets management, and why is it important for securing sensitive information in a DevOps environment?

      Junior
    • Describe the typical lifecycle of a secret, from generation to revocation.

      Junior
    • What are the fundamental security concerns that necessitate storing sensitive data like passwords or tokens as secrets?

      Junior
    • Explain the concept of a secret in a secrets manager, including how secrets are stored and managed.

      Junior
    • What is the difference between static and dynamic secrets?

      Junior
    • Why does secure secret generation matter, and what makes a strong, high-entropy generated secret compared to a human-chosen one?

      Junior
    • How do you decide which pieces of configuration should be treated as secrets versus ordinary config, and what are the pitfalls of the 12-factor 'config in the environment' approach for secrets?

      Mid
    • Explain the different types of secrets you need to govern and their varying risk profiles and recommended rotation frequencies.

      Senior

    Access Control Principles

    • What is the Principle of Least Privilege, and how does it apply to secrets management?

      Junior
    • Why should secrets not be reused across development, staging, and production environments, and how does this limit blast radius?

      Junior
    • What is 'need-to-know' access for secrets, and how does it differ from or complement least privilege?

      Junior
    • Discuss the concept of "separation of duties" in the context of secrets management.

      Mid
    • How does the principle of least privilege apply to secrets management in containerized environments, and why should secrets not be accessible to all containers?

      Mid
    • Describe your approach to secrets management across development, staging, and production environments.

      Mid
    • How does modern authentication shift focus from "What do you have?" to "Who are you?" in the context of machine identity for secrets access?

      Senior
    • How do you establish approval and policy workflows for accessing and managing secrets?

      Senior

    Least Privilege & Blast Radius

    • What are dynamic secrets and short-lived credentials, and why are they considered a best practice?

      Mid
    • How do dynamic secrets help mitigate the risk of secret leaks?

      Mid
    • Why are short-lived secrets fundamentally safer than long-lived ones, and what operational challenges does making everything short-lived introduce?

      Mid
    • Explain the concept of "blast radius containment" in the event of a secret compromise.

      Senior

    Exposure Risks & Anti Patterns

    • Why should secrets never be hardcoded in source code, committed to version control, or baked into container images, and what are the associated risks?

      Junior
    • What is "secret sprawl," what are its implications for an organization's security posture, and how can it be prevented?

      Mid
    • What are the risks associated with injecting secrets via environment variables, and how can these risks be mitigated?

      Mid
    • How can secrets be kept out of command-line arguments and application logs?

      Mid
    • How do you prevent secrets from being baked into Docker image layers?

      Mid
    • What are the common failure patterns in secrets management within organizations?

      Senior
    • What are the risks of secrets leaking into Terraform state files, and how can this be prevented?

      Senior
    • How can secrets be exposed through /proc, child processes, or crash/core dumps, and what mitigations reduce that exposure?

      Senior

    Secret Scanning & Leak Response

    • What steps should be taken immediately when a secret is accidentally leaked or committed to source control, and why is purging history alone insufficient?

      Mid
    • What is secret scanning, what tools or techniques are used for it, and when in the development lifecycle should scanning occur?

      Mid
    • Describe the process of credential revocation and emergency rotation after a secret leak.

      Mid
    • Why is purging a secret from Git history alone insufficient, and how do secret scanners handle scanning full repository history versus just new commits?

      Mid
    • What is push protection in secret scanning, and how does it prevent secrets from ever reaching a remote repository?

      Mid
    • How do entropy-based and pattern-based detection strategies differ in secret scanners, and how do you deal with false positives?

      Mid

    Kubernetes Secrets

    • What is the difference between a Kubernetes ConfigMap and a Kubernetes Secret, and why are Kubernetes Secrets considered a better, though not perfect, solution for sensitive data?

      Junior
    • What characterizes Kubernetes Secrets?

      Junior
    • How can external secret management systems like HashiCorp Vault or AWS Secrets Manager be integrated with Kubernetes for more robust secret handling?

      Mid
    • Explain the security implications of Kubernetes Secret objects being base64-encoded by default rather than encrypted, and what measures can enhance their security at rest.

      Mid
    • What are the common pitfalls or misconceptions when using Kubernetes Secrets?

      Mid
    • How can access to Kubernetes Secrets be restricted using RBAC?

      Mid
    • Why should Kubernetes Secrets not be used directly in production?

      Mid
    • What is the CSI Secrets Store driver, and how does it allow secrets from external providers to be mounted into pods as volumes?

      Mid
    • How do external secret management systems like External Secrets Operator or Sealed Secrets address the limitations of native Kubernetes Secrets?

      Senior
    • What are the security concerns with storing sensitive information directly in Kubernetes Secret objects, and what are alternative, more secure methods for injecting secrets into pods?

      Senior
    • How does the External Secrets Operator synchronize secrets from an external store into Kubernetes, and what are the security implications of the synced copy living in etcd?

      Senior

    Hashicorp Vault

    • What are the essential components or key features of a dedicated secrets management system or vault?

      Junior
    • What can typically be stored in a HashiCorp Vault, and what are its capabilities beyond simple key-value storage?

      Junior
    • What is the concept of secret versions in Vault?

      Junior
    • What is the significance of the Vault token?

      Junior
    • What is the difference between authentication and authorization in the context of Vault?

      Junior
    • Explain the purpose of different types of secret engines in HashiCorp Vault.

      Mid
    • How does Vault store its data?

      Mid
    • What are Namespaces in Vault?

      Mid
    • What are policies in Vault?

      Mid
    • Discuss the conceptual architecture of HashiCorp Vault, including secret engines, authentication methods, and policies.

      Senior
    • What are the limitations or operational challenges often associated with deploying and managing a self-hosted secrets management solution like HashiCorp Vault at scale?

      Senior
    • Which tools enhance HashiCorp Vault for encryption, and what is the role of KMS and the Transit engine?

      Senior

    Vault Sealing & Key Quorum

    • How does HashiCorp Vault handle its own master key and the "seal/unseal" process?

      Senior
    • What is Shamir's Secret Sharing, and how is it used to distribute Vault unseal keys among multiple key holders?

      Senior
    • What is auto-unseal, how does it differ from manual unsealing with a key quorum, and what are the security tradeoffs of delegating unseal to a cloud KMS?

      Senior

    Cloud Secret Managers

    • Explain how cloud secret managers such as AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault provide centralized secret storage and management.

      Junior
    • How are secrets stored in a cloud secrets manager?

      Junior
    • What are the best practices for securing secrets in a cloud secret manager, and how can you ensure sensitive information remains protected?

      Mid
    • Compare and contrast AWS Secrets Manager and AWS Systems Manager Parameter Store for secrets management, and when would you use one over the other?

      Mid
    • What problems do dedicated secret management solutions like HashiCorp Vault or AWS Secrets Manager aim to solve, and what value do they add?

      Mid
    • How can you access secrets stored in a cloud secrets manager from your applications and services securely?

      Mid
    • How do SaaS secret managers like Doppler or 1Password fit into a secrets management strategy, and what tradeoffs come with a third-party managed store?

      Mid

    Key Management & Encryption

    • How does a secrets vault typically secure sensitive data at rest, and what does encryption at rest for secrets mean?

      Mid
    • What is the difference between AWS Key Management Service (KMS) and AWS Secrets Manager in terms of encryption and access control for stored secrets?

      Mid
    • What is the role of a Hardware Security Module (HSM) in a secrets management solution?

      Mid
    • What are the key objectives of key management in a data protection plan?

      Mid
    • How can you manage and rotate encryption keys in Vault?

      Mid
    • How do you handle secrets management and encryption at rest to ensure secure storage of sensitive data like passwords and API keys?

      Mid
    • What is the difference between a Customer Master Key (CMK) and a Data Encryption Key (DEK) in the context of secrets management and encryption?

      Mid
    • What is the role of a Key Management Service (KMS) in a secure architecture, particularly concerning secrets management?

      Mid
    • Explain the concept of envelope encryption (DEK/KEK) and key hierarchies in the context of protecting secrets.

      Senior
    • Explain encryption as a service, specifically how it relates to configuring a transit secret engine, encrypting/decrypting secrets, and rotating encryption keys.

      Senior
    • How do you approach securing data in multi-cloud environments, specifically regarding key management?

      Senior
    • How do KMS key policies and IAM policies work together to control access to secrets and encryption keys?

      Senior
    • What are the differences between symmetric and asymmetric CMKs in AWS KMS, and when would you use each for secrets protection?

      Senior
    • How does key rotation affect previously encrypted data when using a KMS?

      Senior

    Secret Rotation

    • What is secret rotation, why is it a crucial security practice, and how often should secrets be rotated?

      Junior
    • How do "leases" and "TTLs" contribute to the security of secrets?

      Mid
    • Explain strategies for performing secret rotation without downtime, such as versioning, dual/overlapping credentials, or graceful rollover.

      Senior
    • What happens if an application is using an expired secret, and how should applications be designed to handle secret rotation gracefully without downtime?

      Senior
    • How does an automated rotation function work, and how can you customize it to meet specific secret rotation requirements?

      Senior

    Dynamic & Short Lived Credentials

    • Explain how credential types are used to securely manage sensitive data like SSH keys, API tokens, and passwords.

      Mid
    • How do you use API keys for system integrations, and what security considerations are important?

      Mid
    • How can dynamic SSH credentials or an SSH secrets engine be used to manage SSH access without distributing long-lived private keys?

      Senior
    • How do you migrate an organization from long-lived static secrets to dynamic, short-lived credentials without disrupting running services?

      Senior

    Workload Authentication & Secret Zero

    • Which authentication methods would you use to authenticate a workload with a secret vault using OIDC or a JWT?

      Mid
    • Which authentication methods would you use to authenticate a workload with a secret vault using a Kubernetes Service Account Token?

      Mid
    • How can OIDC-federated short-lived cloud credentials be used in CI/CD pipelines to enhance security compared to long-lived API keys?

      Senior
    • Explain the "secret zero" problem in secrets management, particularly in cloud-native applications, and why protecting secret zero is a primary concern.

      Senior
    • Explain the "Pull Mode" in authentication methods for secrets retrieval, such as when a SecretID is fetched from an AppRole.

      Senior
    • Explain the "Push Mode" in authentication methods for secrets retrieval, such as when a custom SecretID is set against an AppRole by the client.

      Senior
    • How can the "secret zero" problem be addressed or mitigated?

      Senior
    • How do Zero Trust architectures help mitigate the 'Secret Zero' problem?

      Senior
    • What is workload identity (e.g., SPIFFE/SPIRE), and how does giving a workload a verifiable identity change how it authenticates to a secret store?

      Senior

    Secret Delivery & Injection

    • Explain the difference between "pull" and "push" models for secret distribution to applications.

      Mid
    • How does a sidecar or agent-based injection pattern (e.g., Vault Agent with auto-auth and templating) deliver secrets to an application, and what are its advantages over the app calling the secrets API directly?

      Mid
    • What role can init containers play in fetching and preparing secrets for an application, and how does that differ from a long-running sidecar?

      Mid
    • What is the difference between mounting secrets as files on tmpfs versus writing them to disk, and why does tmpfs matter for secret safety?

      Mid
    • What does it mean to template secrets into a configuration file at runtime, and what risks must you manage when rendering secrets into templates?

      Mid
    • Explain various methods applications use to obtain secrets at runtime securely and discuss the trade-offs of each (environment variables, mounted files, sidecar agents, SDKs).

      Senior
    • What are the tradeoffs of caching secrets in application memory, and how do you balance availability against staleness and exposure risk?

      Senior

    Cicd & Gitops Secrets

    • Explain the concept of "masked" or "protected" variables in CI/CD systems.

      Junior
    • How do you handle secrets in a CI/CD pipeline to prevent them from being exposed in logs, artifacts, or source code?

      Mid
    • What is helm-secrets and how does it enable encrypting secret values within Helm charts for GitOps workflows?

      Mid
    • How do Docker and Docker Compose secrets work, and how do BuildKit build secrets let you use a secret during an image build without baking it into a layer?

      Mid
    • How do Sealed Secrets work cryptographically, and why does the asymmetric encryption model make them safe to commit to a Git repository?

      Mid
    • How do you manage secrets in a GitOps workflow where configurations are stored in Git, using tools like SOPS or git-crypt?

      Senior

    Certificate & Pki Management

    • Explain the role of automated certificate issuance and renewal (e.g., ACME, cert-manager) in a secrets management strategy.

      Mid
    • How do you manage the lifecycle of TLS private keys and certificates, including issuance, storage, rotation, expiry monitoring, and revocation?

      Senior
    • How does the Vault PKI secrets engine let you issue and manage short-lived certificates, and what advantage does that offer over long-lived TLS certs?

      Senior
    • How should code-signing keys be managed and protected as secrets, given their high blast radius if compromised?

      Senior
    • How are mTLS credentials (client certificates and keys) managed as secrets that must be issued, distributed, rotated, and revoked?

      Senior
    • How do certificate revocation mechanisms like CRLs and OCSP fit into managing the lifecycle of TLS certificates as secrets?

      Senior

    Governance Auditing & Resilience

    • How do you handle secrets in a DevSecOps/DevOps environment?

      Mid
    • How do you audit and monitor secret activity in a secrets management system, and what services or strategies can be used for tracking changes and access?

      Mid
    • What is a secret inventory, and why is knowing where all your secrets live essential to managing them?

      Mid
    • What is break-glass access to secrets, and how do you design an emergency access procedure that remains secure and auditable?

      Senior
    • How do you approach disaster recovery and backup for a secrets management system without creating new exposure of the secrets?

      Senior
    • What challenges arise when replicating or synchronizing secrets across multiple regions or availability zones, and how do you keep them consistent and secure?

      Senior