2.6 KiB
Pattern: Secret Zero Avoidance
Status: reviewed Readiness target: RL3 production Primary owners: NetKingdom, Railiance platform
Problem
A secret manager cannot safely improve the platform if its bootstrap material becomes a larger unmanaged secret than the credentials it is meant to protect.
Context
Use this pattern when introducing OpenBao, encrypted Git secrets, emergency bundles, age/SOPS bootstrap material, or recovery ceremonies.
Forces
- The platform needs an initial trust anchor.
- Operators need recoverability, but ordinary workloads must never use platform-root material.
- GitOps needs reproducible configuration, but secret plaintext does not belong in repositories.
- Emergency access must exist without becoming normal operating access.
Solution
Separate bootstrap trust from runtime secret authority. Use encrypted bootstrap material only for installation and recovery, then transfer ordinary secret issuance, rotation, audit, and lease tracking to OpenBao.
Implementation Sketch
- Store bootstrap and recovery material in encrypted form with explicit custody.
- Require a documented ceremony for unseal, restore, and emergency recovery.
- Move runtime workloads to OpenBao-issued or brokered secrets.
- Keep root/recovery material out of normal deployment paths.
- Record every break-glass or bootstrap use as a review event.
Failure Modes
| Failure | Mitigation |
|---|---|
| Bootstrap root token reused by workloads | prohibit root material in runtime manifests |
| Encrypted secret repository becomes undocumented | maintain owner, recipient, and rotation inventory |
| Recovery ceremony untested | run restore and unseal drills |
| Emergency bundle becomes daily admin path | require post-event review and replacement |
Related Capabilities
- Secrets, keys, and credentials.
- Security governance and production readiness.
- Incident response and recovery.
- Observability, detection, and audit.
Maturity
Reviewed. NetKingdom credential and OpenBao architecture already anchor the pattern; operational drills are still needed before canonical status.
Verification
- Runtime workloads do not reference bootstrap root material.
- OpenBao audit is enabled before production use.
- Recovery and unseal steps are documented and tested.
- Emergency access events produce reviewable records.
Research Basis
Seeded by encrypted Git secret, central secrets management, break-glass, and incident recovery requirements in the initial exploration.
References
- NetKingdom credential-management standard.
- NetKingdom recursive platform identity/security architecture.
- Railiance OpenBao platform secrets service.