Secrets Handling
10 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What qualifies as a "secret" in infrastructure management?
Answer: Passwords, API keys, tokens, certificates, SSH private keys, and database credentials. Anything that grants access to a system or service if exposed.

2. Name three places where secrets should NEVER be stored.
Answer: Git repositories (even private ones), Dockerfiles or container images, and plaintext config files on servers. Also avoid log files and environment variable dumps in error pages.

3. What are three appropriate places to store secrets?
Answer: Dedicated secrets managers (HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager), environment variables for runtime injection, and encrypted config files (Ansible Vault, SOPS).

🟡 Medium (4)

1. How can you detect secrets that were accidentally committed to a Git repository?
Answer: Use trufflehog (trufflehog git file://./my-repo --only-verified) to scan the entire git history for verified secrets. You can also use "git log --all -p | grep -iE 'password|secret|api_key|token'" for a quick manual check, though this produces more false positives.

2. What is SOPS, and how does it protect secrets in config files?
Answer: SOPS (Secrets OPerationS) encrypts config files in place while keeping the structure (keys) visible and only encrypting the values. This lets you version config files in git safely. Encrypt with "sops --encrypt --in-place config.yaml" and decrypt with "sops --decrypt config.yaml". SOPS supports AWS KMS, GCP KMS, Azure Key Vault, and PGP as encryption backends.

3. How do you check when a TLS certificate expires, and why is automating certificate renewal important?
Answer: Check with: openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates. Automating renewal (e.g., with certbot renew) is critical because expired certificates cause outages — services become unreachable when clients reject the expired cert.

4. What is the recommended SSH key type to generate, and how do you deploy it to a server?
Answer: Generate with "ssh-keygen -t ed25519 -C user@company.com" (ed25519 is shorter, faster, and more secure than RSA). Deploy to a server with "ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server". Use an SSH agent (ssh-add) to avoid typing the passphrase repeatedly.

🔴 Hard (3)

1. Why is the most common attack vector leaked credentials rather than sophisticated exploits, and what does this imply?
Answer: Because credentials in git repos, logs, or error pages are trivially discoverable with automated scanning tools. This means guarding secrets through proper storage, rotation, and leak detection (CI secret scanning) provides more security ROI than defending against zero-days. Prevention is about process and tooling, not exotic defenses.

2. How do you verify the full TLS certificate chain for a domain, and what does an incomplete chain cause?
Answer: Use "openssl s_client -connect example.com:443 -showcerts" to see every certificate in the chain from server cert to root CA. An incomplete chain (missing intermediate certificate) causes some clients to reject the connection with a certificate validation error even though the server cert itself is valid — different clients have different trust store behaviors.

3. Why is a regular patching schedule better than reactive patching, and what role does vulnerability scanning play?