What is the best way to manage production secrets?
Use AWS Secrets Manager for production (encrypted at rest, IAM-controlled, audit trail, auto-rotation). Use .env with restricted permissions (chmod 600) for staging. Use .env for development. Never commit any .env to Git. Rotate secrets regularly.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Production Secrets Management Strategy From .env to AWS Secrets Manager
Support multiple JWT secrets during rotation: verify tokens with any of the old and new secrets, but sign new tokens with the new secret. After 7 days (token expiry), remove the old secret. Users with old tokens stay logged in until their token expires.
Export from Secrets Manager, encrypt with GPG (gpg --cipher-algo AES256), and store in an S3 bucket with KMS encryption. Store the GPG passphrase separately (e.g., in a password manager or separate KMS key). Test restoration periodically.
Secrets Manager can automatically rotate database credentials on a schedule (e.g., every 30 days). It uses a Lambda function to update the password in both the database and the secret. Your app retrieves the new credentials on the next startup or reconnect.
Still have questions?
Browse all our FAQs or reach out to our support team
