## Secrets Management Checklist

- [ ] Audit current secrets usage:
  - [ ] HONCHO_TOKEN
  - [ ] HONCHO_DB_PASSWORD
  - [ ] POSTGRES_PASSWORD
  - [ ] CAMOFOX_API_KEY
  - [ ] CAMOFOX_ADMIN_KEY
  - [ ] SearXNG secret_key
  - [ ] Any API keys for external LLM providers
- [ ] Secret storage:
  - [ ] Keep .env.example free of real values (it already uses placeholders)
  - [ ] Verify .env is listed in .gitignore
  - [ ] Choose and implement one secret management solution:
    - [ ] Option A: HashiCorp Vault
    - [ ] Option B: Docker Secrets (Swarm mode)
    - [ ] Option C: SOPS + age (or GPG), encrypted secrets committed to Git; recommended for self-hosted / GitOps deployments
    - [ ] Option D: Cloud provider secrets manager (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault)
  - [ ] If using SOPS, add a .sops.yaml that pins which files are encrypted and with which age/GPG recipients
- [ ] Secret injection:
  - [ ] Docker Compose `secrets:` for Docker Compose deployments
  - [ ] Environment variable injection at runtime
  - [ ] No secrets in Docker images
  - [ ] No secrets in docker-compose.yml
- [ ] Secret rotation:
  - [ ] Document rotation procedures
  - [ ] Automated rotation for secrets that support it
  - [ ] Rotation schedule (90 days for API keys, 30 days for DB passwords)
- [ ] Secret scanning:
  - [ ] Add secret scanning to the CI pipeline (truffleHog, git-secrets, or gitleaks)
  - [ ] Add a pre-commit hook for secret detection
- [ ] Documentation:
  - [ ] Document secret management procedures in docs/SECRETS_MANAGEMENT.md
  - [ ] Document routine rotation procedures
  - [ ] Document emergency rotation procedures (suspected or confirmed leak)
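The "pre-commit hook for secret detection" and ".env.example uses placeholders / .env is gitignored" items, as an added example that is not the project's own hook or code. It is a small Python scanner that flags the secret names audited in the checklist when they carry a literal (non-placeholder) value, flags high-entropy values in any secret-looking variable (e.g. external LLM API keys), and does an approximate check that `.env` is covered by `.gitignore`. The environment-variable spelling `SEARXNG_SECRET_KEY`, the placeholder conventions, and both sample files are assumptions constructed for the example.

```python
"""Minimal pre-commit secret scanner (added example, not the project's own hook)."""
import fnmatch
import math
import re
from collections import Counter

# Names from the checklist's audit list. SEARXNG_SECRET_KEY is an assumed
# environment-variable spelling for the SearXNG secret_key setting.
TRACKED_SECRET_NAMES = frozenset({
    "HONCHO_TOKEN", "HONCHO_DB_PASSWORD", "POSTGRES_PASSWORD",
    "CAMOFOX_API_KEY", "CAMOFOX_ADMIN_KEY", "SEARXNG_SECRET_KEY",
})

# Values acceptable in .env.example / compose files: empty, <angle> placeholders,
# ${VAR} / $VAR references and the usual "changeme"-style markers (assumed conventions).
PLACEHOLDER_RE = re.compile(
    r"^$|^(?:<[^>]*>|\$\{[^}]*\}|\$[A-Z_][A-Z0-9_]*|change[-_]?me|your[-_][\w-]*"
    r"|xxx+|\*{3,}|placeholder|todo)$",
    re.IGNORECASE,
)

# NAME=value, NAME: value, "- NAME=value" (compose list form), export NAME=value.
# Value runs up to whitespace, a quote or a comment; names must be SCREAMING_SNAKE_CASE.
ASSIGN_RE = re.compile(
    r"""^\s*(?:-\s*)?(?:export\s+)?([A-Z][A-Z0-9_]*)\s*[=:]\s*["']?([^"'\s#]*)"""
)

# A variable whose name contains one of these is treated as secret-bearing even
# when it is not in the tracked set (covers "any API keys for external LLMs").
SENSITIVE_FRAGMENTS = ("KEY", "TOKEN", "SECRET", "PASSWORD", "PASSWD")
HIGH_ENTROPY_BITS = 3.5   # bits per character; random API keys sit well above this
MIN_SECRET_LEN = 16


def shannon_entropy(value: str) -> float:
    """Bits per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(text: str, path: str) -> list:
    """Return (path, line_no, name, reason) findings for one file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if PLACEHOLDER_RE.match(value):
            continue                      # placeholders are what .env.example should hold
        if name in TRACKED_SECRET_NAMES:
            findings.append((path, line_no, name, "tracked secret has a literal value"))
        elif (any(f in name for f in SENSITIVE_FRAGMENTS)
              and len(value) >= MIN_SECRET_LEN
              and shannon_entropy(value) >= HIGH_ENTROPY_BITS):
            findings.append((path, line_no, name, "high-entropy value in secret-like variable"))
    return findings


def env_is_gitignored(gitignore_text: str, filename: str = ".env") -> bool:
    """Approximate gitignore check: does any non-negated pattern match `filename`?
    (fnmatch is a simplification of real gitignore semantics; enough for a hook.)"""
    for raw in gitignore_text.splitlines():
        pattern = raw.strip()
        if not pattern or pattern.startswith(("#", "!")):
            continue
        if fnmatch.fnmatch(filename, pattern.lstrip("/")):
            return True
    return False


# Constructed sample inputs: a clean .env.example and a compose file with leaks.
SAMPLE_ENV_EXAMPLE = """# constructed sample, placeholders only
HONCHO_TOKEN=<your-honcho-token>
HONCHO_DB_PASSWORD=changeme
POSTGRES_PASSWORD=
CAMOFOX_API_KEY=${CAMOFOX_API_KEY}
CAMOFOX_ADMIN_KEY=""
"""
SAMPLE_COMPOSE = """services:
  db:
    environment:
      POSTGRES_PASSWORD: s3cr3t-prod-pw
      OPENAI_API_KEY: "sk-abcdefghijklmnopqrstuvwxyz0123456789ABCD"
"""
SAMPLE_GITIGNORE = "node_modules/\n.env\n!.env.example\n"

if __name__ == "__main__":
    import sys
    problems = scan_text(SAMPLE_ENV_EXAMPLE, ".env.example")
    problems += scan_text(SAMPLE_COMPOSE, "docker-compose.yml")
    for path, line_no, name, reason in problems:
        print(f"{path}:{line_no}: {name}: {reason}")
    if not env_is_gitignored(SAMPLE_GITIGNORE):
        print(".gitignore does not cover .env")
        problems.append(".env")
    sys.exit(1 if problems else 0)   # non-zero exit blocks the commit
```

Wired into a pre-commit hook, the same `scan_text` would be run over each staged file's contents (e.g. from `git diff --cached`), and a non-zero exit blocks the commit; the entropy check is deliberately a second line behind the name-based rule, because tracked secrets with short or low-entropy values (a weak DB password) would otherwise slip through.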