
Secrets Management

Body of Knowledge

| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Secrets Management Fundamentals | Secure storage, access control, rotation, auditing, dynamic secrets, encryption-as-a-service principles. | Critical | DevSecOps, Security Engineer, Platform Engineer |
| HashiCorp Vault | Architecture, secrets engines, auth methods, policies, tokens, leases, response wrapping, HA. | Critical | DevSecOps, Platform Engineer |
| Vault PKI Engine | Certificate authority, intermediate CAs, certificate issuance, TTLs, CRL, OCSP, auto-rotation. | High | DevSecOps, Security Engineer, PKI Administrator |
| Vault SSH-CA | Host and client certificate signing, principals, time-limited access, key rotation. | High | DevSecOps, Security Engineer |
| AWS Secrets Manager/Parameter Store | Secret storage, rotation, cross-account access, integration with Lambda and ECS. | High | DevSecOps (AWS), Cloud Engineer |
| Azure Key Vault | Secrets, keys, certificates, managed identity access, RBAC, soft delete. | Medium | DevSecOps (Azure), Cloud Engineer |
| age Encryption | Modern file encryption, recipients, identity keys, SOPS integration, streaming. | High | DevSecOps, Systems Administrator |
| SOPS | Encrypted files in git, AWS KMS/GCP KMS/Azure KV/age/PGP backends, edit workflow. | High | DevSecOps, Platform Engineer |
| External Secrets Operator | Kubernetes external secrets, provider integration, secret sync, refresh intervals. | High | Platform Engineer, DevSecOps |
| gopass/pass | CLI password manager, git backend, team sharing, GPG/age encryption, shell integration. | Medium | Systems Administrator, DevSecOps |
| SSH Key Management | Key generation, distribution, Vault SSH-CA, FIDO2 keys, rotation strategies, agent forwarding. | Critical | Systems Administrator, Security Engineer |

Personal Status

| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| HashiCorp Vault PKI / SSH-CA | Advanced | Vault PKI backend issuing 802.1X client certs; Vault SSH-CA signing host and client keys; auto-rotation, TTL management, CRL publishing | Secrets Vault | No Vault Enterprise features (namespaces, Sentinel policies) |
| Secrets Management Fundamentals | Advanced | Vault for dynamic secrets, age encryption for dotfiles, gopass for personal credentials; CLAUDE.md enforces the secrets-never-surface invariant | Secrets Management, dots-quantum | No cloud KMS (AWS KMS, Azure Key Vault), no External Secrets Operator for Kubernetes |
| age Encryption | Advanced | age for SSH config encryption, dotfile secrets, backup encryption; recipients file management, identity key rotation; enforced via CLAUDE.md invariant | Secrets Management, dots-quantum | No age plugins, no hardware-backed age keys |
| gopass | Advanced | Personal credential store: hierarchical secrets, team sharing model, git-backed sync, gpg + age backends; integrated into shell workflow | PRJ-2026-03-gopass-personal-docs: Secure Credential Generator | No gopass in team/enterprise context, no browser integration |
| SSH Key Management | Advanced | Vault SSH-CA for signed keys; per-host key pairs; ssh-agent forwarding; ProxyJump chains; age-encrypted SSH config tracked in git | Secrets Management, SSH Security Reference | No FIDO2/ed25519-sk keys, no certificate-based SSH at enterprise scale |