Secret rotation

To create a configuration that is a secret and use RelFast to easily rotate it, follow the step-by-step instructions below. Please ensure that you have the necessary "Create Configuration" permissions, which are environment-specific, to perform this operation.

Instructions:

1. Refer to the "Create Configuration" page in the RelFast portal to understand how to create a new configuration.

2. To easily rotate a secret, the application needs to follow a specific pattern. Secrets should always be associated with an identifier key and value in the JSON representation.

3. The JSON representation of the secret should be as follows:

json code
"secrets": [{"key": "key1","secret": "My secret 1"},{"key": "key2","secret": "My secret 2"},// Add more keys and secrets as needed],"currentsecretkey": "key1"

1. Define the first configuration in RelFast for the secret identifier. This configuration will store the identifier key.

2. Define the second configuration in RelFast for the actual secret. Mark this configuration as secured to ensure it is stored in an encrypted vault.

3. Define a rule in RelFast to associate the key identifier with the corresponding secret value.

4. Enable both configurations to make them active.

5. Use the provided code as a sample to interact with the configurations in RelFast. This code will help you retrieve the current encryption key identifier and secret.

csharp code
// Grab the current encryption key identifier.var encryptionId = await _relFastClient.GetConfigurationValueAsync<string>(new ConfigurationGetRequest<string>()
{
    ConfigurationId = "39a23286-b56b-4838-894c-87267b9897c6",
    CacheIntervalInMilliSeconds = 0,
    EnableCaching = false,
    FallBack = "key1"
}, default);

var metadata = new Dictionary<string, string>();
metadata.Add("encryptionkeyidentifier", encryptionId); // Retrieved encryption identifier// Retrieve the secret using the encryption key identifier.var secret = await _relFastClient.GetConfigurationValueAsync<string>(new ConfigurationGetRequest<string>()
{
    ConfigurationId = "dcea34a2-26cd-4120-b752-e648df1a2253",
    CacheIntervalInMilliSeconds = 0,
    EnableCaching = false,
    FallBack = string.Empty,
    Metadata = metadata
}, default);

1. To rotate the secret, add a new alternative to the EncryptionKeyIdentifier configuration, add a new alternative to the EncryptionKey configuration, and define the new conditional rule. Delete/remove the old key and value (alternatives) once you have confirmed that they are no longer being used.

2. Add a new key identifier configuration to RelFast for the updated encryption key.

3. Add a new secret configuration to RelFast for the updated secret.

4. Add a new conditional rule to associate the new key identifier with the new secret value.

5. The rotation step is now complete. Make sure to delete the old alternatives from the configurations once you have confirmed that no background processes in your system are using the old key-value pair.

6. The "Is Secured" switch can be used to store the alternatives at rest in an encrypted vault for added security.

By following these instructions, you can create a configuration that represents a secret and use RelFast to easily rotate the secret when needed, ensuring that your application's sensitive data remains secure and up-to-date.