Skip to main content

Secrets and Encryption Workshop

Retrieval Prompts

  1. State the five lifecycle steps of a secret (generate, store, distribute, rotate, revoke).
  2. Explain what a dynamic secret is and why a 30-minute database credential is different from rotating a static one.
  3. Draw the DEK/KEK envelope-encryption flow from memory.
  4. State what in-transit encryption protects and what it does not.
  5. State the four rungs of the data classification ladder and give one example field per rung.

Compare and Distinguish

Separate these pairs clearly:

  • vault-managed static secret vs dynamic secret
  • KEK rotation vs DEK rotation
  • TLS vs disk encryption vs application-level encryption
  • pseudonymization vs anonymization
  • minimization vs encryption as defenses

Common Mistake Check

For each statement, identify the error:

  1. "We store the key in environment variables, which is secure because they're not on disk."
  2. "We use KMS, so we're doing envelope encryption."
  3. "HTTPS is enabled, so the data is encrypted end to end."
  4. "We rotate the KEK, so the data is re-encrypted."
  5. "We log the full request body for debugging -- it's internal, so PII is fine."

Mini Application

Part 1 -- Secret rotation workflow (45 minutes)

Pick one secret from a system you know (DB password, API key, signing key). Design the full rotation workflow with:

  • trigger (scheduled? incident-driven? both?)
  • new-value generation (who does it, where)
  • distribution to consumers (how they pick up the new value)
  • verification (how you know the new value works)
  • revocation of the old value
  • rollback (what if the new value is broken)
  • audit (who did what, when)

Write it as a one-page runbook a peer could execute without you.

Part 2 -- Envelope encryption diagram (20 minutes)

Redraw the DEK/KEK flow from memory, then extend it with:

  • what happens on a read
  • what happens on KEK rotation
  • what happens if the KEK is revoked

Compare with the Google Cloud KMS envelope-encryption doc and note any gap.

Part 3 -- Data classification sheet (30 minutes)

Pick a feature you have shipped. Make a table:

FieldClass (Public/Internal/Confidential/Restricted)StorageAccess policyLog policyRetention

List at least 10 fields. Mark at least one field you could drop (minimization) and one field that is in the wrong class today.

Evidence Check

This page is complete when:

  • the rotation runbook can be executed by someone else
  • the envelope-encryption diagram is drawn from memory, including rotation and revocation paths
  • the classification table names at least one minimization opportunity and one misclassification
  • you can explain why the workflow does not rely on a single "golden" engineer