# secret rotation runbook (nself-org/cli GitHub Wiki)

Extends the S64 secrets-rotation baseline with automated schedule management and event logging.
```bash
# Rotate a single secret immediately
nself secrets rotate HASURA_ADMIN_SECRET
# Rotate with dual-key overlap window (keep old key as _PREVIOUS)
nself secrets rotate JWT_SIGNING_KEY --dual-window
# Retire the old key after the overlap window (e.g. after 7 days)
nself secrets retire JWT_SIGNING_KEY
```

```bash
# Set a 90-day rotation schedule for the JWT signing key
nself secrets schedule --secret JWT_SIGNING_KEY --every 90d
# Set a 180-day schedule for the Hasura admin secret
nself secrets schedule --secret HASURA_ADMIN_SECRET --every 180d
# View all schedules and their status
nself secrets list-schedules
```

Automated rotation fires when the rotation plugin is installed and `NSELF_SECRET_ROTATION=true` is set. The plugin registers a cron job (via the cron plugin) that calls its `/rotate/tick` endpoint every minute.
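The reason for the `--dual-window` / `retire` pair above is that tokens signed under the old `JWT_SIGNING_KEY` are still in circulation when the key changes; a verifier that also accepts the retained `JWT_SIGNING_KEY_PREVIOUS` value lets them expire naturally instead of failing at the instant of rotation. The following is an added illustration, not code from nself or its rotation plugin: a minimal HS256 JWT signer and a dual-key verifier, with a walkthrough that mirrors the rotate-then-retire sequence. The keys, the claims and the `rotation_walkthrough` helper are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT under `key` (the JWT_SIGNING_KEY value at issue time)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_hs256(token: str, current_key: bytes,
                 previous_key: Optional[bytes] = None) -> Optional[dict]:
    """Return the claims if `token` verifies under the current key or, during the
    overlap window, under the retained JWT_SIGNING_KEY_PREVIOUS value; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        presented = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None
    # Pin the algorithm: never let the token pick "none" or another scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    for key in (current_key, previous_key):  # previous_key is None once retired
        if key is None:
            continue
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, presented):  # constant-time comparison
            exp = claims.get("exp") if isinstance(claims, dict) else None
            if exp is not None and exp < time.time():
                return None
            return claims
    return None


def rotation_walkthrough() -> dict:
    """Mirror the runbook: rotate with --dual-window, then retire the old key."""
    old_key = secrets.token_bytes(32)  # JWT_SIGNING_KEY before rotation (constructed)
    new_key = secrets.token_bytes(32)  # value written by `nself secrets rotate --dual-window`
    claims = {"sub": "svc-worker", "exp": int(time.time()) + 300}
    token_old = sign_hs256(claims, old_key)  # issued before rotation
    token_new = sign_hs256(claims, new_key)  # issued after rotation
    return {
        # overlap window: current = new_key, JWT_SIGNING_KEY_PREVIOUS = old_key
        "overlap_old_token": verify_hs256(token_old, new_key, old_key) is not None,
        "overlap_new_token": verify_hs256(token_new, new_key, old_key) is not None,
        # after `nself secrets retire JWT_SIGNING_KEY`: no previous key is offered
        "retired_old_token": verify_hs256(token_old, new_key) is not None,
        "retired_new_token": verify_hs256(token_new, new_key) is not None,
    }


if __name__ == "__main__":
    print(rotation_walkthrough())
```

Size the overlap window to the longest token lifetime you issue: once `retire` removes `_PREVIOUS`, any token still signed under the old key is rejected, which is the intended behaviour if a leaked old key is the reason for rotating.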
```bash
nself secrets verify JWT_SIGNING_KEY
# Secret JWT_SIGNING_KEY: PRESENT in dev environment.
```

```bash
# All events
nself secrets rotation-log
# Filter to one secret
nself secrets rotation-log --secret JWT_SIGNING_KEY
```

| Status | Meaning |
|---|---|
| ok | Rotation is not due yet (>7 days away) |
| warning | Rotation due within 7 days |
| overdue | Rotation is past due |
| missing | No NextDue timestamp set; run `nself secrets schedule` |
If the rotation plugin cannot verify service health after rotation, it:

- Rolls back the secret to its previous value.
- Writes a `rolled_back` event to the log.
- Sends an alert to `NSELF_SECRET_ROTATION_NOTIFY_EMAIL`.
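To make the status table and the rollback rule above concrete, here is an added in-memory simulation of one `/rotate/tick` pass; it is not the rotation plugin's code. It classifies each schedule with the table's thresholds, rotates every secret whose `NextDue` has passed (when the plugin actually fires is an assumption here), keeps the old value under `<NAME>_PREVIOUS`, runs a health check, and on failure rolls back, logs `rolled_back` and notifies. The `rotated` event name, the `SecretStore` class, the `DB_PASSWORD` and `S3_SECRET_KEY` names, and the clock value are all constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

WARNING_WINDOW = timedelta(days=7)  # threshold from the status table


def schedule_status(next_due: Optional[datetime], now: datetime) -> str:
    """Map a schedule's NextDue timestamp to ok / warning / overdue / missing."""
    if next_due is None:
        return "missing"            # no NextDue set: run `nself secrets schedule`
    if next_due < now:
        return "overdue"            # past due
    if next_due - now <= WARNING_WINDOW:
        return "warning"            # due within 7 days
    return "ok"                     # more than 7 days away


class SecretStore:
    """Constructed stand-in for the environment/secret backend."""

    def __init__(self, values: Dict[str, str]):
        self.values = dict(values)

    def rotate(self, name: str, new_value: str) -> None:
        # Dual-key overlap: retain the old value as <NAME>_PREVIOUS.
        self.values[f"{name}_PREVIOUS"] = self.values[name]
        self.values[name] = new_value

    def rollback(self, name: str) -> None:
        # Restore the previous value and drop the retained copy.
        self.values[name] = self.values.pop(f"{name}_PREVIOUS")


def rotation_tick(store: SecretStore, schedules: Dict[str, dict], now: datetime,
                  health_check: Callable[[str], bool],
                  new_value: Callable[[str], str],
                  notify: Callable[[str], None],
                  log: List[dict]) -> List[dict]:
    """One tick: rotate every secret that is past due, verify, roll back on failure."""
    for name, sched in schedules.items():
        if schedule_status(sched.get("next_due"), now) != "overdue":
            continue
        store.rotate(name, new_value(name))
        if health_check(name):
            log.append({"at": now, "secret": name, "event": "rotated"})  # assumed event name
            sched["next_due"] = now + sched["every"]
        else:
            store.rollback(name)
            log.append({"at": now, "secret": name, "event": "rolled_back"})
            notify(name)  # stands in for the NSELF_SECRET_ROTATION_NOTIFY_EMAIL alert
    return log


def demo() -> dict:
    """Constructed schedules: two past due (one with a failing health check),
    one within the warning window, one with no NextDue at all."""
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)  # constructed clock
    store = SecretStore({"JWT_SIGNING_KEY": "jwt-old", "HASURA_ADMIN_SECRET": "hasura-old",
                         "DB_PASSWORD": "db-old", "S3_SECRET_KEY": "s3-old"})
    schedules = {
        "JWT_SIGNING_KEY":     {"every": timedelta(days=90),  "next_due": now - timedelta(days=2)},
        "HASURA_ADMIN_SECRET": {"every": timedelta(days=180), "next_due": now - timedelta(hours=1)},
        "DB_PASSWORD":         {"every": timedelta(days=90),  "next_due": now + timedelta(days=3)},
        "S3_SECRET_KEY":       {"every": timedelta(days=90),  "next_due": None},
    }
    statuses = {n: schedule_status(s["next_due"], now) for n, s in schedules.items()}
    notified: List[str] = []
    log = rotation_tick(
        store, schedules, now,
        health_check=lambda name: name != "HASURA_ADMIN_SECRET",  # Hasura fails its check
        new_value=lambda name: f"{name.lower()}-new",
        notify=notified.append,
        log=[],
    )
    return {"statuses_before": statuses, "log": log, "notified": notified,
            "store": store.values, "jwt_next_due": schedules["JWT_SIGNING_KEY"]["next_due"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two things worth checking in the result are that the failed rotation leaves `HASURA_ADMIN_SECRET` at its old value with no `_PREVIOUS` entry left behind, and that the successful one advances `NextDue` by the schedule's interval, which is what moves it from `overdue` back to `ok` on the next `list-schedules`.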
- SOC 2 CC6.1, Logical access controls
- PCI-DSS 8.3.9, 90-day rotation for service accounts
- NIST SP 800-63B, Authentication credential management
- cmd-secrets, full secrets command reference
- security/Supply-Chain, supply-chain security baseline