The following requirements are relevant for technical secrets (e.g. passwords of technical users, API keys, credentials or private keys) used either in production or that are generally used to protect access to sensitive systems or data:
Secrets MUST be encrypted when stored with the source or program code; otherwise they MUST be stored separated from it and outside of the source code management system (e.g. Git).
Access to secrets MUST be restricted.
For assurance class >= [HIGH]:
Secrets MUST be stored in a secure secret store (vault) or keystore.
Secrets MUST be stored encrypted.
Secrets SHOULD be rotated at least once per year.