The following requirements apply to technical secrets (e.g. passwords of technical users, API keys, credentials or private keys) that are used in production or that otherwise protect access to sensitive systems or data:
Secrets MUST be stored separately from the source or program code and outside of the source code management system (e.g. Git).
Access to secrets MUST be restricted.
Secrets SHOULD be stored in a secure secret store (vault) or keystore implementation. For assurance class >= HIGH these systems MUST be used.
Secrets used for encrypting sensitive data SHOULD be rotated at least once per year.
Secrets of applications with assurance class >= HIGH MUST be stored encrypted.