"Not a Pentest" Trust-Anker: Secrets management protects critical access credentials. No attack tools.
Moltbot AI Security · Secrets Vault
Moltbot Secrets & Vault Management
No more hardcoded secrets — centralized, rotating secrets management for Moltbot with HashiCorp Vault and dynamic credentials.
What is Secrets Management? Simply Explained
Secrets management is like a digital vault for your passwords and API keys. Instead of writing passwords in code (like on a sticky note on your monitor), you store them in a secure vault. When a program needs a password, it asks the vault — the vault gives a short-lived password that automatically expires after a time. If someone steals a password, it will soon be worthless.
↓ Jump to anti-patterns, vault integration, and rotation policy
🔐 Secrets Anti-Patterns (avoid!)
❌ NEVER LIKE THIS!
// ❌ Hardcoded secrets
const db = new Pool({
password: 'sup3r_s3cr3t_pw!'
});
// ❌ In Code committed
const API_KEY = 'sk_live_abc123';
// ❌ In .env committed
DATABASE_PASSWORD=mypassword123✅ CORRECT LIKE THIS!
// ✅ Aus Environment Variable
const db = new Pool({
password: process.env.DB_PASSWORD
});
// ✅ Vault-injected zur Runtime
// process.env.API_KEY = vault.read()
// ✅ .env.local (gitignored!)
# .gitignore: .env*.local🏛️ HashiCorp Vault Integration
// moltbot/lib/vault-client.ts
import vault from 'node-vault';
const vaultClient = vault({
apiVersion: 'v1',
endpoint: process.env.VAULT_ADDR,
token: process.env.VAULT_TOKEN,
});
// Dynamic Database Credentials (rotieren automatisch!)
export async function getDatabaseCredentials() {
const { data } = await vaultClient.read('database/creds/moltbot-role');
return {
username: data.username, // Temporärer User (TTL: 1h)
password: data.password, // Auto-rotiert
host: process.env.DB_HOST,
database: 'moltbot_prod',
};
}
// Application Secrets mit Lease
export async function getAppSecret(secretPath: string) {
const { data } = await vaultClient.read('secret/data/' + secretPath);
return data.data;
}
// Secret Rotation (täglich via Cron)
export async function rotateAppSecrets() {
await vaultClient.write('sys/rotate');
console.log('[Vault] Secrets rotiert:', new Date().toISOString());
}🔄 Secrets Rotation Policy
| Secret Type | Rotation Interval | Methode | Automation |
|---|---|---|---|
| DB Passwords | 24 Stunden | Vault Dynamic Creds | ✅ Vollautomatisch |
| API Keys | 90 Tage | Key Rotation API | ⚠️ Halb-automatisch |
| JWT Secret | 30 Tage | Vault KV Secret | ✅ Vollautomatisch |
| SSL Zertifikate | Jährlich | Let's Encrypt | ✅ Vollautomatisch |
| OAuth Client Secret | 180 Tage | Provider API | ⚠️ Manuell |
| Admin Tokens | 7 Tage | Vault TTL | ✅ Vollautomatisch |
🔗 Further Resources
CG
ClawGuru Security Team
✓ VerifiedSecurity Research & Engineering · Secrets Management Specialists
📅 Published: 28.04.2026🔄 Last reviewed: 28.04.2026
This guide is based on practical experience with secrets management in production environments. The described best practices have been proven in real deployments and continuously improved.
🔒 Verified by ClawGuru Security Team·All information fact-checked and peer-reviewed