📦 Key Rotation Planner
v1.0.0
Plan and track cryptographic key rotations for API keys, encryption keys, signing keys, and service credentials. Inventory all keys, assess rotation urgency,...
Key Rotation Planner
Manage cryptographic key rotations without breaking production. Inventory all keys and credentials, assess rotation urgency based on age, exposure risk, and compliance requirements, generate step-by-step rotation runbooks, and verify that nothing breaks after rotation.
Use when: "rotate keys", "key rotation plan", "API key rotation", "credential rotation", "how old are our keys", "key management audit", "secret hygiene", or before compliance audits requiring key rotation evidence.
Commands
- inventory — Catalog All Keys and Credentials

```bash
# Find environment variable references for secrets.
# (ripgrep skips binary files by default, so no extra type filter is needed.)
rg -i "(API_KEY|SECRET|TOKEN|PASSWORD|PRIVATE_KEY|ACCESS_KEY|CLIENT_SECRET)" \
  -g '!node_modules' -g '!vendor' 2>/dev/null | \
  grep -v "test\|example\|mock\|fake\|dummy" | head -30
```

```bash
# Check the secrets manager: print last-rotated / last-changed dates per secret
aws secretsmanager list-secrets 2>/dev/null | python3 -c "
import json, sys
secrets = json.load(sys.stdin)['SecretList']
for s in secrets:
    last_rotated = s.get('LastRotatedDate', 'NEVER')
    last_changed = s.get('LastChangedDate', 'Unknown')
    print(f'{s[\"Name\"]}: last_rotated={last_rotated}, last_changed={last_changed}')
"
```

```bash
# Vault secrets
vault secrets list 2>/dev/null
vault list secret/ 2>/dev/null   # KV v1 listing; for a KV v2 mount use: vault kv list secret/
```
Step 2: Assess Rotation Urgency
For each key/credential:

| Factor | Score | Criteria |
|---|---|---|
| Age | 🔴 5 | Never rotated or > 1 year |
| Age | 🟡 3 | 6-12 months |
| Age | 🟢 1 | < 6 months |
| Exposure | 🔴 5 | In code/git history |
| Exposure | 🟡 3 | In env file on server |
| Exposure | 🟢 1 | In secrets manager |
| Scope | 🔴 5 | Admin/root access |
| Scope | 🟡 3 | Write access |
| Scope | 🟢 1 | Read-only |
| Compliance | 🔴 5 | Required by PCI/SOC2 |
| Compliance | 🟢 1 | No compliance requirement |
Priority = sum of scores. Rotate highest priority first.
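The scoring table above, implemented as a small ranker. This is an added example, not part of the skill's own code; the `KeyRecord` fields, the exposure and scope labels, the fixed `TODAY` date and the sample inventory are all constructed for the example. Age bands are approximated in days (more than 365 days counts as "> 1 year", 182 to 365 days as "6-12 months").

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Fixed "today" so the example is deterministic (constructed for the example).
TODAY = date(2026, 4, 1)

@dataclass
class KeyRecord:
    name: str
    last_rotated: Optional[date]   # None means the key has never been rotated
    exposure: str                  # "git", "env_file" or "secrets_manager"
    scope: str                     # "admin", "write" or "read"
    compliance_required: bool      # e.g. in PCI / SOC2 scope

EXPOSURE_SCORE = {"git": 5, "env_file": 3, "secrets_manager": 1}
SCOPE_SCORE = {"admin": 5, "write": 3, "read": 1}

def age_score(rec: KeyRecord, today: date = TODAY) -> int:
    """Age factor: never rotated / > 1 year = 5, 6-12 months = 3, < 6 months = 1."""
    if rec.last_rotated is None:
        return 5
    days = (today - rec.last_rotated).days
    if days > 365:
        return 5
    if days >= 182:
        return 3
    return 1

def priority(rec: KeyRecord, today: date = TODAY) -> int:
    """Sum of the four factor scores; the maximum is 20."""
    return (
        age_score(rec, today)
        + EXPOSURE_SCORE[rec.exposure]
        + SCOPE_SCORE[rec.scope]
        + (5 if rec.compliance_required else 1)
    )

def rank(records: List[KeyRecord], today: date = TODAY) -> List[Tuple[str, int]]:
    """Highest priority first; ties broken by name so the order is stable."""
    scored = [(r.name, priority(r, today)) for r in records]
    return sorted(scored, key=lambda t: (-t[1], t[0]))

# Constructed sample inventory.
SAMPLE = [
    # never rotated (5) + .env on server (3) + admin (5) + PCI (5) = 18
    KeyRecord("STRIPE_SECRET_KEY", None, "env_file", "admin", True),
    # 212 days old (3) + committed to git (5) + write (3) + no compliance (1) = 12
    KeyRecord("CI_DEPLOY_TOKEN", date(2025, 9, 1), "git", "write", False),
    # 81 days old (1) + secrets manager (1) + read-only (1) + no compliance (1) = 4
    KeyRecord("METRICS_READ_TOKEN", date(2026, 1, 10), "secrets_manager", "read", False),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE):
        print(f"{name}: {score}/20")
```

Feed the real inventory (one `KeyRecord` per key from the discovery step) to `rank` and work the list from the top; anything scoring 15 or above has at least three red factors and belongs in the "rotate immediately" group.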
Step 3: Generate Inventory Report
# Key and Credential Inventory
Summary
- Total keys/credentials: 34
- Overdue for rotation: 12 (🔴)
- Due soon (30 days): 5 (🟡)
- Healthy: 17 (🟢)
Critical (rotate immediately)
| Key | Type | Age | Last Rotated | Location | Priority |
|---|---|---|---|---|---|
| STRIPE_SECRET_KEY | API key | 14 months | Never | .env (server) | 18/20 🔴 |
| DB_PASSWORD (prod) | Password | 11 months | 2025-05-15 | Vault | 15/20 🔴 |
| JWT_SIGNING_KEY | Signing key | 8 months | 2025-08-01 | env var | 14/20 🔴 |
Rotation Schedule
| Key | Next Rotation | Responsible | Runbook |
|---|---|---|---|
| STRIPE_SECRET_KEY | ASAP | @payments-team | See below |
| DB_PASSWORD | May 2026 | @infra | DB password rotation runbook |
- rotate — Generate Rotation Runbook
For each key type, generate a step-by-step rotation runbook:
API Key Rotation (zero-downtime):
1. Generate new key in provider dashboard
2. Add new key to secrets manager alongside old key
3. Deploy app update to use new key
4. Verify new key works (test API call)
5. Wait for old key to drain from all instances
6. Revoke old key in provider dashboard
7. Remove old key from secrets manager
8. Update inventory with rotation date
Database Password Rotation:
1. Generate new password
2. Create temp user with new password in database
3. Update secrets manager with new password
4. Rolling restart of app instances
5. Verify connections using new password
6. Drop old user / change password on existing user
7. Update inventory
JWT Signing Key Rotation (asymmetric):
1. Generate new key pair
2. Add new public key to JWKS endpoint (both keys listed)
3. Switch signing to new private key
4. Wait for all old tokens to expire (max TTL)
5. Remove old public key from JWKS endpoint
6. Archive old key pair
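The overlap window that makes the signing-key runbook zero-downtime, as an added example (not part of the skill's own code): a key set that publishes the new key alongside the old one, switches signing, keeps verifying tokens issued under the old `kid` until they expire, and only then retires the old key. To stay self-contained it uses HMAC-SHA256 keys from the standard library instead of an asymmetric JWKS; the key-set logic (lookup by `kid`, both keys listed during the window, old key removed last) is the same. `KeySet`, `sign`, `verify` and `rotation_demo` are names assumed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class KeySet:
    """Every key that may still verify a token; exactly one of them signs new tokens."""
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.active_kid: Optional[str] = None

    def add(self, kid: str, key: bytes, make_active: bool = False) -> None:
        self.keys[kid] = key
        if make_active or self.active_kid is None:
            self.active_kid = kid

    def retire(self, kid: str) -> None:
        # Runbook step 5: the old key leaves the set only after signing moved to its successor.
        if kid == self.active_kid:
            raise ValueError("retire the signing key only after switching to its successor")
        del self.keys[kid]

def sign(ks: KeySet, claims: dict) -> str:
    """Mint a compact token whose header carries the kid of the active key."""
    header = {"alg": "HS256", "kid": ks.active_kid}
    body = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    mac = hmac.new(ks.keys[ks.active_kid], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64url(mac)

def verify(ks: KeySet, token: str) -> Optional[dict]:
    """Return the claims if the token's kid is still published and the MAC matches, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        key = ks.keys.get(header.get("kid"))
        if key is None:
            return None            # kid no longer in the key set: token rejected
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None

def rotation_demo() -> dict:
    """Walk the runbook: old key only -> both keys -> old key retired."""
    ks = KeySet()
    ks.add("2025-08", secrets.token_bytes(32), make_active=True)
    old_token = sign(ks, {"sub": "alice"})          # issued before rotation
    # Steps 2-3: publish the new key alongside the old one, then switch signing to it.
    ks.add("2026-04", secrets.token_bytes(32), make_active=True)
    new_token = sign(ks, {"sub": "bob"})
    overlap = (verify(ks, old_token) is not None, verify(ks, new_token) is not None)
    # Step 4-5: once every old token has passed its max TTL, drop the old key.
    ks.retire("2025-08")
    after = (verify(ks, old_token) is not None, verify(ks, new_token) is not None)
    return {"overlap": overlap, "after_retire": after}

if __name__ == "__main__":
    print(rotation_demo())
```

During the overlap both results are `True`; after `retire` the old token is rejected while the new one still verifies. The point of waiting for the max TTL before step 5 is exactly that first value: remove the old key early and every still-valid old token fails at once.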
- verify — Post-Rotation Health Check
After rotation, verify:
- App starts without errors
- API calls succeed with new key
- No auth failures in logs
- Old key is actually revoked (test that it fails)
- Monitoring shows normal error rates
- No services still using old key (grep for old key hash)
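Two of the checks above, "grep for old key hash" and "no auth failures in logs", as an added example that is not part of the skill's own code. Residual references are found by hashing every secret-looking token in the scanned files and comparing against the retired key's SHA-256 fingerprint, so the check itself never needs the plaintext secret (the old value appears here only to build the fingerprint for the constructed sample). The log format, the `kid=` field, the key values and the sample lines are all constructed; `fingerprint`, `find_residual_references` and `rotation_health` are names assumed for this example.

```python
import hashlib
import re
from typing import Dict, List

def fingerprint(secret: str) -> str:
    """SHA-256 of the secret; store this, not the secret, for post-rotation checks."""
    return hashlib.sha256(secret.encode()).hexdigest()

# Anything that looks like a credential: 16+ chars of base64url-ish alphabet.
CANDIDATE = re.compile(r"[A-Za-z0-9_\-]{16,}")

def find_residual_references(lines: List[str], old_fingerprint: str) -> List[int]:
    """1-based line numbers whose tokens hash to the retired key's fingerprint."""
    hits = []
    for n, line in enumerate(lines, 1):
        if any(fingerprint(tok) == old_fingerprint for tok in CANDIDATE.findall(line)):
            hits.append(n)
    return hits

AUTH_FAIL = re.compile(r"\bstatus=401\b.*?\bkid=(\S+)")

def auth_failures_by_kid(log_lines: List[str]) -> Dict[str, int]:
    """Count 401 responses per key id so rejections of the old key and of the new key stay distinct."""
    counts: Dict[str, int] = {}
    for line in log_lines:
        m = AUTH_FAIL.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def rotation_health(log_lines: List[str], old_kid: str, new_kid: str) -> Dict[str, object]:
    """Old key rejected is expected after revocation; any failure on the new key is a regression."""
    failures = auth_failures_by_kid(log_lines)
    return {
        "old_key_rejected": failures.get(old_kid, 0) > 0,
        "new_key_failures": failures.get(new_kid, 0),
    }

# Constructed sample data (not real keys or logs).
OLD_KEY = "sk_live_OLDKEY00000000000000000"
OLD_FINGERPRINT = fingerprint(OLD_KEY)
SCANNED_LINES = [
    "STRIPE_SECRET_KEY=sk_live_NEWKEY11111111111111111",   # rotated value, fine
    "STRIPE_SECRET_KEY=sk_live_OLDKEY00000000000000000",   # stale copy on a legacy host
    "export DB_PASSWORD=correct-horse-battery",
]
LOG_LINES = [
    "2026-04-01T10:00:01Z status=200 kid=2026-04 path=/v1/charge",
    "2026-04-01T10:00:05Z status=401 kid=2025-08 path=/v1/charge",
    "2026-04-01T10:00:09Z status=401 kid=2025-08 path=/v1/refund",
    "2026-04-01T10:00:12Z status=200 kid=2026-04 path=/v1/charge",
]

if __name__ == "__main__":
    print("residual references on lines:", find_residual_references(SCANNED_LINES, OLD_FINGERPRINT))
    print(rotation_health(LOG_LINES, old_kid="2025-08", new_kid="2026-04"))
```

A non-empty residual list means some host or config still carries the retired value and must be cleaned before the inventory is marked rotated; `old_key_rejected` being `False` after revocation means the revoke step has not taken effect yet (or nothing is exercising the old key, which is worth confirming with a deliberate failing test call).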
- schedule — Set Up Rotation Reminders
Generate calendar events or ticketing system reminders:
- API keys: every 90 days
- Database passwords: every 180 days
- Signing keys: every 365 days
- SSL certificates: 30 days before expiry
- SSH keys: every 365 days
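The reminder schedule above turned into due dates, status buckets and a minimal iCalendar feed, as an added example that is not part of the skill's own code. The intervals are the ones listed above; the fixed `TODAY`, the 30-day "due soon" window, the key names and the last-rotated / expiry dates are constructed. `next_rotation`, `status`, `build_schedule`, `summary` and `to_ics` are names assumed for this example; SSH keys are scheduled on the same 365-day interval as signing keys.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

TODAY = date(2026, 4, 1)        # fixed so the example is deterministic (constructed)
DUE_SOON_DAYS = 30              # matches the "Due soon (30 days)" bucket in the report

# Rotation intervals from the schedule, in days.
INTERVAL_DAYS = {"api_key": 90, "db_password": 180, "signing_key": 365, "ssh_key": 365}
CERT_LEAD_DAYS = 30             # certificates are keyed off expiry, not last rotation

def next_rotation(kind: str, last_rotated: Optional[date] = None,
                  expires: Optional[date] = None, today: date = TODAY) -> date:
    if kind == "tls_certificate":
        if expires is None:
            raise ValueError("certificates are scheduled from their expiry date")
        return expires - timedelta(days=CERT_LEAD_DAYS)
    if last_rotated is None:
        return today            # never rotated: due right now
    return last_rotated + timedelta(days=INTERVAL_DAYS[kind])

def status(due: date, today: date = TODAY) -> str:
    """Due today or earlier is overdue; within the next 30 days is due soon."""
    if due <= today:
        return "overdue"
    if due <= today + timedelta(days=DUE_SOON_DAYS):
        return "due_soon"
    return "healthy"

Row = Tuple[str, date, str]

def build_schedule(items, today: date = TODAY) -> List[Row]:
    rows: List[Row] = []
    for name, kind, last_rotated, expires in items:
        due = next_rotation(kind, last_rotated, expires, today)
        rows.append((name, due, status(due, today)))
    return sorted(rows, key=lambda r: r[1])

def summary(rows: List[Row]) -> Dict[str, int]:
    counts = {"overdue": 0, "due_soon": 0, "healthy": 0}
    for _, _, st in rows:
        counts[st] += 1
    return counts

def to_ics(rows: List[Row]) -> str:
    """One all-day VEVENT per rotation, importable into most calendar tools."""
    out = ["BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//key-rotation-planner//example//EN"]
    for name, due, _ in rows:
        stamp = due.strftime("%Y%m%d")
        out += ["BEGIN:VEVENT", f"UID:rotate-{name}-{stamp}@example.invalid",
                f"DTSTAMP:{stamp}T000000Z", f"DTSTART;VALUE=DATE:{stamp}",
                f"SUMMARY:Rotate {name}", "END:VEVENT"]
    out.append("END:VCALENDAR")
    return "\r\n".join(out) + "\r\n"

# Constructed sample inventory: (name, kind, last_rotated, expires).
SAMPLE = [
    ("STRIPE_SECRET_KEY", "api_key", None, None),
    ("DB_PASSWORD", "db_password", date(2025, 5, 15), None),
    ("JWT_SIGNING_KEY", "signing_key", date(2025, 8, 1), None),
    ("api.example.com cert", "tls_certificate", None, date(2026, 4, 20)),
    ("deploy_ssh_key", "ssh_key", date(2025, 4, 15), None),
]

if __name__ == "__main__":
    rows = build_schedule(SAMPLE)
    for name, due, st in rows:
        print(f"{due}  {st:9}  {name}")
    print(summary(rows))
    print(to_ics(rows))
```

The status buckets line up with the Summary section of the inventory report, so the same rows can feed both the report and the reminders; write the `to_ics` output to a file and import it, or create one ticket per `overdue`/`due_soon` row.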