Secret rotation
Last updated: Apr 1, 2026
Key rotation is essential when handling sensitive data: changing keys regularly limits how long a leaked key remains useful to an attacker. Our rotation cycles are as follows:
- KMS keys: every year or earlier if necessary
- JWT tokens: daily
- Digital certificates: every 30 days
- IAM passphrases: every three months
We perform rotations in the following two ways:
- Automatic rotation: Some secrets are stored in secret vaults that are accessible only to administrators, and they are rotated daily. These secrets include JWT tokens, IAM passphrases and digital certificates.
- Manual rotation: Some secrets are stored, versioned and encrypted with AES-256 symmetric keys, in Git repositories. They are treated as code, so rotating them requires manual approval. These secrets include KMS keys and other application credentials.
Requirements
- 089. Limit validity of certificates
- 130. Limit password lifespan
- 145. Protect system cryptographic keys
Other secure authorization measures
Endpoints
Fluid Attacks secures laptops and mobile phones with MDM, including hardening profiles, removable media restrictions, auditing, and inventory controls.
Sessions
Fluid Attacks manages user sessions with JWT, including token generation, encryption, expiration, revocation, and concurrent session handling.