Advanced secrets management
01The secrets threat model & secret-zeroSprawl, standing privilege, blast radius, and the bootstrap-trust problem.35 min02Vault internals: storage, seal, and replicationRaft, the seal/unseal barrier, auto-unseal, and HA/DR/performance replication.40 min03Secure introduction: solving secret-zeroAppRole, response wrapping, and platform-native workload identity.35 min
01Dynamic secrets at scaleDatabase and cloud engines, leases, max_ttl, and revocation trees.35 min02Transit: encryption & tokenization as a serviceData keys, convergent encryption, key rotation, and rewrap.35 min03Private PKI & short-lived certificatesRoot/intermediate CAs, 24-hour leaf certs, cert-manager, CRL/OCSP.40 min
01Identities, entities & templated policiesThe entity/alias model, groups, and ACL templating that scales.35 min02Governance: Sentinel, control groups & namespacesPolicy-as-code guardrails, four-eyes approval, and hard multi-tenancy.35 min03Workload identity & SPIFFE/SPIREKill static tokens — attest workloads and federate cloud IAM.35 min
01Vault on Kubernetes, deeplyThe agent injector, the Secrets Store CSI driver, and External Secrets.40 min02Cloud secret managers & envelope encryptionAWS/GCP/Azure managers, rotation lambdas, and CMK/BYOK.35 min03KMS, HSM & key hierarchiesEnvelope encryption, seal-wrap, PKCS#11, FIPS, and key ceremonies.35 min
01Zero-downtime rotation & the dual-secret patternRotate roots, leases, and app credentials without an outage.35 min02Detecting & responding to leaked secretsOrg-wide scanning, honeytokens, and a revoke-first runbook.35 min03Audit, tamper-evidence, break-glass & DRAudit devices, HMAC log integrity, recovery keys, and the DR drill.35 min
Final exam
Test yourself on everything
60 questions drawn from all 5 sections — every answer explained as you pick.