Version: 1.0

Password Rotation

SyVault Secrets Manager can automatically rotate credentials for supported infrastructure targets. Rotation replaces a secret's current value with a newly generated one, updates the target system, and stores the new credential in your vault -- all without human intervention.

Architecture

Rotation uses a gateway model to reach targets that are not publicly accessible:

SyVault Cloud <──TLS──> Rotation Gateway <──private network──> Database

The Rotation Gateway is a lightweight agent you deploy inside your network (as a Docker container, systemd service, or Kubernetes pod). It maintains an outbound WebSocket connection to SyVault, receives rotation commands, executes them against the target, and reports the result. No inbound firewall rules are required.

Supported Targets

Target       Rotation Method
PostgreSQL   Creates a new role password via ALTER ROLE ... PASSWORD
MySQL        Changes the user password via ALTER USER ... IDENTIFIED BY

Additional targets (MongoDB, Redis, LDAP) are on the roadmap.

Gateway Setup

1. Install the Gateway

# Docker
docker run -d \
--name sy-gateway \
-e SY_GATEWAY_TOKEN=gw_abc123 \
-e SY_SERVER=https://vault.example.com \
syvault/rotation-gateway:latest

# Or install the binary directly
curl -fsSL https://get.syvault.com/gateway | sh
sy-gateway start --token gw_abc123 --server https://vault.example.com

2. Register the Gateway

  1. In the web vault, go to Secrets Manager > Gateways.
  2. Click Add Gateway and copy the one-time token.
  3. Provide this token to the gateway process (via environment variable or CLI flag as shown above).
  4. The gateway appears as Connected once it establishes the WebSocket connection.

3. Configure Network Access

The gateway needs network connectivity to your database targets. Ensure the gateway host can reach each database on its configured port (5432 for PostgreSQL, 3306 for MySQL).

Creating a Rotation Policy

  1. Navigate to Secrets Manager > Rotation.
  2. Click New Rotation Policy.
  3. Configure the following:
     Field          Description
     Secret         The SyVault secret containing the credential to rotate
     Target type    PostgreSQL or MySQL
     Gateway        The gateway to use for reaching the target
     Connection     Host, port, and admin credentials for the target database
     Schedule       How often to rotate (e.g., every 30 days, every 7 days)
     Notification   Optional email or webhook to notify on rotation success or failure
  4. Click Save. The first rotation runs immediately to validate connectivity.

Manual Rotation

You can trigger an immediate rotation outside the regular schedule:

# Via CLI
sy secret rotate "sy://Production/Database/field/password"

# Or in the web vault: open the secret > click "Rotate Now"

Monitoring Rotation Status

Each rotation policy shows its current status in the Secrets Manager dashboard:

  • Healthy: Last rotation succeeded and the next rotation is scheduled.
  • Pending: A rotation is currently in progress.
  • Failed: The last rotation attempt failed. Check the error details and retry.

Rotation History

Every rotation event is logged with:

  • Timestamp
  • Old credential fingerprint (SHA-256 of the first 8 characters, for verification without exposing the value)
  • New credential fingerprint
  • Duration
  • Success or failure with error message

View the history under Secrets Manager > Rotation > [Policy Name] > History.

How Rotation Maintains Zero-Knowledge

  1. The gateway decrypts the current credential using the client key established during bootstrap.
  2. The gateway generates a new random credential locally (32-character alphanumeric by default).
  3. The gateway connects to the target database and executes the password change.
  4. On success, the gateway encrypts the new credential with the vault key and pushes the ciphertext to SyVault.
  5. SyVault never sees the plaintext credential at any point.
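The following is an added illustration of the gateway-side steps above (credential generation, the ALTER ROLE / ALTER USER statements from the Supported Targets table, and the history fingerprint); it is not SyVault's own gateway code. The `execute` callback stands in for the database driver, and the quoting helpers are assumptions about how such a gateway would build the statement safely.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# 62 symbols, matching the page's "32-character alphanumeric" default
ALPHABET = string.ascii_letters + string.digits


def generate_credential(length: int = 32) -> str:
    """Generate the new credential locally with the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fingerprint(credential: str) -> str:
    """SHA-256 of the first 8 characters, as the Rotation History section describes."""
    # 8 alphanumeric characters give only 62**8 candidates, so use this to match
    # audit entries, not as something that hides the credential from guessing.
    return hashlib.sha256(credential[:8].encode("utf-8")).hexdigest()


def pg_ident(name: str) -> str:
    """Quote a PostgreSQL identifier (embedded double quotes are doubled)."""
    return '"' + name.replace('"', '""') + '"'


def sql_literal(value: str) -> str:
    """Quote a string literal; doubling single quotes works in PostgreSQL and MySQL."""
    return "'" + value.replace("'", "''") + "'"


def build_rotation_sql(target_type: str, username: str, new_credential: str, host: str = "%") -> str:
    """Build the password-change statement for a supported target type (hypothetical helper)."""
    if target_type == "postgresql":
        return f"ALTER ROLE {pg_ident(username)} PASSWORD {sql_literal(new_credential)}"
    if target_type == "mysql":
        return f"ALTER USER {sql_literal(username)}@{sql_literal(host)} IDENTIFIED BY {sql_literal(new_credential)}"
    raise ValueError(f"unsupported target type: {target_type}")


@dataclass
class RotationRecord:
    old_fingerprint: str
    new_fingerprint: str
    succeeded: bool
    error: Optional[str] = None


def rotate(target_type: str, username: str, current_credential: str,
           execute: Callable[[str], None], length: int = 32) -> Tuple[Optional[str], RotationRecord]:
    """Run one rotation: generate, apply via `execute`, and report fingerprints only (never plaintext)."""
    new_credential = generate_credential(length)
    old_fp, new_fp = fingerprint(current_credential), fingerprint(new_credential)
    try:
        execute(build_rotation_sql(target_type, username, new_credential))
    except Exception as exc:
        # The change was not applied, so the old credential remains valid and the new one is discarded.
        return None, RotationRecord(old_fp, new_fp, False, str(exc))
    return new_credential, RotationRecord(old_fp, new_fp, True)
```

Only the returned plaintext would then be encrypted with the vault key and pushed as ciphertext; the record is what the history view can show.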

Troubleshooting

Gateway shows "Disconnected": Verify the gateway process is running and can reach the SyVault server on port 443. Check firewall rules and proxy settings.

Rotation fails with "connection refused": The gateway cannot reach the database. Verify the host, port, and that the gateway's network allows outbound connections to the target.

Rotation fails with "authentication failed": The admin credentials configured in the rotation policy are incorrect or have been changed. Update the connection settings and retry.