Creating an SSH Secret

Before You Begin

Before you can create SSH secrets, you must have the following:

A remote server with a user that is not the Vault user with permissions to log on to the remote server using their private SSH key.
The user name and IP address of the remote server.
An available public and private SSH key pair.
- The public key of the SSH key pair must be copied to both the server in the user's .ssh/authorized_keys file and the box where the SSH secret will be created.
  
  You can copy the public key using the command ssh-copy-id. This allows the user to log on to the server without a password.
- A copy of the private key is required to configure the SSH secret in the Cryptographic Security Platform Vault for Secrets.

Procedure

From the Cryptographic Security Platform Vault for Secrets webGUI, select Manage > Manage Boxes.
On the Manage Boxes page, select the box where you want to create a secret.
On the Box page, in the Secrets region, click Add.
In the Choose a type of secret to create dialog box, select SSH Key.

On the About page of the Create Secret: SSH Key wizard, complete the following:

Option	Description
Name	Enter the name to use for the SSH secret.
Description	Enter the optional description for the SSH secret.
Expires	Select one of the following: Use Box Setting—Accepts the global box value. This is the default. No Expiration—The secret does not expire. Specific Date and Time—Allows you to set the specific date and time for the secret to expire.

Click Continue.

On the Secret page of the Create Secret: SSH Key wizard, complete the following:

Option	Description
Host	Enter the host name or IP address for the remote server.
User Name	Enter a user name. This name must match the user name used to log on to the remote server.
Port	Enter the port for the remote server.
Upload Private Key	Click Browse to upload the private key.
Passphrase	If the private key is encrypted, enter the password to decrypt the private key.

Click Continue.

On the Checkout Details page of the Create Secret: SSH Key wizard, complete the following:

Option	Description
Checkout Duration	How long the secret is checked out. Use Box Setting—Use the duration set when creating the box. This is the default. Duration—Enter a duration in days, minutes, or hours. This value will overwrite the box settings.
Exclusive Checkout	If enabled, then the secret checkout will be exclusive and only one user can check out the secret at a time. Users must wait for the checkout duration to expire or must manually delete the lease to make the secret available for new checkouts. Use Box Setting—Use the value that was set when creating the box. This is the default. Yes—If set to Yes, the secrets checkout will be exclusive. No—If set to No, multiple users can checkout the secret at the same time.

Option

Description

Checkout Duration

How long the secret is checked out.

Use Box Setting—Use the duration set when creating the box. This is the default.

Duration—Enter a duration in days, minutes, or hours. This value will overwrite the box settings.

Exclusive Checkout

If enabled, then the secret checkout will be exclusive and only one user can check out the secret at a time. Users must wait for the checkout duration to expire or must manually delete the lease to make the secret available for new checkouts.

Use Box Setting—Use the value that was set when creating the box. This is the default.
Yes—If set to Yes, the secrets checkout will be exclusive.
No—If set to No, multiple users can checkout the secret at the same time.

Click Continue.

On the Rotation Details page of the Create Secret: SSH Key wizard, complete the following:

Option	Description
Rotation Duration	Sets the duration for this secret to be rotated. Use Box Setting—Use the duration set when creating the box. This is the default. Duration—Enter a duration in days, minutes, or hours. This value will overwrite the box settings.
Rotate on Check In	If enabled, the secret will automatically rotate when checked in. This requires that the checkout duration is set. Use Box Setting—Use the value that was set when creating the box. This is the default. Yes—If set to Yes, the secret will be rotated when it is checked in. No—If set to No, the secret will not be rotated when it is checked in.
Force Rotation	If selected, this forces the rotation of all secrets in the box. If Rotation Duration and Force Rotation are both checked, the secret will be rotated even if there are outstanding leases. If Rotate on Check In and Force Rotation are both checked, the secret will rotate when the checkout expires. Use Box Setting—Use the value that was set when creating the box. This is the default. Yes—If set to Yes, this forces the secret to rotate. No—If set to No, the secret will not rotate.

Click Create.

What to Do Next

If you are using local authentication, add the user. See Creating Cryptographic Security Platform Vault for Secrets Local Users. The user name must match the name used to log on to the remote server.
Ensure that the user is added to the access policy so that they can access both the Cryptographic Security Platform Vault for Secrets and the box where the secret is stored. See Cryptographic Security Platform Vault for Secrets Access Policies.