Creating a Box
Create a box in your KeyControl Vault for Secrets to store all of your secrets. Many of the options can be set in both the box and the secret, and the secret always takes precedence. We recommend that you set these options in the box so they will automatically apply to all of the secrets that you add.
Beginning with version 10.4.1, you can now enable Secondary Approval when you create a box. All secrets in that box will automatically require Secondary Approval before they can be checked out.
- From the KeyControl Vault for Secrets webGUI, select Manage > Manage Boxes.
- On the Manage Boxes page, click the Create button.
  Note: If there are no existing boxes, you can also click the Add a Box Now link on the Manage Boxes page.
- In the About tab of the Create a Box window, complete the following:
  Name: The name of the box.
  Description: The optional description of the box.
  Secret Versions: The maximum number of versions of a secret to keep before they are deleted. The default is 10, and the maximum is 100.
  Secret Expiration: If checked, you can set the number of days, hours, or minutes before the secret expires. Otherwise, there is no expiration date for the secrets.
- Click Continue.
- In the Checkout Details tab of the Create a Box window, complete the following:
  Secret Checkout Duration: If checked, you can set a default duration for a secret lease. When set at the box level, it applies to all secrets that are checked out from the box. Otherwise, there is no expiration for checked-out secrets and no lease is created.
    Important: If this option is set in a secret, it overrides the setting in the box.
  Exclusive Checkout: If checked, all secret checkouts are exclusive and only one user can check out the secret at a time. However, if the checkout lease has expired, a new checkout is allowed.
    Important: If this option is set in a secret, it overrides the setting in the box.
- Click Continue.
- In the Rotation Details tab of the Create a Box window, complete the following:
  Secret Rotation Duration: If checked, you can set the default duration after which the secrets in the box are rotated.
    Important: If this option is set in a secret, it overrides the setting in the box.
  Rotate Secret on Check In: If checked, the secret is automatically rotated when it is checked in. This option requires that Secret Checkout Duration is configured.
  Force Secret Rotation: If checked, this option forces the rotation of all secrets in the box.
    - If Secret Rotation Duration and Force Secret Rotation are both checked, the secret is rotated even if there are outstanding leases.
    - If Rotate Secret on Check In and Force Secret Rotation are both checked, the secret is rotated when the checkout expires.
    Important: If this option is set in a secret, it overrides the setting in the box.
- Click Continue.
- In the Secondary Approval tab of the Create a Box window, complete the following:
  Enable Secondary Approval: If checked, all secrets in the box require Secondary Approval before they can be checked out.
    Important: You must have at least one user with the Vault Checkout Secondary Approver Policy access policy before you can enable Secondary Approval.
  Approvers: Enter the email addresses of one or more people who will act as secondary approvers. These users must have the Vault Checkout Secondary Approver Policy access policy.
  Minimum Approvals: The minimum number of approvals needed before the checkout can be performed. This value must be equal to or greater than the number of approvers that you entered.
  Approval Expiration: The amount of time after a checkout is requested within which the approvers must approve the request. For example, if the request is made at 12:00 PM and this value is set to 20 minutes, then at 12:21 PM the request is no longer valid.
  Time to Use: The amount of time a requester has to check out the secret once the minimum number of approvals has been met. For example, if this is set to 20 minutes and the minimum approvals are met at 12:20 PM, then the requester has until 12:40 PM to check out the secret.
  Whitelist Users: Whitelisted users do not require secondary approval and can check out secrets without raising secondary approval requests.
- Click Create.
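The checkout rules in the steps above (a setting on the secret overrides the same setting on the box; Secondary Approval with Approval Expiration, Time to Use and whitelisted users) can be read as a small policy model, which is useful when reviewing a box configuration or writing a detection for out-of-window checkouts. The Python below is an added example written for this page, not KeyControl code or its API: the class and function names (Options, ApprovalPolicy, CheckoutRequest, can_checkout) are assumptions, and the addresses and timestamps are constructed to match the worked times given for Approval Expiration and Time to Use.

```python
"""Model of box/secret option precedence and Secondary Approval timing.
Added illustration for this page; not KeyControl's implementation or API.
All class and function names here are assumptions."""
from dataclasses import dataclass, field, fields
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Options:
    """Settings that can be set on a box and overridden per secret."""
    checkout_duration: Optional[timedelta] = None   # Secret Checkout Duration
    exclusive_checkout: Optional[bool] = None       # Exclusive Checkout
    rotation_duration: Optional[timedelta] = None   # Secret Rotation Duration


def effective_options(box: Options, secret: Options) -> Options:
    """A value set on the secret always wins; unset values fall back to the box."""
    merged = {}
    for f in fields(Options):
        on_secret = getattr(secret, f.name)
        merged[f.name] = on_secret if on_secret is not None else getattr(box, f.name)
    return Options(**merged)


@dataclass
class ApprovalPolicy:
    """The Secondary Approval tab of a box."""
    enabled: bool
    approvers: frozenset            # e-mail addresses of the approvers
    min_approvals: int
    approval_expiration: timedelta  # approvals must arrive within this window
    time_to_use: timedelta          # checkout must happen within this window
    whitelist: frozenset = frozenset()


@dataclass
class CheckoutRequest:
    requester: str
    requested_at: datetime
    approvals: dict = field(default_factory=dict)  # approver -> time of approval


def approve(policy: ApprovalPolicy, req: CheckoutRequest, approver: str, at: datetime) -> bool:
    """Record an approval. Rejects non-approvers and approvals after the request
    expired; a repeat approval by the same person is ignored, so one approver
    cannot satisfy Minimum Approvals alone."""
    if approver not in policy.approvers:
        return False
    if at - req.requested_at > policy.approval_expiration:
        return False
    req.approvals.setdefault(approver, at)
    return True


def approved_at(policy: ApprovalPolicy, req: CheckoutRequest) -> Optional[datetime]:
    """Time at which the Minimum Approvals threshold was met, or None."""
    if len(req.approvals) < policy.min_approvals:
        return None
    return sorted(req.approvals.values())[policy.min_approvals - 1]


def can_checkout(policy: ApprovalPolicy, req: CheckoutRequest, at: datetime) -> bool:
    """Whitelisted users bypass approval; everyone else needs the threshold met
    and must check out within Time to Use of that moment."""
    if not policy.enabled or req.requester in policy.whitelist:
        return True
    met = approved_at(policy, req)
    if met is None:
        return False
    return met <= at <= met + policy.time_to_use


def demo() -> dict:
    """Walk through the worked times from the table (constructed sample data)."""
    day = datetime(2024, 1, 1)
    policy = ApprovalPolicy(
        enabled=True,
        approvers=frozenset({"alice@example.com", "bob@example.com"}),
        min_approvals=2,
        approval_expiration=timedelta(minutes=20),
        time_to_use=timedelta(minutes=20),
        whitelist=frozenset({"ops-bot@example.com"}),
    )
    req = CheckoutRequest("carol@example.com", day.replace(hour=12, minute=0))
    approve(policy, req, "alice@example.com", day.replace(hour=12, minute=5))
    late = approve(policy, req, "bob@example.com", day.replace(hour=12, minute=21))
    approve(policy, req, "bob@example.com", day.replace(hour=12, minute=20))
    return {
        "late_approval_accepted": late,
        "threshold_met_at": approved_at(policy, req),
        "checkout_at_12_40": can_checkout(policy, req, day.replace(hour=12, minute=40)),
        "checkout_at_12_41": can_checkout(policy, req, day.replace(hour=12, minute=41)),
        "whitelisted_immediate": can_checkout(
            policy, CheckoutRequest("ops-bot@example.com", day), day),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model keeps approvals keyed by approver so that distinct people, not repeated clicks, count toward Minimum Approvals, and it treats the two windows as the page describes them: an approval at 12:21 for a 12:00 request with a 20-minute Approval Expiration is rejected, while a checkout at 12:40 after approvals met at 12:20 with a 20-minute Time to Use is still allowed.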