Secrets Vault Overview
The Entrust secrets vault provides centralized, secure storage for managing and controlling access to the secrets that are required to reach systems and resources. Access to secrets is restricted to authorized applications and users. You can securely store, manage, and access-control secrets such as credentials, API keys, SSH keys, tokens, certificate private keys, and encryption keys. Secrets are managed, controlled, and accessed through REST API interfaces or a CLI.
The secrets vault is composed of vaults, boxes, secrets, policies, and its own administrators and users. Each vault can hold multiple boxes.
About Boxes
Each box contains information (metadata) required to manage the secrets within the box, and a collection of secrets. The metadata can include:
- Name—The name of the box.
- Description—The description of the box.
- Tags—A list of name and value pairs.
- Max Secret Version—The maximum number of secret versions to keep. Changing a secret value creates a new version, and the previous versions are kept according to the maximum number of versions that you configure.
- Checkout Duration—The default leasing period for secrets. Secrets are leased when a user or an application wants to use the secret to access the resource. The secret must be checked in before the lease expires.
- Secret Rotation Duration—How often the secrets must be rotated. Applies only to managed secrets.
- Secret Duration—The default expiration period for the secrets.
About Secrets
Secrets contain secret data or a secret value, and also metadata information that describes and manages the secret. The metadata can include:
- Name—The name of the secret. The name can include a virtual folder, for example QueryAccess/CustomDB.
- Description—The description of the secret.
- Type—The following types of secrets are supported:
  - Managed—Managed secrets are automatically rotated by the Secrets Vault. Only ESXi host accounts are supported.
  - Static—Static secrets do not have automatic secret rotation.
- Tags—A list of name and value pairs.
- Versioning
  - Multiple versions of a secret are kept to support secret rotation and prevent accidental data loss.
  - The maximum number of versions to keep is configured at the Box level. Changing a secret value creates a new version, and the previous versions are kept according to the maximum number of versions that you configure.
  - The version number is automatically incremented whenever a secret value is changed.
  - The current version points to the most recently created version of the secret value. Authorized users can change the current version to any of the previous versions that are still available.
- Checkout Duration—The leasing period for secrets. Secrets are leased when a user or an application wants to use the secret to access the resource. The secret must be checked in before the lease expires.
- Rotation Duration—How often the secrets must be rotated or changed. Applies only to managed secrets.
- Expiration—The date and time that the secret expires. Secrets cannot be checked out after the expiration.
- Secret Data—The contents of the secret. This can be a text string, key-value pairs (JSON object), or base64-encoded binary data.
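The versioning, checkout and expiration rules described above, modelled as an added Python example. This is not Entrust's code or API; the pruning of the oldest versions once the Box maximum is exceeded, the lease identifiers, and the check-in return value are assumptions of the model.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

@dataclass
class Box:
    name: str
    max_secret_version: int = 3                        # Box-level cap on versions kept
    checkout_duration: timedelta = timedelta(hours=1)  # default lease period

@dataclass
class Secret:
    box: Box
    name: str
    expiration: Optional[datetime] = None              # no checkout after this time
    versions: Dict[int, str] = field(default_factory=dict)   # version number -> value
    current: Optional[int] = None                      # pointer to the active version
    leases: Dict[str, datetime] = field(default_factory=dict)  # lease id -> lease end
    _next: int = 1

    def set_value(self, value: str) -> int:
        """Store a new value: the version number increments, current moves to it,
        and (assumed policy) the oldest versions beyond the Box maximum are dropped."""
        v, self._next = self._next, self._next + 1
        self.versions[v] = value
        self.current = v
        while len(self.versions) > self.box.max_secret_version:
            del self.versions[min(self.versions)]
        return v

    def set_current(self, version: int) -> None:
        """Roll the current pointer back to any version that is still retained."""
        if version not in self.versions:
            raise KeyError(f"version {version} is no longer retained")
        self.current = version

    def checkout(self, lease_id: str, now: datetime) -> Tuple[str, datetime]:
        """Lease the current value for the Box checkout duration; refused once expired."""
        if self.expiration is not None and now >= self.expiration:
            raise PermissionError(f"{self.name} expired at {self.expiration.isoformat()}")
        lease_until = now + self.box.checkout_duration
        self.leases[lease_id] = lease_until
        return self.versions[self.current], lease_until

    def checkin(self, lease_id: str, now: datetime) -> bool:
        """Release the lease; True if it was returned before the lease expired."""
        lease_until = self.leases.pop(lease_id)
        return now < lease_until
```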