Creating an SSH Secret
Before You Begin
Before you can create SSH secrets, you must have the following:
- A remote server with a user account, other than the Vault user, that is permitted to log on to that server with its private SSH key.
- The user name and the host name or IP address of the remote server.
- An SSH key pair (public and private key).
- The public key of the key pair copied both to the user's .ssh/authorized_keys file on the remote server and to the box where the SSH secret will be created. You can copy the public key with the ssh-copy-id command; once it is installed, the user can log on to the server with the key instead of a password.
- A copy of the private key, which you upload when you configure the SSH secret in the KeyControl Vault for Secrets. If the private key is encrypted, you also need its passphrase.
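The pre-flight check below is an added example written for this page; it is not part of this documentation or of KeyControl. Before you upload anything, it confirms that the public key's SHA256 fingerprint (the same value ssh-keygen -lf prints) is present in the server's authorized_keys file, even when the entry carries options such as from= or no-pty, that the key type is one you accept, and whether the private key file is encrypted, which tells you whether the wizard's Passphrase field must be filled in. The set of accepted key types and all function names are assumptions; the sample keys are constructed dummy byte strings with no real key material.

```python
import base64
import hashlib

# Key types accepted for a new SSH secret (an assumption for this example; adjust to policy).
ACCEPTABLE_KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                        "ecdsa-sha2-nistp521", "ssh-rsa"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def decode_key_blob(key_type: str, b64: str) -> bytes:
    """Base64-decode a public key blob and check that the type embedded in it matches."""
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside the blob does not match its label")
    return blob


def parse_public_key(line: str):
    """Parse an OpenSSH public-key line ('type base64 [comment]') into (type, blob)."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("not an OpenSSH public key line")
    return parts[0], decode_key_blob(parts[0], parts[1])


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf` (base64 without '=' padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (type, blob) per authorized_keys entry, tolerating option prefixes such as
    from="10.0.0.0/8" or no-pty; comments and unparsable lines are skipped as sshd does."""
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i in range(len(tokens) - 1):
            if tokens[i].startswith(KEY_TYPE_PREFIXES):
                try:
                    yield tokens[i], decode_key_blob(tokens[i], tokens[i + 1])
                    break
                except ValueError:            # binascii.Error is a ValueError subclass
                    continue


def private_key_is_encrypted(text: str) -> bool:
    """True if the private key needs a passphrase (openssh-key-v1 or legacy PEM format)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        n = int.from_bytes(body[len(magic):len(magic) + 4], "big")
        return body[len(magic) + 4:len(magic) + 4 + n] != b"none"   # first field: cipher name
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/EC/DSA) marks an encrypted key with a Proc-Type header.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    raise ValueError("unrecognised private key format")


def preflight(public_key_line: str, authorized_keys_text: str, private_key_text: str) -> dict:
    """Everything worth confirming before filling in the Create Secret: SSH Key wizard."""
    key_type, blob = parse_public_key(public_key_line)
    fp = fingerprint(blob)
    installed = any(fingerprint(b) == fp for _, b in parse_authorized_keys(authorized_keys_text))
    return {"key_type": key_type, "fingerprint": fp,
            "acceptable_type": key_type in ACCEPTABLE_KEY_TYPES,
            "installed_on_server": installed,
            "needs_passphrase": private_key_is_encrypted(private_key_text)}


# --- Constructed sample data: dummy bytes, not a real key pair ---
_PUB_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_PUBLIC_KEY = "ssh-ed25519 " + base64.b64encode(_PUB_BLOB).decode() + " svc-backup@admin-host"
SAMPLE_AUTHORIZED_KEYS = ("# svc-backup on 10.0.0.12 (constructed)\n"
                          'from="10.0.0.0/8",no-pty ' + SAMPLE_PUBLIC_KEY + "\n")


def fake_openssh_private_key(cipher: bytes, kdf: bytes) -> str:
    """Build a syntactically valid openssh-key-v1 container with an empty private section."""
    body = (b"openssh-key-v1\0" + ssh_string(cipher) + ssh_string(kdf) + ssh_string(b"")
            + (1).to_bytes(4, "big") + ssh_string(_PUB_BLOB) + ssh_string(b""))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_PRIVATE_KEY_PLAIN = fake_openssh_private_key(b"none", b"none")
SAMPLE_PRIVATE_KEY_ENCRYPTED = fake_openssh_private_key(b"aes256-ctr", b"bcrypt")

if __name__ == "__main__":
    print(preflight(SAMPLE_PUBLIC_KEY, SAMPLE_AUTHORIZED_KEYS, SAMPLE_PRIVATE_KEY_ENCRYPTED))
```

Run it with the real public key, a copy of the remote user's ~/.ssh/authorized_keys, and the private key you are about to upload. If installed_on_server is False, run ssh-copy-id again before creating the secret; if needs_passphrase is True, have the passphrase ready for the wizard. Because the fingerprint is computed from the decoded key blob, differing comments or option prefixes between the two files do not matter.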
Procedure
1. From the KeyControl Vault for Secrets webGUI, select Manage > Manage Boxes.
2. On the Manage Boxes page, select the box in which you want to create the SSH secret. If you do not have a box yet, create one first. See Creating a Box for more information.
3. On the Box page, in the Secrets section, click Create.
4. Choose SSH Key as the type of secret.
5. On the About page of the Create Secret: SSH Key wizard, complete the following, then click Continue:
   - Name: Enter the name to use for the SSH secret.
   - Description: Enter an optional description for the SSH secret.
   - Expires: Select whether to use the existing box setting, no expiration date, or a new expiration date.
6. On the Secret page of the Create Secret: SSH Key wizard, complete the following, then click Continue:
   - Host: Enter the host name or IP address of the remote server.
   - User Name: Enter the user name. It must match the user name used to log on to the remote server.
   - Port: Enter the SSH port of the remote server.
   - Upload Private Key: Click Browse and select the private key file to upload.
   - Passphrase: If the private key is encrypted, enter the passphrase that decrypts it.
7. On the Checkout Details page, complete the following, then click Continue:
   - Checkout Duration: How long the secret remains checked out. By default, Use Box Setting is selected.
     - Use Box Setting: Use the duration set when the box was created.
     - Duration: Enter a duration in days, hours, or minutes. This value overrides the box setting.
   - Exclusive Checkout: If enabled, only one user can have the secret checked out at a time; once that checkout's duration has expired, a new checkout is allowed. By default, Use Box Setting is selected.
     - Use Box Setting: Use the value set when the box was created.
     - Yes: Checkouts of this secret are exclusive.
     - No: Multiple users can check out the secret at the same time.
8. On the Rotation Details page, complete the following:
   - Rotation Duration: How often the secret is rotated. By default, Use Box Setting is selected.
     - Use Box Setting: Use the duration set when the box was created.
     - Duration: Enter a duration in days, hours, or minutes. This value overrides the box setting.
   - Rotate on Check In: If enabled, the secret is rotated automatically when it is checked in. This requires that a checkout duration is set. By default, Use Box Setting is selected.
     - Use Box Setting: Use the value set when the box was created.
     - Yes: The secret is rotated when it is checked in.
     - No: The secret is not rotated when it is checked in.
   - Force Rotation: If selected, rotation of the secret is forced (set on the box, this applies to all secrets in the box). By default, Use Box Setting is selected.
     - If Rotation Duration and Force Rotation are both set, the secret is rotated when the rotation duration elapses even if there are outstanding leases.
     - If Rotate on Check In and Force Rotation are both set, the secret is rotated when the checkout expires.
     - Use Box Setting: Use the value set when the box was created.
     - Yes: The secret is forced to rotate.
     - No: Rotation is not forced.
9. Click Create.
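To make the interplay of the checkout and rotation settings concrete, the model below is an added example written for this page; it is not KeyControl's implementation, and the class, method and constant names are assumptions. It resolves Use Box Setting by inheriting the box value, enforces the exclusive checkout rule (a second user is refused only while an unexpired lease exists), rotates on check in, and applies Force Rotation as the wizard describes it. One reading it makes explicit: because forced rotation is the case that proceeds "even if there are outstanding leases", the model defers an unforced scheduled rotation until those leases have ended.

```python
from dataclasses import dataclass, fields
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class Settings:
    """One field per wizard option. On a secret, None means 'Use Box Setting'."""
    checkout_duration: Optional[timedelta] = None
    exclusive_checkout: Optional[bool] = None
    rotation_duration: Optional[timedelta] = None
    rotate_on_check_in: Optional[bool] = None
    force_rotation: Optional[bool] = None


def effective_settings(box: Settings, secret: Settings) -> Settings:
    """Resolve a secret's settings: an explicit value overrides the box, None inherits it."""
    merged = {f.name: getattr(secret, f.name) if getattr(secret, f.name) is not None
              else getattr(box, f.name) for f in fields(Settings)}
    if any(value is None for value in merged.values()):
        raise ValueError("box settings must be fully specified")
    eff = Settings(**merged)
    if eff.rotate_on_check_in and not eff.checkout_duration:
        raise ValueError("Rotate on Check In requires a checkout duration")
    return eff


@dataclass
class Lease:
    user: str
    expires_at: datetime


class SshSecretModel:
    """Checkout, check-in and rotation behaviour of one secret under resolved settings."""

    def __init__(self, settings: Settings, created: datetime):
        self.s = settings
        self.version = 1                      # bumped on every rotation
        self.leases: List[Lease] = []
        self.next_rotation = created + settings.rotation_duration

    def _expire_leases(self, now: datetime) -> List[Lease]:
        expired = [lease for lease in self.leases if lease.expires_at <= now]
        self.leases = [lease for lease in self.leases if lease.expires_at > now]
        return expired

    def rotate(self, now: datetime) -> int:
        self.version += 1
        self.next_rotation = now + self.s.rotation_duration
        return self.version

    def can_checkout(self, now: datetime) -> bool:
        """Exclusive checkout refuses others only while an unexpired lease exists."""
        self._expire_leases(now)
        return not (self.s.exclusive_checkout and self.leases)

    def checkout(self, user: str, now: datetime) -> Lease:
        if not self.can_checkout(now):
            holder = self.leases[0]
            raise PermissionError(f"checked out by {holder.user} until {holder.expires_at:%H:%M}")
        lease = Lease(user, now + self.s.checkout_duration)
        self.leases.append(lease)
        return lease

    def check_in(self, user: str, now: datetime) -> int:
        self.leases = [lease for lease in self.leases if lease.user != user]
        if self.s.rotate_on_check_in:
            self.rotate(now)                  # Rotate on Check In
        return self.version

    def tick(self, now: datetime) -> int:
        """Periodic housekeeping: expire leases, then apply the rotation rules."""
        expired = self._expire_leases(now)
        if expired and self.s.rotate_on_check_in and self.s.force_rotation:
            self.rotate(now)                  # forced: rotate when the checkout expires
        elif now >= self.next_rotation and (not self.leases or self.s.force_rotation):
            self.rotate(now)                  # scheduled; only forced ignores outstanding leases
        return self.version


# Constructed reference time and box defaults used by the demo below (assumptions).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
BOX_DEFAULTS = Settings(checkout_duration=timedelta(hours=1), exclusive_checkout=True,
                        rotation_duration=timedelta(days=30), rotate_on_check_in=False,
                        force_rotation=False)

if __name__ == "__main__":
    eff = effective_settings(BOX_DEFAULTS, Settings(checkout_duration=timedelta(minutes=30)))
    secret = SshSecretModel(eff, T0)
    secret.checkout("alice", T0)
    print("bob at +10 min:", secret.can_checkout(T0 + timedelta(minutes=10)))
    print("bob at +31 min:", secret.can_checkout(T0 + timedelta(minutes=31)))
```

The validation in effective_settings mirrors the wizard's note that Rotate on Check In requires a checkout duration; the rest is a direct transcription of the option descriptions, so if your deployment behaves differently (for example, if an unforced scheduled rotation does not wait for leases), adjust tick accordingly.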
What to Do Next
- If you are using local authentication, add the user. See Creating KeyControl Vault for Secrets Local Users. The user name must match the name used to log on to the remote server.
- Ensure that the user is included in an access policy that grants access both to the KeyControl Vault for Secrets and to the box where the secret is stored. See KeyControl Vault for Secrets Access Policies.
