Creating a Secret
We recommend that you set secret parameters at the box level to ensure that they automatically apply to all of the secrets that you add to that box.
1. From the KeyControl PASM Vault webGUI, select Manage > Manage Boxes.
2. On the Manage Boxes page, select the box where you want to create a secret.
3. On the Box page, in the Secrets region, click Add.
4. On the Choose a type of secret to create dialog, select the secret type:
   ESXi Host: Specify the secret for an ESXi host. This is a managed secret: you set a rotation policy instructing the KeyControl PASM Vault to rotate the secret periodically, based on duration or on check-in.
   File: Upload a file containing a secret such as a key or certificate. This is a static secret and is not rotated by the KeyControl PASM Vault.
   Key-Value Pair: Create a secret containing one or more key-value pairs. This is a static secret and is not rotated by the KeyControl PASM Vault.
   Password: Generate and store a password. You can specify your own password or use the provided password generator. This is a static secret and is not rotated by the KeyControl PASM Vault.
   Note: You can use the KeyControl PASM Vault password generator to generate a random password. The minimum length is 9 characters and the maximum length is 64. Each generated password contains at least 2 lowercase letters, 2 uppercase letters, 2 numbers, and 2 special characters.
   Text: Plain-text secret. This is a static secret and is not rotated by the KeyControl PASM Vault.
   SSH Key: Upload and manage an SSH key. For more information, see SSH Secrets. This is a managed secret: you set a rotation policy instructing the KeyControl PASM Vault to rotate the secret periodically, based on duration or on check-in.
   The Create secret dialog appears.
The next steps depend on the secret type.
ESXi Host
1. On the Create secret dialog About page, complete the following:
   Name: Enter the name of the secret.
   Description: Enter a description for the secret.
   Expires: Optional; defaults to No Expiration. Choose one of:
   - Use Box Setting—Accepts the global box value.
   - No Expiration—The secret does not expire.
   - Specific Date and Time—Allows you to set the specific date and time for the secret to expire.
2. Click Continue.
3. On the Secret page, complete the following:
   Host: Enter the ESXi host address.
   User Name: Enter the ESXi host user name.
   Password: Enter the password for the ESXi host.
   TLS Version: Select the TLS version used by the ESXi host. This can be one of the following:
   - TLS 1.2 (default)
   - TLS 1.1
   - TLS 1.0
   CA Certificate: Click Add Certificate to specify the CA certificate to use when connecting to the ESXi host. After you add the CA certificate, a link to modify it appears.
4. Click Continue.
5. On the Checkout Details page, complete the following:
   Checkout Duration: How long the secret is checked out. By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the duration set when creating the box.
   - Duration—Enter a duration in days, minutes, or hours. This value overrides the box setting.
   Exclusive Checkout: If enabled, the secret checkout is exclusive and only one user can check out the secret at a time. However, if the checkout duration has expired, a new checkout is allowed. By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the value that was set when creating the box.
   - Yes—The secret checkout is exclusive.
   - No—Multiple users can check out the secret at the same time.
6. Click Continue.
7. On the Rotation Details page, complete the following:
   Rotation Duration: Sets the interval at which this secret is rotated. By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the duration set when creating the box.
   - Duration—Enter a duration in days, minutes, or hours. This value overrides the box setting.
   Rotate on Check In: If enabled, the secret is automatically rotated when it is checked in. This requires that the checkout duration is set. By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the value that was set when creating the box.
   - Yes—The secret is rotated when it is checked in.
   - No—The secret is not rotated when it is checked in.
   Force Rotation: If selected, this forces the rotation of all secrets in the box.
   - If Rotation Duration and Force Rotation are both set, the secret is rotated even if there are outstanding leases.
   - If Rotate on Check In and Force Rotation are both set, the secret is rotated when the checkout expires.
   By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the value that was set when creating the box.
   - Yes—Forces the secret to rotate.
   - No—The secret does not rotate.
8. Click Create.
SSH Key
1. On the Create secret dialog About page, complete the following:
   Host: Enter the FQDN or IP address of the endpoint to be accessed using the SSH key.
   User Name: Enter the user name associated with the SSH key.
   Port: Enter the server port configured for SSH access. Typically, this is port 22.
   Private Key: Select Upload Private Key to locate and upload the private key file for the secret.
   Passphrase: Enter the passphrase for the key, if the key is configured with a passphrase.
   Secret Expiration (under Advanced Settings): Optional; defaults to No Expiration. Choose one of:
   - Use Box Setting—Accepts the global box value.
   - No Expiration—The secret does not expire.
   - Specific Date and Time—Allows you to set the specific date and time for the secret to expire.
2. Click Continue.
3. On the Checkout Details page, complete the following:
   Checkout Duration: How long the secret is checked out. By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the duration set when creating the box.
   - Duration—Enter a duration in days, minutes, or hours. This value overrides the box setting.
   Exclusive Checkout: If enabled, the secret checkout is exclusive and only one user can check out the secret at a time. However, if the checkout duration has expired, a new checkout is allowed. By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the value that was set when creating the box.
   - Yes—The secret checkout is exclusive.
   - No—Multiple users can check out the secret at the same time.
4. On the Rotation Details page, complete the following:
   Rotation Duration: Sets the interval at which this secret is rotated. By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the duration set when creating the box.
   - Duration—Enter a duration in days, minutes, or hours. This value overrides the box setting.
   Rotate on Check In: If enabled, the secret is automatically rotated when it is checked in. This requires that the checkout duration is set. By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the value that was set when creating the box.
   - Yes—The secret is rotated when it is checked in.
   - No—The secret is not rotated when it is checked in.
   Force Rotation: If selected, this forces the rotation of all secrets in the box.
   - If Rotation Duration and Force Rotation are both set, the secret is rotated even if there are outstanding leases.
   - If Rotate on Check In and Force Rotation are both set, the secret is rotated when the checkout expires.
   By default, the Use Box Setting option is selected.
   - Use Box Setting—Use the value that was set when creating the box.
   - Yes—Forces the secret to rotate.
   - No—The secret does not rotate.
5. Click Create.
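The Checkout Details and Rotation Details settings described for the ESXi Host and SSH Key secrets above combine in a small number of ways: a field left at Use Box Setting inherits the box value, exclusive checkout blocks a second live lease, and Force Rotation changes when a due rotation actually fires. The following model, added here as an illustration and not KeyControl code, encodes those rules; the field names, the hour-based times and the reading that a non-forced periodic rotation waits for outstanding leases are assumptions.

```python
"""Model of how box-level and secret-level checkout/rotation settings combine.
Added illustration of the documented rules, not KeyControl code; field names
are assumptions. Times are in hours relative to an arbitrary epoch."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Policy:
    checkout_duration_h: Optional[float]   # None = no checkout duration set
    exclusive_checkout: bool
    rotation_duration_h: Optional[float]   # None = no periodic rotation
    rotate_on_check_in: bool
    force_rotation: bool


def effective_policy(box: Policy, **secret_overrides) -> Policy:
    """Fields not passed stay at 'Use Box Setting' and inherit the box value;
    anything passed explicitly is the secret-level override."""
    return replace(box, **secret_overrides)


def can_check_out(p: Policy, lease_expiries_h: list[float], now_h: float) -> bool:
    """Exclusive checkout refuses a second checkout while another lease is
    still live; a lease whose duration has expired no longer blocks it."""
    if not p.exclusive_checkout:
        return True
    return all(expiry <= now_h for expiry in lease_expiries_h)


def should_rotate(p: Policy, event: str, now_h: float,
                  last_rotation_h: float, lease_expiries_h: list[float]) -> bool:
    """Decide whether `event` triggers a rotation under policy `p`.
    event is 'check_in', 'checkout_expired' or 'timer' (periodic check)."""
    if event == "check_in":
        # Rotate on Check In only works when a checkout duration is set.
        return p.rotate_on_check_in and p.checkout_duration_h is not None
    if event == "checkout_expired":
        # With Force Rotation, the check-in rotation also fires on expiry.
        return p.rotate_on_check_in and p.force_rotation
    if event == "timer":
        if p.rotation_duration_h is None or now_h - last_rotation_h < p.rotation_duration_h:
            return False  # periodic rotation disabled or not yet due
        outstanding = any(expiry > now_h for expiry in lease_expiries_h)
        # Assumption: without Force Rotation a due rotation waits for live leases.
        return p.force_rotation or not outstanding
    raise ValueError(f"unknown event {event!r}")
```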
Static Keys
For the secret types File, Key-Value Pair, Password, and Text.
1. On the Create secret dialog, complete the following:
   If you selected File:
   Name: Enter the name of the secret.
   Description: Enter a description for the secret.
   Upload File: Select Browse to locate and upload the file.
   Secret Expiration (under Advanced Settings): Optional; defaults to No Expiration. Choose one of:
   - Use Box Setting—Accepts the global box value.
   - No Expiration—The secret does not expire.
   - Specific Date and Time—Allows you to set the specific date and time for the secret to expire.
   If you selected Key-Value Pair:
   Name: Enter the name of the secret.
   Description: Enter a description for the secret.
   Key: Enter the key name.
   Value: Enter the key value.
   Secret Expiration (under Advanced Settings): Optional; defaults to No Expiration. Choose one of:
   - Use Box Setting—Accepts the global box value.
   - No Expiration—The secret does not expire.
   - Specific Date and Time—Allows you to set the specific date and time for the secret to expire.
   The dialog lets you enter multiple key-value pairs as needed. For example, you could add one key-value pair for a user name and another for the user's password.
   If you selected Password:
   Name: Enter the name of the secret.
   Description: Enter a description for the secret.
   Password: Enter the password, or generate a password using the password generator icon.
   Secret Expiration (under Advanced Settings): Optional; defaults to No Expiration. Choose one of:
   - Use Box Setting—Accepts the global box value.
   - No Expiration—The secret does not expire.
   - Specific Date and Time—Allows you to set the specific date and time for the secret to expire.
   If you selected Text:
   Name: Enter the name of the secret.
   Description: Enter a description for the secret.
   Secret Data: Enter the secret data in plain text.
   Secret Expiration (under Advanced Settings): Optional; defaults to No Expiration. Choose one of:
   - Use Box Setting—Accepts the global box value.
   - No Expiration—The secret does not expire.
   - Specific Date and Time—Allows you to set the specific date and time for the secret to expire.
2. Click Create.
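The password generator note in the secret-type table and the Password static secret above both rely on the same complexity rule: 9 to 64 characters with at least 2 lowercase letters, 2 uppercase letters, 2 numbers and 2 special characters. The following generator and checker, added here as an illustration and not Entrust code, implement that rule with a CSPRNG; the special-character alphabet is an assumption, since the page does not list the product's own set.

```python
"""Generate and check passwords against the documented KeyControl PASM Vault
generator rule: length 9..64, at least 2 lowercase, 2 uppercase, 2 digits and
2 special characters. Added illustration, not Entrust code."""
import secrets
import string

MIN_LEN, MAX_LEN = 9, 64
MIN_PER_CLASS = 2
# Assumed special-character alphabet; the product's actual set is not documented here.
SPECIALS = "!@#$%^&*()-_=+[]{}:,.?"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)
ALPHABET = "".join(CLASSES)


def class_counts(password: str) -> tuple:
    """Return (lowercase, uppercase, digit, special) counts for the password."""
    return tuple(sum(1 for ch in password if ch in cls) for cls in CLASSES)


def meets_policy(password: str) -> bool:
    """True if the password satisfies the documented length and class minimums
    and uses only characters from the allowed alphabet."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    if any(ch not in ALPHABET for ch in password):
        return False
    return all(count >= MIN_PER_CLASS for count in class_counts(password))


def generate_password(length: int = 16) -> str:
    """Build a password that meets the policy by construction.

    Two characters are drawn from each class first, the remainder from the
    full alphabet, then the list is shuffled with a CSPRNG so that the
    position of each class is not predictable.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    chars = [secrets.choice(cls) for cls in CLASSES for _ in range(MIN_PER_CLASS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    password = "".join(chars)
    assert meets_policy(password)  # guaranteed by construction
    return password


if __name__ == "__main__":
    print(generate_password())
```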