Managing User Secrets
You can use PrivX to securely store and delegate access to secret data. PrivX secrets are under the Secrets page. On this page you can add, and edit secrets. You can also search secrets by their name.
Adding Secrets
To add a secret:
In the PrivX GUI, go to the Secrets page and click Add Secret.
Define the following for the secret:
- A unique Name.
- Who can access the secret. This is defined with a combination of:
- Scope: When set to Global, only those with read/write access may read/write the secret. When set to Personal, the user who created the secret may read and modify the secret.
- Read access and Write access: Roles who may read or modify the secret.
- The Secret type. This controls what content can be entered in Secret data.
- Secret data.
Click Save to save the secret.
By default, the only Secret type is JSON. For more information about defining additional Secret types, see Custom Secret Types.
Personal secrets can be viewed and managed by PrivX administrators. Therefore, credentials that should only be visible to you (such as private social-media accounts) should not be stored as Personal secrets.
For using secrets vault for scripted access, see API-Client Integration.
Finding Secrets
All the secrets are available via the PrivX GUI, from the Secrets page. There you can use Search to find secrets that are relevant to you.
In secrets search, you can use the Filter keyword to find secrets that you have access to. Similar to the following:
(Filter=Readable)
The available values for Filter are:
- Readable: Secrets you can read.
- Writable: Secrets you can modify.
- Accessible: Secrets where you have both read and write permissions.
- Personal: Personal secrets created by you.
Custom Secret Types
You can define your own Secret types. This offers the following benefits:
- When creating secrets, the PrivX GUI offers a form for filling in values, which may be more intuitive than typing raw JSON.
- Support masking sensitive data; users can copy custom-secret values without exposing the actual values.
- Control the structure of secret data.
Custom secret types provide a form for providing secret data.
Custom secret types allow you to Copy individual values.
To define secret types:
- Access the PrivX GUI with
settings-view
andsettings-manage
permissions. Go to the Administration→Settings→Secrets Vault page and Edit the Secret schemas JSON setting.
The Secret schemas JSON is an array where you can define multiple secret types,
[
{
"name": "secret_type_1",
"title": "Credentials1",
"properties": []
},
{
"name": "secret_type_2",
"title": "Credentials2",
"properties": []
},
...
]
Each secret type must specify the following attributes:
name
: ID string of the secret type. Must be unique within the system.title
: Human-readable title for the secret type. This will be displayed in the GUI.properties
: Array of property objects. Each property represents a secret field (such as a user name, password, and so on). Each property supports the following attributes:name
: ID string of the field.title
: Human-readable title for the field. This will be displayed in the GUI.masked
: If true, the field input is masked. We recommend enabling this for password fields. Optional, defaults to false.wide
: If true, the input field will take up the entire width of the form. Optional, defaults to false.multiline
: If true, the input field will span multiple lines. Optional, defaults to false.monospace
: If true, the input field will use a monospace font. Optional, defaults to false.
For example, to create the custom secret type shown in previous images:
[
{
"name": "credentials",
"title": "Credentials",
"properties": [
{
"name": "user",
"title": "Username"
},
{
"name": "pass",
"title": "Password",
"masked": true
},
{
"name": "comment",
"title": "Comment",
"wide": true,
"multiline": true
}
]
}
]
Role Permissions for Secrets
The role permissions for managing secrets are:
vault-add: Allows the user to add secrets.
vault-manage: Allows the user to add and delete secrets, modify secrets' metadata, modify secrets' contents, list secrets, and view secrets' metadata.
All PrivX users can create Personal secrets. To create secrets with Read/Write-access roles, the user will also need the vault-add permission.
Disable User Secrets Feature
If you don't require user Secrets feature in your PrivX setup, follow the steps below to disable it.
Gain root-terminal access to the PrivX server.
Edit the shared configuration at
/opt/privx/etc/shared-config.toml
.In this file, configure
ui_disabled_features
value like below.
ui_disabled_features = [
"secrets"
]
Save the changes to the file.
- Start the PrivX services to apply the changes.
After applying the changes, the "Secrets" tab will not be visible in the PrivX menu and the connection UI of the web client.