Importing Secrets

Secret Server's importation feature simplifies integration with legacy systems and allows users to easily add large numbers of secrets from an Excel or comma-separated values (CSV) file. Secrets are batch imported by template, so multiple types of input data need to be imported in several batches. The Secret Server Migration Tool topic discusses the addition of existing passwords from other third-party password-storing applications.

Importing CSV Data

1. Go to Admin > Export / Import. The Export / Import page appears on the Secrets tab.

2. Click the Import button. The Import secrets page appears.

3. Select CSV as Import type.

4. Select the related Secret template.

5. Check to Allow duplicate secrets if you wish to import a secret with the same name as an existing one.

6. Check Import with Folder if you included an additional field in the importation text with a fully qualified folder name for the secret to be created in.

7. Check Change remote passwords if you wish to execute a password change for each secret on import. This enables the standard functionality of a password change, and the secret also completes the automatic password change on checking in. This is to allow maintenance and testing of secrets protected in this manner, and a pending password change must be completed before the check-in process is allowed to begin in order to maintain a secure order of operations.

8. Check to enable Import With TOTP Settings if needed. If this secret has TOTP settings they will be imported, otherwise ignored.

9. Paste the secrets for importation from MS Excel or a CSV file directly into the CSV text text box . The order of the imported fields is based on the template selected. Consider the following:

   • Do not include a header line. The field names are determined by the order, not a header line.

   • The fields must be in this order: Secret Name, AccessKey, SecretKey, Username, SecretId, and Trigger.

   • Secret names must be included, but other text-entry fields can be blank unless the secret template indicates that the text-entry field is required.

   • Fields containing commas or tabs must be surrounded with double quotation marks.

   • It is permissible to include quotes. If the field is surrounded with double quotes, the double quotes you wish to include must be escaped with a \ (for example, "pa\"\"word" comes out as pa""word)

   • Values for File fields may be omitted as they are ignored by the import process.

10. Click Preview CSV Import - the CSVimport preview will appear below.

11. If you are happy with what you see, click Process CSV Import.

Importing Secrets with XML

Advanced XML importation adds folders, secret templates, and secrets based on an XML file. Permissions can be specified on the folders and secrets or the default is to inherit permissions. This import can only be done by administrators with proper role permissions.

Procedure

1. Ensure your XML is formatted correctly. If coming from a Secret Server export, you should be good to go. See Example XML File.

   Do not edit the XML file with Windows Notepad. Instead, use Notepad++, Visual Studio Code, or Atom to make your edits. Windows Notepad can add invisible characters that can prevent importation.

2. Go to Admin > > Export / Import.

3. Click the Import button. The Import secrets page appears.

4. Select XML as Import type.

5. Check Inherit folder permissions to import a secret with the same folder permissions.

6. Check Change remote passwords if needed. The passwords on the remote device will be queued for the immediate change after import.

7. Click the XML file link and select the related XML file on your device to upload.

8. Click Upload XML file.

Example XML File

The XML file should look like the example below, the comments are for explanation only and may be removed before importing, if desired.

Notes

• Leaving the <Permissions> tag empty for a folder will cause that folder to inherit permissions from its parent folder.
• Leaving the <Permissions> tag empty for a secret will cause it to inherit permissions from its folder.
• To add a line-break within a Notes field use ##BR##.

Sample XML

<?xml version="1.0" encoding="utf-16"?>

<ImportFile xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">

  <Folders>
    <Folder>
      <FolderName>Customers</FolderName>
      <FolderPath>Customers</FolderPath>
      <Permissions>
        <Permission>
          <View>true</View>
          <Edit>true</Edit>
          <Owner>true</Owner>
          <UserName>admin</UserName>

        </Permission>
        <Permission>
          <View>true</View>
          <Edit>false</Edit>
          <Owner>false</Owner>
          <GroupName>Auditors</GroupName>
        </Permission>
      </Permissions>
    </Folder>
    <Folder>
      <FolderName>Customer A</FolderName>
      <FolderPath>Customers\Customer A</FolderPath>
      <Permissions />

    </Folder>
  </Folders>

  <Groups>
    <Group>
      <GroupName>Other Administrators</GroupName>
      <GroupMembers>
        <GroupMember>
          <UserName>admin2</UserName>
        </GroupMember>
        <GroupMember>
          <UserName>DomainAdmin</UserName>
          <Domain>http://testdomain.test.com</Domain>
        </GroupMember>
      </GroupMembers>
    </Group>
    <Group>
      <GroupName>Domain Administrators</GroupName>
      <Domain>http://testdomain.test.com</Domain>
      <GroupMembers>
        <GroupMember>
          <UserName>DomainAdmin</UserName>
          <Domain>http://testdomain.test.com</Domain>
        </GroupMember>
      </GroupMembers>
    </Group>
  </Groups>
  <SecretTemplates>

    <secrettype>
      <name>Windows Account</name>
      <active>true</active>
      <fields>
        <field isexpirationfield="false">
          <name>Resource URL</name>
          <mustencrypt>false</mustencrypt>
          <isurl>false</isurl>
          <ispassword>false</ispassword>
          <isnotes>false</isnotes>
          <isfile>false</isfile>
          <passwordlength>0</passwordlength>
           <historylength>0</historylength>
          <isindexable>false</isindexable>
        </field>
        <field isexpirationfield="false">
          <name>Username</name>
          <mustencrypt>false</mustencrypt>
          <isurl>false</isurl>
          <ispassword>false</ispassword>
          <isnotes>false</isnotes>
          <isfile>false</isfile>
          <passwordlength>0</passwordlength>
           <historylength>0</historylength>
          <isindexable>false</isindexable>
        </field>
        <field isexpirationfield="false">
          <name>Password</name>
          <mustencrypt>true</mustencrypt>
          <isurl>false</isurl>
          <ispassword>true</ispassword>
          <isnotes>false</isnotes>
          <isfile>false</isfile>
          <passwordlength>12</passwordlength>

           <historylength>2147483647</historylength>
          <isindexable>false</isindexable>
        </field>
        <field isexpirationfield="false">
          <name>Notes</name>
          <mustencrypt>false</mustencrypt>
          <isurl>false</isurl>
          <ispassword>false</ispassword>
          <isnotes>true</isnotes>
          <isfile>false</isfile>
           <passwordlength>0</passwordlength>
          <historylength>0</historylength>
          <isindexable>true</isindexable>
        </field>
      </fields>
      <expirationdays>0</expirationdays>
    </secrettype>
 </SecretTemplates>
 <Secrets>
    <Secret>
      <SecretName>Test Secret</SecretName>
      <SecretTemplateName>Windows Account</SecretTemplateName>
      <FolderPath>Customers\Customer A</FolderPath>
      <Permissions>
        <Permission>
          <View>true</View>
          <Edit>true</Edit>
          <Owner>false</Owner>
          <GroupName>IT Admins</GroupName>
        </Permission>
        <Permission>
          <View>true</View>
          <Edit>true</Edit>
          <Owner>true</Owner>
          <UserName>admin</UserName>
        </Permission>
      </Permissions>
      <SecretItems>
        <SecretItem>
          <FieldName>Resource URL</FieldName>
          <Value>10.10.0.25</Value>
        </SecretItem>
        <SecretItem>
          <FieldName>Username</FieldName>
           <Value>Administrator</Value>
        </SecretItem>
        <SecretItem>
          <FieldName>Password</FieldName>
          <Value>D*KGY#$5</Value>
        </SecretItem>
        <SecretItem>
          <FieldName>Notes</FieldName>
          <Value>Just some notes##BR##...and some more notes on a new line. </Value>
        </SecretItem>
      </SecretItems>
    </Secret>
    <Secret>
      <SecretName>Another Test Secret</SecretName>
      <SecretTemplateName>Windows Account</SecretTemplateName>
      <FolderPath>Customers\Customer A</FolderPath>

      <Permissions />
      <SecretItems>
        <SecretItem>
          <FieldName>Resource URL</FieldName>
          <Value>10.10.0.25</Value>
        </SecretItem>
        <SecretItem>
          <FieldName>Username</FieldName>
          <Value>JSmith</Value>
        </SecretItem>
        <SecretItem>
          <FieldName>Password</FieldName>
          <Value>DKud3()DS</Value>
        </SecretItem>
         <SecretItem>
          <FieldName>Notes</FieldName>
          <Value>This line has an empty line##BR####BR##in between this line.</Value>
        </SecretItem>
      </SecretItems>
      <SecretDependencies>

        <SecretDependency>
          <Active>true</Active>
          <Restart>true</Restart>
          <Description>Some Dependency</Description>
          <MachineName>192.168.99.1</MachineName>
          <DependencyName>Some Service</DependencyName>
          <Type>Windows Service</Type>

          <PrivilegedAccount>Some Account</PrivilegedAccount>
          <WaitBeforeSeconds>10</WaitBeforeSeconds>
        </SecretDependency>
      </SecretDependencies>
    </Secret>
  </Secrets>
</ImportFile>