External Secrets

The external secrets feature, a type of distributed vaulting, integrates Secret Server with external secret management systems, such as Azure Key Vault Integration or AWS Secrets Manager Integration.

What Is Distributed Vaulting?

Distributed vaulting is a security approach that stores and manages sensitive data, such as encryption keys, secrets, and certificates, across multiple locations, systems, or environments. This decentralized architecture provides several benefits:

  • Centralized Secret Control: Store, manage, and rotate secrets from a single interface. Enforce consistent access policies and permissions across all secrets, with a unified view of all secrets that serves as a single source of truth.
  • Competitive Advantage: By implementing distributed vaulting, organizations can gain a competitive advantage by enhancing security, agility, compliance, and customer trust while reducing costs and improving business continuity.
  • Enhanced Availability: Data is available even if one location or system is compromised or experiences downtime.
  • Improved Development Environment: Securely manage all cloud secrets without impacting developer velocity or CI/CD pipelines. CI/CD (Continuous Integration and Continuous Delivery or Deployment) pipelines are automated workflows that streamline the software development process. They integrate, test, build, and deploy code changes, ensuring faster, more reliable, and higher-quality software releases.
  • Improved Security: By spreading sensitive data across multiple locations, you reduce the attack surface and make unauthorized access more difficult.
  • Increased Scalability: Distributed vaulting allows for easier expansion and adaptation to growing security needs.
  • Connecting with Your Legacy Delinea Vault: Integrating Secret Server On-Premises with Delinea Platform.
  • Reduced Single Point of Failure: No single location or system holds all sensitive data, minimizing the risk of catastrophic data loss.

Terminology and Concepts

External vault integration uses several new terms and concepts. Some of the term definitions are slightly different than common usage.

Auditing

All changes to linked secrets are audited, and the audit grid indicates how many items were changed. Expanding the panel by clicking on the row shows the changeset, which includes the changes for each update. Permission updates record which permissions were assigned to or removed from which user.

Creating a Vault

"Creating a vault" links an existing external vault to Secret Server. You are not creating the actual external vault. That is, you are creating an internal representation of the external vault within Secret Server and linking it to the external vault. The name must exactly match the name of an already existing external vault. For AKV, the credential secret should have Get, List, and Set permissions within Azure under Secret Management Operations.

New Vault Initial State

After successfully validating the connection to the external vault, you are prompted to pull in the matching information from the vault. This process only creates links inside Secret Server to the existing external secrets. At this point, no data is updated in the external vault.

Secrets first appear as disabled. A disabled secret means Secret Server will not push or pull any data to or from the external vault for that secret.

External Secret

An external secret is a secret inside Secret Server that is linked with a secret in an external vault. It is called an external secret because it represents a linked secret in the other vault.

In short, an external secret is mostly just a metadata mapping to a secret in the external vault.

External Secret Fields

An external secret contains the following fields, which are available on the External Secret page:

  • External Vault: The vault on the external machine that contains its matching secret.
  • Name: The name of the secret, which cannot be changed.
  • Last Push: Indicates the last time a change was pushed to the linked secret on the external vault.
  • Linked Secret: A secret in Secret Server that is connected to the external secret and thus to a secret in the external vault. Any changes to it are pushed to the external secret.
  • Transform: The formula used to push changes to the linked secret in the external vault. For example: Machine: $secret.field.machine; Password $secret.field.password would push the values of the machine and password fields into the linked secret in the external vault. A formula editor shows the available fields once a secret is selected.

An external secret can have one of the following states:

  • Enabled: Indicates the secret is live and any change to it triggers an update to the external vault.
  • Disabled: Indicates the secret cannot receive any changes. That is, for this secret no changes are pushed to or pulled from the external vault.

External Secret Actions

There are several actions that can be taken with an external secret:

  • Set External Value: This function accepts any text and assigns it to a secret in the external vault. This function does not require a linked secret or transform and will ignore any of those and just assign the value that is entered.
  • View External Value: View the current value for a secret in the external vault, not necessarily a linked secret.
  • Push: Merge the transform data from the linked secret and update the value in the external vault. New versions of the external secret will only be added if it has changed values.
  • Edit: Edit the secret's metadata.
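The transform expansion and push behavior described above (token substitution from the linked secret's fields, no new external version when the value is unchanged, and no push for a disabled secret), as an added illustration in Python. This is not Secret Server code; the `$secret.field.<name>` token syntax is taken from the page, while the vault stub, the sample field values and the status strings are constructed here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample linked secret (not real credentials).
LINKED_SECRET_FIELDS = {"machine": "db01.example.internal", "password": "S3cr3t!"}

# Token form used by the page's transform example: $secret.field.<fieldname>
TOKEN = re.compile(r"\$secret\.field\.([A-Za-z0-9_]+)")

def render_transform(transform: str, fields: Dict[str, str]) -> str:
    """Expand every $secret.field.<name> token with the linked secret's field value.
    Assumption: a token naming a missing field is an error, not silently empty."""
    def expand(match: "re.Match") -> str:
        name = match.group(1)
        if name not in fields:
            raise KeyError(f"linked secret has no field '{name}'")
        return fields[name]
    return TOKEN.sub(expand, transform)

@dataclass
class ExternalVaultStub:
    """Stand-in for an AKV/AWSSM vault: keeps a version list per secret name."""
    versions: Dict[str, List[str]] = field(default_factory=dict)
    def current(self, name: str) -> Optional[str]:
        vals = self.versions.get(name)
        return vals[-1] if vals else None
    def set_value(self, name: str, value: str) -> None:
        self.versions.setdefault(name, []).append(value)   # one new version

@dataclass
class ExternalSecret:
    name: str                       # must match the external vault's secret name
    enabled: bool                   # disabled secrets never push or pull
    transform: Optional[str]        # formula, None if no transform configured
    linked_fields: Optional[Dict[str, str]]  # fields of the linked SS secret

def push(secret: ExternalSecret, vault: ExternalVaultStub) -> str:
    """Push action: returns 'pushed', or a 'skipped:<reason>' status string."""
    if not secret.enabled:
        return "skipped:disabled"
    if secret.transform is None or secret.linked_fields is None:
        return "skipped:unlinked"
    value = render_transform(secret.transform, secret.linked_fields)
    if vault.current(secret.name) == value:
        return "skipped:unchanged"   # no new external version for same value
    vault.set_value(secret.name, value)
    return "pushed"

def set_external_value(secret: ExternalSecret, vault: ExternalVaultStub, text: str) -> None:
    """Set External Value: writes free-form text, ignoring link and transform."""
    vault.set_value(secret.name, text)
```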

External Secret Grid

The external secret grid provides a central location in Secret Server to manage external secrets. When selecting external secrets in the grid, you can choose to push or edit these items. Bulk edits allow you to update and link multiple external secrets at once.

External Vault

An external vault is a vault hosted outside of Secret Server by AKV or AWSSM. Default permissions are assigned to that external vault via the connector, and you can perform a few actions on the vault:

  • Push: Update every active secret in the external vault that is linked, via a transform, to a Secret Server secret.
  • Pull: Retrieve all the secret names in the external vault and create a pointer record for each.
  • Synchronize: Performs a pull (from the external vault) and then a push (to the external vault). Once completed, both Secret Server and the external vault are updated with the other's changes.

Permissions

Permissions are assigned to the external vault and any secret within the vault uses those permissions by default. On each secret, you can override the vault permissions and assign completely different permissions.

Role Permissions

Go to Settings > Roles > Administrator > Permissions tab to set these permissions.

Role permissions:

  • Create External Vault Links: Can set up a connection to an existing external vault and can then assign permissions to other users.
  • View External Vaults: Can access the external vault feature but cannot manipulate external vaults.

External Vault Permissions

Vault permissions govern what a Secret Server user can do with the external vault. For example, in AKV:

  • Edit Vault: Can change the settings for the vault.
  • Edit Vault Permissions: Can assign any permission to any user on the vault.
  • Pull: Can execute a pull on the vault.
  • View External Values: Can view or set a remote value on any secret within the vault. The user also needs "View Remote Value" or "Set Remote Value" on the secret.
  • View Vault: Can view the vault and all information, including permissions.

Vault Secret Permissions

These permissions can be defined on the external vault as well as each secret. The values assigned on the vault are the default permissions used by any secret that inherits permissions from the vault.

Note: When viewing a Delinea Secret, an “External secrets” tab appears that lists all of the external secrets linked to the secret.

External vault secret permissions:

  • Edit External Secret: Able to change any of the fields on the secret including status, linked secret, and transform.
  • Edit External Secret Permissions: Can assign any permission to the secret.
  • Push: Can run the push action which will apply the linked secret to the transform and then push or update that value in the external vault.
  • Set External Secret Remote Value: Can assign a free-form value directly to the external secret. Requires "View External Values" on the parent vault.
  • View External Secret: Can view the secret and any of the associated information such as permissions and auditing.
  • View External Secret Remote Value: Can retrieve and view the actual value for the secret in the external vault. Requires "View External Values" on the parent vault.
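An added illustration (not Secret Server code) of how the permission model above resolves: secrets inherit the vault's default secret permissions unless a per-secret override replaces them, and the two remote-value permissions additionally require "View External Values" on the parent vault. Permission names are taken from the page; the data model, the users and the rule that an override replaces the defaults entirely are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Secret-level actions that also need a vault-level permission (from the page).
REMOTE_VALUE_ACTIONS = {
    "View External Secret Remote Value",
    "Set External Secret Remote Value",
}
VAULT_PERM_FOR_REMOTE_VALUES = "View External Values"

@dataclass
class ExternalVaultAcl:
    # user -> vault permissions (Edit Vault, Pull, View External Values, ...)
    vault_perms: Dict[str, Set[str]]
    # user -> default secret permissions inherited by every secret in the vault
    default_secret_perms: Dict[str, Set[str]]
    # secret name -> (user -> permissions); present only when a secret overrides
    secret_overrides: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

def effective_secret_perms(acl: ExternalVaultAcl, secret: str, user: str) -> Set[str]:
    """Assumption: an override on a secret replaces the vault defaults wholesale."""
    override = acl.secret_overrides.get(secret)
    if override is not None:
        return override.get(user, set())
    return acl.default_secret_perms.get(user, set())

def is_allowed(acl: ExternalVaultAcl, secret: str, user: str, action: str) -> bool:
    """True only if the user holds the secret permission and, for remote-value
    actions, also holds 'View External Values' on the parent vault."""
    if action not in effective_secret_perms(acl, secret, user):
        return False
    if action in REMOTE_VALUE_ACTIONS:
        return VAULT_PERM_FOR_REMOTE_VALUES in acl.vault_perms.get(user, set())
    return True

# Constructed sample ACL (users and secret names are made up).
SAMPLE_ACL = ExternalVaultAcl(
    vault_perms={"alice": {"View Vault", "Pull"},
                 "bob": {"View Vault", "View External Values"},
                 "carol": {"View Vault"}},
    default_secret_perms={"alice": {"View External Secret", "Push"},
                          "bob": {"View External Secret", "View External Secret Remote Value"},
                          "carol": {"View External Secret", "Set External Secret Remote Value"}},
    secret_overrides={"hr-payroll": {"bob": {"View External Secret"}}},
)
```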