Erasing Secrets
Erasing a secret permanently destroys (scrambles) the secret's data and makes the secret less visible to both users and admins. For users who have access to inactive secrets, however, the erased secret still appears in the folder view, so auditors and other secret users can confirm that the data was destroyed.
Erasing and deactivating secrets are not the same thing. When deactivated, secrets are not removed forever. This maintains an audit trail for secrets, even ones that are no longer used. Administrators or users with specific permissions can view or even reactivate deactivated secrets. See Deactivating and Reactivating Secrets for details.
Task 1: Configuring Secret Erase
1. Ensure that you have a workflow license for Secret Server.
2. Go to Access > Roles in Secret Server.
3. Create a new role named "Secret Erase Requester" or "Secret Erase Administrator" (see Creating Roles for details), making sure the Enabled checkbox is selected.
4. Assign the Erase Secret permission to the role you just created by accessing the Permissions tab for the role and selecting Edit. In the Scope drop-down menu select All, so that all available permissions are shown, search for Erase Secret, select it, and click Save.
   This role permission allows users with the role to create secret erase requests and view secret erase administration pages.
5. Go to Access > Groups. The Groups tab of the User Management page appears.
6. Create a group named "Secret Erasers", making sure the Enabled checkbox is selected. Once the new group is created, its page loads automatically; click the Roles tab.
7. Click Edit, change the Scope to "All", search for the role you just created, select it, and click Save.
8. Click the Members tab to add yourself to the Secret Erasers group.
9. Go to Settings > General > Workflow.
10. Create a "Secret Erase Requests" workflow template, assigning it the Secret Erase Request type.
11. The workflow designer (Designer tab) loads automatically upon creation. In this tab, assign one or more users or groups as approvers by typing each in the search text box in the Add Groups / Users section and then selecting your choice when it appears. The selection then appears in the Approvers list box. When satisfied, make sure the Enabled state is checked and click Save.
    Typically the approvers you choose should be in the same group as those that can make the requests. You can, however, choose any groups or users you like, or make a group just for approvals. It is important to note that the same user cannot both make a request and approve it; this prevents a single person from making an irreversible, potentially very harmful, mistake.
12. Go to Settings > Configuration search > Secret erase configuration.
13. Click Edit and select the Enable secret erase checkbox. The Secret erase workflow dropdown list appears.
14. Choose Secret Erase Request from the dropdown list and click the Save button. Secret Erase is now set up.
    If the < None > option is the only one available in the dropdown, you will not be able to complete the setup, because a valid Secret Erase Workflow Template is required to enable Secret Erase.
Task 2: Erasing a Secret
1. Ensure the following requirements are met for the secret you intend to erase. Ensure the secret:
   - Is inactive
   - Is owned by you
   - Does not have a pending secret erase request
   - Is not double-locked
   - Is not checked out by another user
   - Is not a discovery secret
   - Is not a domain sync secret
2. For this instruction, create a secret for testing in your personal folder to ensure all the requirements are met.
3. You can erase the secret via a dashboard bulk operation. Erase is accessed by the Bulk Actions button, with the Erase secrets option nestled under the Security section of the Bulk Actions popup. See Running Dashboard Bulk Operations for more details.
   If the "Erase Secrets" link does not appear in the Security section, you may not have properly configured secret erase (see Task 1), you may not have enabled the Secret Erase Workflow, or the secret might not meet one of the requirements.
4. When you click the Erase Secrets link, the Erase Secrets popup appears. This is where you set up an erase secrets request. When you complete the process, the erase request is sent to the users or user group you designated earlier for approval.
5. Use the calendar and time widgets to set the Erase After Date. It must be a minimum of 24 hours away to give the erase secrets request time to process. If you set it to less than that, you cannot continue the process.
6. Type your reason for permanently erasing the secret or secrets in the Reason text box. The granter will need this to decide whether to let you take this irreversible, destructive action. Specifically, explain why a deactivation is not sufficient. A reason is mandatory for the request to be processed.
7. Click the Erase button. A confirmation popup appears.
8. Pause a second to make sure you are certain.
9. Click the Erase Secrets Forever button.
   Errors might occur at this step if the secret is Active at the time of the request or if there is no SecretId.
10. When the erase request is approved, the secret or secrets will be erased by an automated process after the "erase after" date and time arrives.
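As an added example (not Secret Server's own code or API), the preconditions this page states for an erase request, modelled as a preflight check a requester could run before submitting one: the secret checklist from Task 2, the 24-hour minimum on the erase-after date, the mandatory reason, and the rule from Task 1 that the requester must not also be an approver. The Secret class, its field names and the sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# The page requires the erase-after date to be at least 24 hours away.
MIN_LEAD_TIME = timedelta(hours=24)


@dataclass
class Secret:
    """Constructed model of the secret properties the page's checklist refers to."""
    secret_id: Optional[int]
    owner: str
    active: bool
    pending_erase_request: bool = False
    double_locked: bool = False
    checked_out_by: Optional[str] = None
    is_discovery: bool = False
    is_domain_sync: bool = False


def erase_request_violations(secret, requester, approvers, erase_after, reason, now):
    """Return every page-stated precondition the request would violate (empty list = OK)."""
    problems = []
    if secret.secret_id is None:
        problems.append("secret has no SecretId")
    if secret.active:
        problems.append("secret is active; deactivate it before requesting erase")
    if secret.owner != requester:
        problems.append("requester does not own the secret")
    if secret.pending_erase_request:
        problems.append("an erase request is already pending for this secret")
    if secret.double_locked:
        problems.append("secret is double-locked")
    if secret.checked_out_by not in (None, requester):
        problems.append(f"secret is checked out by {secret.checked_out_by}")
    if secret.is_discovery:
        problems.append("discovery secrets cannot be erased")
    if secret.is_domain_sync:
        problems.append("domain sync secrets cannot be erased")
    if erase_after - now < MIN_LEAD_TIME:
        problems.append("erase-after date must be at least 24 hours from now")
    if not reason.strip():
        problems.append("a reason for the erase request is mandatory")
    if requester in approvers:
        problems.append("the requester cannot also be an approver of the request")
    return problems
```

Running the check with a retired test secret, a different approver, and an erase-after date 25 hours out returns no violations; an active secret with no SecretId, checked out by someone else and requested by one of its own approvers reports each failed rule separately.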