Secret Expiration Overview

Secret expiration is a core feature of Secret Server that enhances security by ensuring sensitive data is regularly reviewed and updated. Expiration can be enabled on any secret template so that secrets created from it expire after a fixed time interval. For a secret to expire, a specific field, such as a password, must be selected as the target of the expiration; the interval is measured from the last time that field was changed. For example, a secret template for Active Directory accounts might require a password change every 90 days. If the password remains unchanged past the specified time, the secret is considered expired and appears in the Expired Secrets panel on the Dashboard or Home page.

Benefits

  • Security: Reminds users to review and update sensitive data regularly.
  • Compliance: Helps meet compliance requirements that mandate regular password changes.
  • Automation: When combined with RPC (Remote Password Changing), Secret Server can automate the process of changing passwords regularly.

Setting Up Secret Expiration

  1. Enable Expiration on the Template:

    • In the Template Designer, enable the Expiration Enabled? checkbox.
    • Set the number of days until expiration and select the field to be updated upon expiration.
  2. Enable Expiration for Individual Secrets:

    • Once expiration is enabled for a template, it applies to all secrets created using that template.
    • Users with Owner permission can set custom expiration intervals for individual secrets via the Overview tab on the Secret View page.

Managing Expired Secrets

  • Forcing Expiration: Users can manually force a secret to expire immediately by clicking Expire Now on the Secret View page.
  • Resetting an Expired Secret: Change the field that has expired to reset the expiration interval.
  • AutoChanging an Expired Secret: Enable AutoChange to allow Secret Server to automatically change the password when it expires. This requires enabling RPC and configuring it on the individual secret.
  • Retry Interval: Secret Server checks for expired secrets every minute. If a password change attempt fails, it will retry based on the template's retry interval, which defaults to one hour.
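The lifecycle described on this page (template interval, owner override, Expire Now, reset on change of the target field, AutoChange with the per-minute check and the retry interval) can be modelled in a few functions. The following is an added illustrative model, not Secret Server's own code; the template name, the 90-day and 30-day intervals, the "svc-backup" account and the failing/succeeding password changers are constructed for the example, and the outcome strings returned by expiration_tick are an assumption of this model.

```python
"""Hypothetical model of secret expiration semantics (illustrative, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional


@dataclass
class Template:
    """Expiration settings as configured in the Template Designer."""
    name: str
    expiration_enabled: bool = False
    expiration_days: int = 0
    expiration_field: str = "password"              # field whose age drives expiration
    retry_interval: timedelta = timedelta(hours=1)  # default retry after a failed change


@dataclass
class Secret:
    template: Template
    fields: Dict[str, str]
    changed_at: Dict[str, datetime]                 # when each field was last changed
    custom_expiration_days: Optional[int] = None    # owner override from the Overview tab
    autochange: bool = False                        # requires RPC configured on the secret
    forced_expired: bool = False                    # set by "Expire Now"
    last_change_attempt: Optional[datetime] = None  # for the retry interval


def expiration_days(secret: Secret) -> int:
    """Owner override wins over the template default."""
    if secret.custom_expiration_days is not None:
        return secret.custom_expiration_days
    return secret.template.expiration_days


def expires_at(secret: Secret) -> Optional[datetime]:
    """Expiry is measured from the last change of the target field."""
    t = secret.template
    if not t.expiration_enabled:
        return None
    return secret.changed_at[t.expiration_field] + timedelta(days=expiration_days(secret))


def is_expired(secret: Secret, now: datetime) -> bool:
    if not secret.template.expiration_enabled:
        return False
    if secret.forced_expired:
        return True
    return now >= expires_at(secret)


def expire_now(secret: Secret) -> None:
    """Manual 'Expire Now' from the Secret View page."""
    secret.forced_expired = True


def set_field(secret: Secret, name: str, value: str, now: datetime) -> None:
    """Changing the target field resets the expiration interval (and a forced expiry)."""
    secret.fields[name] = value
    secret.changed_at[name] = now
    if name == secret.template.expiration_field:
        secret.forced_expired = False


def expiration_tick(secret: Secret, now: datetime, change_password: Callable[[], str]) -> str:
    """One run of the per-minute expiration check; returns what happened (model's own labels)."""
    if not is_expired(secret, now):
        return "current"
    if not secret.autochange:
        return "expired"            # shown in the Expired Secrets panel, no automatic change
    last = secret.last_change_attempt
    if last is not None and now - last < secret.template.retry_interval:
        return "waiting"            # failed earlier, wait out the retry interval
    secret.last_change_attempt = now
    try:
        new_value = change_password()   # stands in for the RPC password change
    except Exception:
        return "failed"
    set_field(secret, secret.template.expiration_field, new_value, now)
    secret.last_change_attempt = None
    return "changed"


# Constructed sample data: an AD template expiring every 90 days, last changed 2024-01-01.
AD_TEMPLATE = Template("Active Directory Account", expiration_enabled=True, expiration_days=90)
LAST_CHANGED = datetime(2024, 1, 1)


def make_secret(autochange: bool = False) -> Secret:
    return Secret(AD_TEMPLATE, {"username": "svc-backup", "password": "constructed-old"},
                  {"password": LAST_CHANGED}, autochange=autochange)


def at(days: int, minutes: int = 0) -> datetime:
    """Point in time relative to the constructed last-change date."""
    return LAST_CHANGED + timedelta(days=days, minutes=minutes)
```

Running expiration_tick once per simulated minute reproduces the behaviour in the list above: a non-AutoChange secret merely reports as expired, while an AutoChange secret whose change fails is not retried until the template's retry interval has elapsed.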