Third Party Key Management in Secret Server Cloud

Managing your own encryption key or using a third-party provider, such as Amazon Web Services Key Management Services (AWS KMS) or Azure Managed HSM, has very serious ramifications if not carefully handled—you can lose access to your Secret Server data. When using a third-party key provider, Secret Server requires access to the third-party key for the website to be accessible and secrets to be available. If the third-party key is deleted, Secret Server becomes permanently unable to decrypt any data—all access to secrets is lost. If the credentials that Secret Server uses to access the third-party key are blocked or disabled, the Secret Server website becomes inaccessible until the prior credentials are restored by the customer.

Introduction

Secret Server protects your secrets using a master encryption key, as well as an additional intermediate encryption key that is unique for each secret. These effectively act as internal passwords that Secret Server itself needs to unlock your data, for example, any time you view or update a secret.

Key Management in Secret Server Cloud (SSC) lets you add another layer of encryption by using a third-party provider to protect these encryption keys, giving you added protection and control. To do this, you must first set up your own encryption key with a third party that you fully control, and then give Secret Server limited access to it. This external encryption key is used to protect the Secret Server encryption keys. You can revoke Secret Server’s access at any time if the need arises, rendering secrets unusable.

Once enabled, if you delete your external third-party encryption key or the credentials you gave Secret Server no longer work, you will not be able to access your existing secrets.

You can change your key management configuration through Secret Server’s user interface or by using the REST API. If key management has already been enabled, you can switch to a new configuration or disable key management completely. To make any change, your existing key management configuration must still be valid, so your secrets and the master encryption keys can be converted to the new configuration. Your new settings are validated before they can be saved.

Secret Server Cloud currently supports the AWS Key Management Service and the Azure Managed HSM Service. It does NOT support Azure’s Key Vault due to performance limitations of that service.

Azure Managed HSM Service

The Azure Managed HSM Service is a highly available, managed single-tenant cloud service for creating, managing, and using encryption keys, using FIPS 140-3 Level 3 validated HSMs.

Although Managed HSM is supported and sits under the Key Vault branding of Azure, we do not support the non-Managed HSM Key Vault (Standard or Premium) service. Please see What is Azure Key Vault Managed HSM for more information on security, pricing, SLA, and more.

Azure Managed HSM Guidelines and Best Practices

  • The Managed HSM service must be located in the same region as your cloud subscription. Contact Delinea support if you have any questions about what region this is.

  • Only an AES 256 symmetric key is supported at this time. No other key will work.

  • You will be fully in charge of managing your keys, key availability, security settings, etc. A misconfiguration or Azure outage unrelated to Secret Server can block your access to Secret Server as it no longer can access the underlying encryption key. Read and follow all best practices for soft-delete, purge protection, security domain backup, full backups, and replication.

  • Managed HSM offers the ability to configure automatic key rotation through the CLI.

    We do NOT recommend configuring this setting, as it can disable the previous key after expiration.

    To rotate your key, use the UI to create a new version, and switch Secret Server to the new version. Then after a day, ensure the key rotation was successful, that secrets are readable, and then consider setting an expiration date or disabling the previous version.

  • You are responsible for ensuring that the configured app registration client secret that Secret Server uses to access the key is not expired, and for updating the client secret before it expires.

Amazon Key Management Service

Key Management Service (KMS) is a managed service provided by AWS that allows you to create, manage, and use encryption keys for your applications and services. With KMS, you can create symmetric or asymmetric keys to encrypt and decrypt data. These keys can be used to protect sensitive data such as passwords, credit card numbers, or personally identifiable information (PII).

A KMS key is a cryptographic key used to encrypt and decrypt data stored in Amazon Web Services (AWS) such as S3, EBS, or RDS. KMS keys are stored securely in the AWS Cloud, and you can control access to them by using IAM (Identity and Access Management) policies. You can also use KMS to audit key usage and generate key usage reports.

For details on AWS KMS pricing, see AWS Key Management Service Pricing. Secret Server Cloud requires one AWS key ("CMK"), and the number of requests per month will vary depending on how often secrets are accessed.

Configuring Key Management

To enable key management, you will first create an encryption key with your third-party provider, then an API account that Secret Server will use to access the key. After the external encryption key is set up, you will update Secret Server with the details.

Changing your key management settings will trigger "maintenance mode" and a secret key rotation that will re-encrypt all your secret keys. No one will be able to access secrets until the rotation finishes, and it must finish successfully before further key management changes can be made.

By navigating to Secret Server’s key management page, you can change your key management settings, as well as view the audit history showing all key management updates.
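The key hierarchy from the Introduction (external key protects the master key, which protects a per-secret intermediate key) together with the rotation and failure modes described in the Azure guidelines and in Configuring Key Management, as an added Python example that is not Delinea's code: `ExternalKeyProvider` and `SecretServer` are hypothetical stand-ins for the real provider and product, and the HMAC-based `seal`/`open_` pair is a toy authenticated-encryption construction standing in for the provider's AES-256 key. It shows that rotating to a new key version re-encrypts every secret key while the old version is still readable, that retiring the old version afterwards is safe, and that a revoked credential or a disabled/deleted version makes every secret unreadable.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):               # keystream blocks: HMAC(key, "ks"||nonce||counter)
    return b"".join(hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key: bytes, data: bytes) -> bytes:
    """Toy AEAD (stand-in for the provider's AES-256 key): nonce || data XOR keystream || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("wrapped blob failed authentication (wrong key or tampered)")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ExternalKeyProvider:
    """Hypothetical customer-controlled KMS / Managed HSM: versioned keys behind a revocable credential."""
    def __init__(self):
        self.versions, self.disabled, self.credential_valid = {1: os.urandom(32)}, set(), True
    def new_version(self) -> int:
        self.versions[len(self.versions) + 1] = os.urandom(32)
        return len(self.versions)
    def _key(self, v: int) -> bytes:
        if not self.credential_valid:
            raise PermissionError("Secret Server's credential to the key was revoked")
        if v in self.disabled:
            raise KeyError(f"key version {v} is disabled or deleted")
        return self.versions[v]
    def wrap(self, v, data): return seal(self._key(v), data)
    def unwrap(self, v, blob): return open_(self._key(v), blob)

class SecretServer:
    """Hypothetical model: external key -> master key -> per-secret intermediate key -> secret."""
    def __init__(self, kms: ExternalKeyProvider):
        self.kms, self.version, self.store = kms, 1, {}    # store: name -> (wrapped item key, ciphertext)
        self.wrapped_master = kms.wrap(1, os.urandom(32))  # master key kept only in wrapped form
    def _master(self) -> bytes:                            # every secret access needs the external key
        return self.kms.unwrap(self.version, self.wrapped_master)
    def put(self, name: str, value: bytes) -> None:
        item_key = os.urandom(32)                          # intermediate key unique to this secret
        self.store[name] = (seal(self._master(), item_key), seal(item_key, value))
    def get(self, name: str) -> bytes:
        wrapped_key, ct = self.store[name]
        return open_(open_(self._master(), wrapped_key), ct)
    def rotate(self, new_version: int) -> None:
        # Maintenance-mode rotation: new master, re-encrypt every secret key, wrap master under new version
        old, new = self._master(), os.urandom(32)          # old external version must still be valid here
        self.store = {n: (seal(new, open_(old, wk)), ct) for n, (wk, ct) in self.store.items()}
        self.wrapped_master, self.version = self.kms.wrap(new_version, new), new_version
```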