Securing the Encryption.config File
Security is a process—not a product. Take a look at the Security Hardening Guide to ensure your implementation of Secret Server has optimal security. The guide contains more in-depth recommendations for not only configuring the application in a secure manner but also hardening the server or servers Secret Server is hosted on. That guide complements the information provided here.
One of the most important areas of Secret Server hardening is protecting the encryption.config file that is created during installation. After the product is installed, this file exists in the main \SecretServer\ directory. The unencrypted encryption.config file, together with a backup of your Secret Server database, is all that is needed to bring a Secret Server environment back up and running, which also means that anyone who obtains both can do the same. It is therefore imperative that you protect it. There are two ways to protect encryption.config for on-premises Secret Server and two others for Secret Server Cloud.
Secret Server On-Premises
For an on-premises installation of Secret Server, we recommend protecting your encryption.config file with an HSM. An HSM brings its own operational requirements, so before adopting one be mindful of the following:
- Is the HSM highly available? Secret Server depends on it to unwrap the master key, so an HSM outage is a Secret Server outage.
- Is the HSM capable of handling a high volume of access requests?
- What methods are available for retrieving the key from a backup if the HSM were to fail or be destroyed?
A second, less secure, option for protecting the encryption.config file is to use DPAPI combined with EFS. DPAPI protection is enabled separately on each Web server within your Secret Server cluster, because DPAPI keys are bound to the machine that created them. EFS adds a second layer of file-level encryption, tied to the Windows account that runs the Secret Server application pool. It is worth noting that both protection mechanisms can be defeated by an attacker who logs on interactively to one of Secret Server's Web servers and becomes a local administrator, since that position is enough to run code as the protected account or recover its keys. Give careful consideration to securing remote access (RDP, WinRM and any other remote management channel) to the Secret Server Web servers when leveraging DPAPI and EFS.
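The following PowerShell script is an added example, not Delinea's code, that audits how encryption.config is protected on one Web node: whether EFS is actually on, which EFS certificates can decrypt the file, whether broad groups hold NTFS access to it, and who sits in the local Administrators group (the position from which both DPAPI and EFS are defeated). The install path in `$Path` is an assumption; adjust it to your deployment. Run it elevated on each Web server in the cluster.

```powershell
# Added example, not Delinea's code: audit the protection of encryption.config
# on one Secret Server web node. Run elevated on the node. $Path is an
# assumption; adjust it to your install directory.
param(
    [string]$Path = 'C:\inetpub\wwwroot\SecretServer\encryption.config'
)

$findings = [System.Collections.Generic.List[string]]::new()
$item = Get-Item -LiteralPath $Path -ErrorAction Stop

# EFS marks the file with the Encrypted attribute. DPAPI protection leaves no
# file attribute, so it cannot be confirmed from the file system; check it in
# the Secret Server configuration instead.
$efsOn = ($item.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
if (-not $efsOn) { $findings.Add('EFS is not enabled on encryption.config.') }

# List the EFS certificates that can decrypt the file (owner plus any data
# recovery agents). cipher.exe is the built-in Windows EFS tool.
if ($efsOn) { cipher.exe /c $Path }

# NTFS ACL: broad groups should never hold Allow entries on this file.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$acl = Get-Acl -LiteralPath $Path
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
        $findings.Add("Broad ACE: $($ace.IdentityReference) has $($ace.FileSystemRights).")
    }
}
if (-not $acl.AreAccessRulesProtected) {
    $findings.Add('ACL inherits from the parent directory; break inheritance and grant only the application pool identity and administrators.')
}

# Both DPAPI and EFS fall to a local administrator with an interactive logon,
# so the membership of the local Administrators group is part of the control.
"Local Administrators on $($env:COMPUTERNAME):"
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script reports rather than remediates: breaking ACL inheritance or enabling EFS on the wrong account can lock Secret Server out of its own key, so any change should be made through the Secret Server configuration steps and verified with this audit afterward.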
We recommend storing an unencrypted copy of the encryption.config file for disaster recovery scenarios where the Secret Server Web server is irrecoverable. Make a backup of this file immediately after installation, before securing it with an HSM or DPAPI + EFS; a copy taken afterward is bound to the HSM or to the original server and cannot be restored elsewhere. Store the file on one or more media devices such as a hardware-encrypted USB drive, and keep the device in a secure location, such as a safe. Access to the device should go through a chain-of-custody process in the event of an emergency where the original file is needed.
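The disaster-recovery copy described above, as an added PowerShell example that is not part of Delinea's documentation or product: it refuses to copy a file that is already EFS-encrypted (a DR copy taken after protection is useless on a rebuilt server), copies the plaintext file to the removable drive, verifies the copy by SHA-256 hash, and writes a custody record beside it. `$Source` and `$Drive` are assumptions; set them to your install path and the mounted hardware-encrypted USB drive.

```powershell
# Added example, not Delinea's code: take the disaster-recovery copy of the
# plaintext encryption.config right after installation, before enabling an HSM
# or DPAPI + EFS, and record a hash for the chain-of-custody log.
# $Source and $Drive are assumptions; adjust them to your environment.
param(
    [string]$Source = 'C:\inetpub\wwwroot\SecretServer\encryption.config',
    [string]$Drive  = 'E:\'
)

$src = Get-Item -LiteralPath $Source -ErrorAction Stop

# The DR copy must be the unprotected file. Once EFS is on, the bytes on disk
# are only readable on this server with this account's certificate.
if (($src.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0) {
    throw 'encryption.config is already EFS-encrypted; take the DR copy before enabling EFS.'
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$destDir = Join-Path $Drive "SecretServer-DR-$stamp"
New-Item -ItemType Directory -Path $destDir | Out-Null

$dest = Join-Path $destDir 'encryption.config'
Copy-Item -LiteralPath $Source -Destination $dest

# Hash both copies and fail loudly if they differ (failing media, partial copy).
$srcHash  = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
$destHash = (Get-FileHash -LiteralPath $dest   -Algorithm SHA256).Hash
if ($srcHash -ne $destHash) { throw "Backup hash mismatch: $srcHash vs $destHash" }

# Custody record stored beside the copy; print it for the paper log in the safe.
$record = [ordered]@{
    Host    = $env:COMPUTERNAME
    Source  = $Source
    TakenAt = (Get-Date).ToString('o')
    TakenBy = "$env:USERDOMAIN\$env:USERNAME"
    SHA256  = $srcHash
}
$record | ConvertTo-Json | Set-Content -LiteralPath (Join-Path $destDir 'custody.json')
$record
```

When the device is checked out of the safe, re-run `Get-FileHash -Algorithm SHA256` on the stored copy and compare it with the SHA256 value in custody.json before restoring; a mismatch means the media, not the vault, is the problem.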
Secret Server Cloud
If you are using Secret Server Cloud, there are two main methods for protecting your encryption.config file:
- Delinea owns your encryption.config file and is responsible for keeping it secure. We put internal mechanisms in place to ensure that Delinea does not have access to your data without your explicit permission. Refer to the Trust Center for more information.
- You configure a connection to AWS KMS to protect the encryption.config file. The master key is stored in AWS, under your complete control and inaccessible to Delinea staff. See AWS Key Management in Secret Server Cloud for more details.