Erasing Secrets

Erasing a secret permanently destroys (scrambles) the secret's data and makes the secret less visible to both users and admins. However, users who have access to inactive secrets can still see the erased secret in the folder view, so auditors and other secret users can confirm the data destruction.

Erasure is primarily for regulatory compliance. Deactivation is for day-to-day operations.

Erasing and deactivating secrets are not the same thing. When deactivated, secrets are not removed forever. This maintains an audit trail for secrets, even ones that are no longer used. Administrators or users with specific permissions can view or even reactivate deactivated secrets. See Deactivating and Reactivating Secrets for details.

We strongly recommend against erasing large numbers of secrets, which negatively affects performance over time. Verify Privilege Vault is not designed to handle large numbers of erasures. Erased secrets continue to use database table resources forever even though their data is destroyed. In short, erasure is not for cleaning up the secret database.

Ownership and the Erase Secret permission are required to erase a secret. In addition, the erasure must go through an approval process. Users cannot approve their own erasure.

These instructions assume you know the basics of access requests, groups, roles, and permissions. We also suggest reading the introductory material for Workflow Overview if you are not familiar with it.

Task 1: Configuring Secret Erase

If secret erasure is already configured on this server and you are in the Secret Erasers group, you can skip to Task 2.
  1. Ensure that you have a workflow license for Verify Privilege Vault.

  2. Go to Admin > Roles in Verify Privilege Vault.

  3. Create a new role named "Secret Erase Requester" or "Secret Erase Administrator" (see Creating Roles for details), assigning it the "Erase Secret" permission:

    You can name the role anything you desire, but we recommend the above for clarity.


    The "Erase Secret" role permission allows users with the role to create secret erase requests and view secret erase administration pages.

  4. Go to Admin > Groups. The Groups tab of the User Management page appears.

  5. Create a group named "Secret Erasers" and give it the "Secret Eraser" role.

  6. Click the Members tab to add yourself to the Secret Erasers group.

  7. Go to Admin > Workflows.

  8. Create a "Secret Erase Requests" workflow template, assigning it the Secret Erase Request type. The Designer tab for the new workflow appears.

  9. Assign one or more users or groups as approvers by typing each in the search text box in the Add Groups / Users section and then clicking your choice when it appears. It then appears in the Approvers list box.

    We chose to have the approvers be the same group as those that can make the requests, but you can choose any groups or users you like or make a group just for approvals. The important thing is the same user cannot both make the request and approve it—that way, a single person cannot make an irreversible, potentially very harmful, mistake.
  10. Click the Save button.

  11. Go to Admin > Configuration.

  12. Click the Security tab.

  13. Click the Edit button at the bottom of the page. The page becomes editable.

  14. Click to select the Enable Secret Erase check box in the Secret Erase section. The Secret Erase Workflow dropdown list appears.

  15. Click the Secret Erase Workflow dropdown list and select Secret Erase Request.

  16. Click the Save button. Secret Erase is now set up.
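
The approver note in step 9 has a practical consequence: because users cannot approve their own erasure, a requester who is also the only approver can never get a request approved. The following Python check is an added example, not part of Verify Privilege Vault; the group names "Erase Approvers" and "Security Leads", the user names, and all membership data are constructed for illustration.

```python
# Added example: find requesters whose erase requests nobody else can approve.
# All group and user names below are constructed sample data (assumptions).

def expand(principal, groups, seen=None):
    """Resolve a user or (possibly nested) group name to a set of user names."""
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}          # not a known group, so treat it as a user
    if principal in seen:
        return set()                # guard against cyclic group nesting
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users

def stranded_requesters(requesters, approvers, groups):
    """Return requesters with no eligible approver other than themselves."""
    requester_users = set()
    for principal in requesters:
        requester_users |= expand(principal, groups)
    approver_users = set()
    for principal in approvers:
        approver_users |= expand(principal, groups)
    # A user cannot approve their own erasure, so exclude them from the pool.
    return sorted(u for u in requester_users if not (approver_users - {u}))

# Constructed case 1: the same single-member group requests and approves.
SOLO = {"Secret Erasers": ["alice"]}
# Constructed case 2: the same group, but with two members.
PAIR = {"Secret Erasers": ["alice", "bob"]}
# Constructed case 3: a dedicated (hypothetical) approver group that nests
# another group whose only member is also a requester.
NESTED = {
    "Secret Erasers": ["alice", "bob"],
    "Erase Approvers": ["Security Leads"],
    "Security Leads": ["bob"],
}

if __name__ == "__main__":
    print(stranded_requesters(["Secret Erasers"], ["Secret Erasers"], SOLO))
    print(stranded_requesters(["Secret Erasers"], ["Secret Erasers"], PAIR))
    print(stranded_requesters(["Secret Erasers"], ["Erase Approvers"], NESTED))
```

An empty result means every requester has at least one other person who can approve the request.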

Task 2: Erasing a Secret

  1. Ensure the secret you intend to erase meets the following requirements. The secret:

    • Is inactive
    • Is owned by you
    • Does not have a pending secret erase request
    • Is not double-locked
    • Is not checked out by another user
    • Is not a discovery secret
    • Is not a domain sync secret
  2. For purposes of this instruction, create a secret for testing in your personal folder. For now, do not use an existing one to ensure all the requirements are met.

  3. You can erase the secret via a dashboard bulk operation or from the More button on the top right of the secret itself. For a bulk operation, erase is accessed by the Bulk Actions button. Erase Secrets is in the Security section of the Bulk Actions popup. See Running Dashboard Bulk Operations.

    If the "Erase Secrets" link does not appear in the Security section (when erasing from the dashboard) or "Erase" is not available on the More button (when erasing from the General tab), you may not have properly configured secret erase (see Task 1) or the secret might not meet one of the requirements above.
  4. When you click the Erase Secrets link, the Erase Secrets popup appears.

    Here, you are essentially setting up an erase secrets request. The access request is sent to the users or user group you designated earlier.

  5. Use the calendar and time widgets to set the Erase After Date. It must be a minimum of 24 hours away to give the erase secrets request time to process. If you set it to less than that, you cannot continue the process.

  6. Type your reasoning for permanently erasing the secret or secrets in the Reason text box. This is not tedium—the granter will need this to decide whether to let you take this irreversible, destructive action. Specifically, explain why a deactivation is not sufficient.

  7. Click the Erase button. A confirmation popup appears.

  8. Pause a second, and make sure you are sure.

  9. Click the Erase Secrets Forever button.

  10. When the erase request is approved, the secret or secrets will be erased by an automated process after the "erase after" date and time arrives.