Secret Store: Store and Access Secrets

Create and manage secret keys stored in AWS and BeyondTrust DevOps Secrets Safe (DSS) to securely store encryption keys and site data. To add a secret store, select the store from the dropdown, and then click Add Store. Provide and save the information for the store as shown in the steps below.


Add AWS Secret Store

  1. Provide the Access Key ID, Secret Access Key, and Region.
  2. Check the Rotate Access Key box only if you are not using the credential in any other system.
  3. Click Save Store.


Add BeyondTrust DevOps Secrets Safe Store

  1. Enter the URL for your DSS instance.
  2. Provide the Application Name you configured within DSS.
  3. Provide the API key generated within DSS for the application.
  4. Enter the Secrets Scope you configured with permissions within DSS.
  5. If using a self-signed certificate in DSS, add the Trusted Certificate. If using a CA certificate, you do not need to provide a trusted certificate.
  6. Click Save Store.


After a secret store is added, click Test to verify connectivity to the secret store server, and to ensure correct permissions are in place for the credentials to access the secret store server.


Edit KMIP Secret Store in /appliance

Configuring a KMIP server for an encryption store is no longer supported in version 6.0 and later. If you configured a KMIP server for your encryption prior to version 6.0, it is migrated to the Secret Store list, where you may edit, delete, and test it.




For added security, configure your AWS Identity and Access Management (IAM) Policy so that the following permissions are limited to resources matching BeyondTrust-*:
  • DescribeSecret
  • GetSecretValue
  • TagResource
  • UntagResource
  • CreateSecret
  • DeleteSecret
  • UpdateSecret

For more information on managing AWS IAM Policies, see Managing IAM Policies.
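
The scoping described above, as an added example (not BeyondTrust's or AWS's own code): it builds a policy restricted to the listed permissions on BeyondTrust-* secrets and audits a policy for anything broader. It assumes the listed permissions are AWS Secrets Manager actions under the `secretsmanager:` prefix; the region and account ID are constructed placeholder values.

```python
import json

# Assumption: the seven permissions listed above are AWS Secrets Manager
# actions, so they carry the "secretsmanager:" prefix in a policy.
ACTIONS = ("DescribeSecret", "GetSecretValue", "TagResource", "UntagResource",
           "CreateSecret", "DeleteSecret", "UpdateSecret")
ALLOWED = {f"secretsmanager:{a}".lower() for a in ACTIONS}
NAME_PREFIX = "BeyondTrust-"  # resource name prefix given on the page


def scoped_policy(region, account_id):
    """Build a policy granting only the listed actions on BeyondTrust-* secrets."""
    arn = f"arn:aws:secretsmanager:{region}:{account_id}:secret:{NAME_PREFIX}*"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": [f"secretsmanager:{a}" for a in ACTIONS],
        "Resource": arn,
    }]}


def _as_list(value):
    # IAM accepts either a single value or a list for these fields.
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return findings for Allow statements broader than the scoping above."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED:  # IAM action names are case-insensitive
                findings.append(f"statement {i}: action {action} is not in the listed set")
        for res in _as_list(stmt.get("Resource", [])):
            # Secret name is the 7th ARN field: arn:aws:secretsmanager:region:acct:secret:NAME
            parts = res.split(":", 6)
            name = parts[6] if len(parts) == 7 else ""
            if not name.startswith(NAME_PREFIX):
                findings.append(f"statement {i}: resource {res} is not limited to {NAME_PREFIX}*")
    return findings


# Constructed sample of an over-broad policy, for comparison.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}}

if __name__ == "__main__":
    print(json.dumps(scoped_policy("us-east-1", "111122223333"), indent=2))
    print("\n".join(audit(BROAD_POLICY)))
```

The audit covers only `Action` and `Resource` in Allow statements; statements using `NotAction` or `NotResource` need separate review.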

If you delete the last remote store, a message displays indicating secrets will be moved locally.