
Securing secrets (e.g. API and encryption keys) with Centrify Privilege Service

11 April,19 at 11:50 AM

You may be familiar with storing shared account passwords in Centrify Privilege Service (CPS) and retrieving them via password checkout. But did you know that, in addition to passwords, CPS can now also store secrets such as API keys/tokens and encryption keys? This short article describes how to store these secrets and make them available for use, while protecting them with role-based access control (RBAC) and multifactor authentication (MFA).


Note:  This is a preview of a CPS 17.6 feature, coming soon!


Step 1 - Adding a Secret

Log into Centrify Privilege Service and, under the Infrastructure tab, look for the new "Secrets" feature. Select it and then click "Add Text" (for a string value such as an API key) or "Add File" (for a file such as an encryption key in a particular format).




In this example, we're storing an API key, so we'll choose "Add Text". Give it a name and paste the string value of the secret:



Click Save to store the secret.


Step 2 - Securing secrets - Access Control and MFA

In this example, we want to control who can access this API key from the CPS interface. Let's restrict it to only the developers working on a project called "Project X". I've already created a role within CPS that has the members of the developer team associated with it. To restrict access to the secret:

i. Click on the secret

ii. Select Permissions --> Click Add

iii. Choose the Role - in this case "Project X - Developer" and click Add




iv. Finally, select the Role, grant it the "Retrieve Secret" right, and click Save. (Optionally grant the "Edit" right as well, if you want the role to be able to change the secret. Grant only the rights the role actually needs; a role that just consumes the key does not need "Edit".)




Optionally, you can set an MFA policy that requires a multifactor authentication challenge to be satisfied before access to the secret is granted. To configure it, click the "Policy" tab and set the policy to your liking. For brevity, I simply set the Default Secret Access Challenge to the MFA policy I use for demos:



Step 3 - Retrieving a Secret

Select the secret and, using the Actions button, choose Retrieve.



If MFA has been configured, you must satisfy the MFA challenge, verifying that you are an authorized individual, before continuing:



You can choose to hide or show the text, or copy it to the clipboard.
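To make the access decision behind Steps 2 and 3 concrete, here is a small model of the gate the article configures through the UI: a secret carries per-role rights ("Retrieve Secret" and "Edit") and an MFA requirement, and a retrieve or edit is allowed only when the caller holds the right through one of its roles and, if the policy demands it, has passed the MFA challenge. This is an added illustration, not Centrify code and not a client of the CPS API; the in-memory store, the role "Project X - Developer", the user names and the key value are all constructed for the example. It also shows two practitioner habits the article's screens imply: audit records never contain the secret value, and an unknown secret name is reported exactly like a missing right so callers cannot enumerate what exists.

```python
"""Model of the RBAC + MFA gate the article configures in the CPS UI (added example).

Not Centrify code: the store, role, users and key value are constructed here.
"""
from dataclasses import dataclass, field
import hashlib

RETRIEVE = "Retrieve Secret"   # right granted in Step 2 (iv)
EDIT = "Edit"                  # optional right granted in Step 2 (iv)


class AccessDenied(Exception):
    pass


@dataclass
class Secret:
    name: str
    value: str
    permissions: dict = field(default_factory=dict)  # role -> set of rights
    require_mfa: bool = True  # models the Default Secret Access Challenge (Policy tab)


@dataclass
class Principal:
    user: str
    roles: set
    mfa_satisfied: bool = False  # True once the Step 3 challenge has been passed


class SecretStore:
    """In-memory stand-in for the Secrets feature (hypothetical, for illustration)."""

    def __init__(self):
        self._secrets = {}
        self.audit = []  # who / which secret / which right / outcome, never the value

    def add_text(self, name, value, require_mfa=True):
        self._secrets[name] = Secret(name, value, require_mfa=require_mfa)

    def grant(self, name, role, *rights):
        self._secrets[name].permissions.setdefault(role, set()).update(rights)

    def _authorize(self, principal, name, right):
        secret = self._secrets.get(name)
        # Rights are the union over the caller's roles. An unknown name yields an
        # empty set and therefore the same error as a missing right.
        granted = set()
        if secret is not None:
            for role in principal.roles:
                granted |= secret.permissions.get(role, set())
        if right not in granted:
            self._log(principal, name, right, "denied: right not granted")
            raise AccessDenied(f"{right} on {name!r} denied")
        if secret.require_mfa and not principal.mfa_satisfied:
            self._log(principal, name, right, "denied: MFA challenge not satisfied")
            raise AccessDenied(f"{right} on {name!r} requires MFA")
        return secret

    def retrieve(self, principal, name):
        secret = self._authorize(principal, name, RETRIEVE)
        self._log(principal, name, RETRIEVE, "allowed")
        return secret.value

    def edit(self, principal, name, new_value):
        secret = self._authorize(principal, name, EDIT)
        secret.value = new_value
        self._log(principal, name, EDIT, "allowed")

    def _log(self, principal, name, right, outcome):
        self.audit.append({"user": principal.user, "secret": name,
                           "right": right, "outcome": outcome})


def fingerprint(value):
    """Short digest for logs or a 'hidden' display of a retrieved value."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def demo():
    store = SecretStore()
    key = "api-key-constructed-for-example-0123"  # constructed value, not a real key
    store.add_text("Project X API key", key)
    store.grant("Project X API key", "Project X - Developer", RETRIEVE)  # no Edit right

    alice = Principal("alice", {"Project X - Developer"}, mfa_satisfied=True)
    alice_no_mfa = Principal("alice", {"Project X - Developer"})
    bob = Principal("bob", {"Project Y - Developer"}, mfa_satisfied=True)

    results = {"alice": store.retrieve(alice, "Project X API key")}
    attempts = [
        ("alice_no_mfa", lambda: store.retrieve(alice_no_mfa, "Project X API key")),
        ("bob", lambda: store.retrieve(bob, "Project X API key")),
        ("alice_edit", lambda: store.edit(alice, "Project X API key", "new-value")),
        ("alice_unknown", lambda: store.retrieve(alice, "Does not exist")),
    ]
    for label, attempt in attempts:
        try:
            attempt()
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    return results, store.audit


if __name__ == "__main__":
    outcome, log = demo()
    for label, result in outcome.items():
        print(f"{label:14} {fingerprint(result) if label == 'alice' else result}")
    for entry in log:
        print(entry)
```

Only alice with a satisfied MFA challenge gets the key; the same user without MFA, a user outside the role, an edit attempt by a role that only holds "Retrieve Secret", and a request for a nonexistent secret are all refused, and the audit trail records each decision without the value.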




In summary, Centrify Privilege Service allows you to store secrets such as API keys, tokens and encryption keys, and to make them available only to authorized individuals using role-based access control and multifactor authentication.