Secret Vault - Documentation
Permissions and Inheritance
Permissions can be applied at each folder level. All users can create new folders at the root. A user automatically receives Owner access for new folders. Permissions can be given to a User directly, or via a Security Group.
Permissions
The following permissions are available for each user or group on each folder.
- Read: Grants read access to the folder and all secrets directly within the folder.
- Write: Grants access to rename the folder, and update the secrets directly within the folder.
- Create: Grants access to create subfolders and secrets within the folder.
- Delete: Grants access to delete the folder and all secrets directly within the folder.
- Share: Grants access to modify permissions for the folder, and toggle inheritance. Note: This allows users to grant others any level of access, including permissions they do not hold themselves. A user with only Share can therefore hand out Owner access, so treat Share as equivalent to full control when reviewing who has access to a folder.
Roles
The following predefined roles are available; each is a fixed set of the permissions above.
- Owner: Full access (Read, Write, Create, Delete, Share).
- Contributor: Read, Write, and Create access.
- Reader: Read-only access.
- None: No access.
Inheritance
Users with the Share permission for a folder can toggle Inheritance from the Permissions screen. It is On by default, so the parent folder's permissions apply to the folder unless they are explicitly overridden at the folder itself.
Permissions set directly at the folder level take priority over inherited permissions. E.g. if a user has Read: Allow (Inherited) from the parent folder, but Read: Deny for the current folder, the user will effectively have Read: Deny.
Group Permissions
Permissions are additive: a user's access to a folder is the combination of their direct User permission and the permissions of every Group they belong to. Where these conflict, the least restrictive wins: Allow takes priority over Deny. Note: This means a Deny set directly on a user does not block access if any of the user's groups is allowed.
E.g. if a user is directly given Read: Deny to a folder, but via a group is given Read: Allow, the user will effectively have Read: Allow.
This also applies to inherited permissions. E.g. if a user has Read: Allow (inherited) from the parent folder for one Group, but has Read: Deny for another Group, the user will effectively have Read: Allow.
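To make the resolution rules above concrete, the following Python model is an added example written for this page; it is not the product's own code, and the data model (a per-folder ACL keyed by principal and permission, the Inheritance flag, and the assumption that assigning a role writes Allow for its permissions and leaves the others unset) is mine. It resolves one principal at a time (an entry on the folder beats an inherited one, and inheritance stops where the toggle is Off), then combines the user's entry with every group's entry so that Allow wins. It also includes an audit check for the Share caveat: anyone who holds Share without holding every other permission can grant more than they have.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

PERMISSIONS = ("Read", "Write", "Create", "Delete", "Share")

# Predefined roles from the Roles section.
ROLES = {
    "Owner": set(PERMISSIONS),
    "Contributor": {"Read", "Write", "Create"},
    "Reader": {"Read"},
    "None": set(),
}


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    inherit: bool = True  # Inheritance toggle, On by default
    # principal (user or group name) -> permission -> "Allow" | "Deny"
    acl: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def set_permission(self, principal: str, perm: str, value: str) -> None:
        if perm not in PERMISSIONS or value not in ("Allow", "Deny"):
            raise ValueError(f"bad entry {perm}={value}")
        self.acl.setdefault(principal, {})[perm] = value

    def grant_role(self, principal: str, role: str) -> None:
        # Assumption: a role writes Allow for its permissions and leaves the rest unset.
        for perm in ROLES[role]:
            self.set_permission(principal, perm, "Allow")


def principal_value(folder: Folder, principal: str, perm: str) -> Optional[str]:
    """One principal's value for one permission at one folder.

    An entry set directly on the folder wins. Otherwise, if Inheritance is On,
    the parent's value is used (recursively). None means no entry anywhere.
    """
    direct = folder.acl.get(principal, {}).get(perm)
    if direct is not None:
        return direct
    if folder.inherit and folder.parent is not None:
        return principal_value(folder.parent, principal, perm)
    return None


def effective(folder: Folder, user: str, groups: Iterable[str], perm: str) -> Optional[str]:
    """Combine the user's own entry with every group entry: Allow beats Deny."""
    values = {principal_value(folder, p, perm) for p in (user, *groups)}
    if "Allow" in values:
        return "Allow"
    if "Deny" in values:
        return "Deny"
    return None  # no entry for any principal: no access


def effective_permissions(folder: Folder, user: str, groups: Iterable[str]) -> Set[str]:
    """The set of permissions the user effectively holds on the folder."""
    groups = tuple(groups)
    return {p for p in PERMISSIONS if effective(folder, user, groups, p) == "Allow"}


def can_escalate(folder: Folder, user: str, groups: Iterable[str]) -> bool:
    """Audit check: Share lets a user grant others permissions they lack themselves."""
    held = effective_permissions(folder, user, groups)
    return "Share" in held and held != set(PERMISSIONS)


def build_example() -> Dict[str, Folder]:
    """Constructed folder tree reproducing the page's worked examples (not real data)."""
    root = Folder("root")
    projects = Folder("projects", parent=root)
    payments = Folder("payments", parent=projects)

    # Inheritance example: alice has Read Allow inherited from root, Read Deny on projects.
    root.grant_role("alice", "Reader")
    projects.set_permission("alice", "Read", "Deny")

    # Group example 1: bob's direct Deny loses to a group Allow on the same folder.
    projects.set_permission("bob", "Read", "Deny")
    projects.grant_role("developers", "Reader")

    # Group example 2: Allow inherited via one group beats a Deny set via another group.
    root.grant_role("engineering", "Contributor")
    projects.set_permission("operations", "Read", "Deny")

    # Share-only grant, to show the escalation check firing.
    projects.set_permission("dave", "Share", "Allow")
    return {"root": root, "projects": projects, "payments": payments}
```

Run `effective_permissions(f["projects"], "carol", ["engineering", "operations"])` on `f = build_example()` to see the second group example: carol gets Read, Write and Create through the inherited Contributor grant even though the operations group is denied Read on that folder. Turning `payments.inherit` Off removes alice's (denied) entry entirely, which resolves to no access rather than Allow.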
Adding One-Time Password
Time-based One-Time Passwords (TOTP, the mechanism behind authenticator apps) can be added to your secrets to generate a TOTP code for multi-factor authentication.
From any Secret, select More options, and Add One-Time Password.
Enter the One-Time Password Secret Key from the login provider. If a QR code is available, you can use the QR Code button to scan the code.
Note: Refer to the specific type of login below for how to get the Secret Key.
Save to securely store the One-Time Password Secret Key. Reopen the Secret to see the TOTP Code generated every 30 seconds. Copy this to use when logging in with the account.
Microsoft
Obtaining a One-Time Password Secret Key for your Microsoft account is easy with the following steps:
Go to https://aka.ms/mfasetup and log in with your Microsoft account.
Select Add sign-in method.
Select the Authenticator app sign in method.
Select I want to use a different authenticator app when asked whether to use the Microsoft Authenticator.
Note: The Microsoft Authenticator option provides a different QR Code that is not compatible with other apps.
Scan the QR Code using the QR Code button beside the One-Time Password Secret Key field from your Secret.
-Or-
Select Can't scan image? and copy the Secret Key into the One-Time Password Secret Key field.
Select Next and enter the One-Time Password code generated from the Secret after saving, and Next again to complete the setup.
Google
Go to https://myaccount.google.com/two-step-verification/authenticator and log in with your Google account.
Select Set up authenticator.
Scan the QR Code using the QR Code button beside the One-Time Password Secret Key field from your Secret.
-Or-
Select Can't scan it? and copy the setup key into the One-Time Password Secret Key field.
Select Next and enter the One-Time Password code generated from the Secret after saving, and Verify to complete the setup.
Other
Obtaining a One-Time Password Secret Key for other types of logins can vary between different providers.
Any 2FA or MFA that supports TOTP (Time-based One-Time Password) codes can be added. Find the QR Code or Secret Key for setting up an Authenticator App, and enter this into the One-Time Password Secret Key field for your Secret.
Secret Keys must be a valid Base32 string (the characters A to Z and 2 to 7, optionally padded with =). Some providers display the key in lowercase or split into groups with spaces for readability; those spaces are not part of the key.
TOTP codes follow an open standard (RFC 6238) and work with most MFA systems that accept an authenticator app.
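The following Python block is an added example for this page, not the vault's own code, showing what happens between saving a Secret Key and reading a code: the provider-formatted key is normalised into valid Base32 (the requirement stated above), and the 30-second TOTP code is derived from it per RFC 6238 (HMAC-SHA1 HOTP with a time-step counter, 6 digits, which is what the Microsoft and Google flows above use; whether the vault itself uses exactly these parameters is an assumption). It also includes a verifier with a one-step skew window and a constant-time compare, which is the check the login provider performs on the code you paste. The sample key is the RFC 6238 test key, not a real account secret.

```python
import base64
import binascii
import hashlib
import hmac
import re
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # the page says a new code is generated every 30 seconds
DIGITS = 6

# RFC 6238 test vector key (ASCII "12345678901234567890" in Base32). Constructed sample, not a real secret.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def normalize_secret(raw: str) -> str:
    """Turn a provider-formatted setup key into a valid Base32 string.

    Providers often show the key in lowercase and split into groups
    ("gezd gnbv ..."); strip whitespace, uppercase, and restore '='
    padding to a multiple of 8. Anything outside A-Z/2-7 is rejected.
    """
    key = re.sub(r"\s+", "", raw).upper().rstrip("=")
    if not key or not re.fullmatch(r"[A-Z2-7]+", key):
        raise ValueError("secret key is not a valid Base32 string")
    return key + "=" * (-len(key) % 8)


def secret_bytes(raw: str) -> bytes:
    """Decode the normalised key; a length that cannot be Base32 is also rejected."""
    try:
        return base64.b32decode(normalize_secret(raw))
    except binascii.Error as exc:
        raise ValueError("secret key has an invalid Base32 length") from exc


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(raw_secret: str, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is the code the vault shows."""
    now = int(time.time()) if at is None else at
    return hotp(secret_bytes(raw_secret), now // step)


def verify(raw_secret: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """What the login provider does with the pasted code: accept the current step or
    an adjacent one (clock skew), comparing in constant time to avoid leaking digits."""
    now = int(time.time()) if at is None else at
    secret = secret_bytes(raw_secret)
    counter = now // STEP_SECONDS
    candidates = [counter + d for d in range(-window, window + 1) if counter + d >= 0]
    return any(hmac.compare_digest(hotp(secret, c), code) for c in candidates)


if __name__ == "__main__":
    print("current code for the sample key:", totp(SAMPLE_KEY))
```

With the sample key, `totp(SAMPLE_KEY, at=59)` returns the RFC 6238 value `287082`, and `verify` accepts that code at any time from 0 to 89 seconds (one step either side) but rejects it later. The normaliser is what makes a key pasted from Google's "Can't scan it?" screen (lowercase, space-separated) decode to the same bytes as the uppercase key Microsoft shows.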