Credential Vault encryption

The Automation 360 platform offers the embedded Credential Vault and provides an extensive set of safeguards to protect data at rest and in transit, but also while it is in use on individual systems.

Encryption keys and vault

During the Automation 360 installation process, the system generates an RSA 2048-bit public/private key pair and an AES 256-bit key. The private key of the RSA pair is referred to as the Master Key, while the AES key is referred to as the Data Key. The Master Key is presented to the installing administrator for safekeeping in a physically secure location off the system. The public key is used to encrypt the Data Key. Both the public key and the encrypted Data Key are then stored in the database. When in use, all keys and encrypted data are placed in encrypted secure memory using the Microsoft Data Protection API (DPAPI).

During Automation Anywhere Control Room startup or reboot, the administrator is prompted to supply the Master Key. The encrypted Data Key is retrieved from the database and decrypted using the Master Key. The Data Key is now ready for use. As the system stores and retrieves data from the Credential Vault, the Data Key is used to encrypt and decrypt that data.

The Credential Vault is used to store all system-managed credentials and critical system configuration data. It can also be used to store any other sensitive data used in an organization's automations. As a result, bot builders can avoid the insecure practice of hard-coding credentials and other sensitive data or arguments directly in their automations.

Multi-layer authentication and fine-grained access control are essential for a tightly controlled environment. So is end-to-end data protection, which is also necessary to maintain the confidentiality and integrity of business-critical processes, sensitive data, and related credentials.

Master Key
This RSA 2048-bit key is managed and securely stored on a key management system. This key unlocks the Credential Vault. For On-Premises deployments, when the Credential Vault mode is set to manual and the Control Room cache service is restarted on all nodes, the administrator types the Master Key each time the Control Room is started. Once the vault is open, the Master Key is immediately erased from memory; it is not stored anywhere in the Automation Anywhere platform.
Note:
  • On-Premises: Customers own the Master Key and need to ensure that the key is securely stored and maintained.
  • Cloud: Automation Anywhere owns the Master Key and ensures that the key is securely stored and maintained.
Data encryption key
This AES 256-bit key is stored in the Control Room database and is used to encrypt and decrypt credentials at the time of storage or provisioning. This key is itself encrypted using the Master Key. The Data encryption key never leaves the Credential Vault; credential encryption and decryption are performed inside the Credential Vault.
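The installation and startup flow described above (Encryption keys and vault, Master Key, Data encryption key), as an added Go example that is not Automation Anywhere's code: the Data Key is wrapped with the public key at installation, unwrapped with the Master Key at startup, and then used to encrypt individual credentials. The wrapping scheme (RSA-OAEP with SHA-256), the AES-GCM record format and all names are assumptions; the platform's DPAPI-protected memory handling is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// VaultRecord is what the database persists: the public key and the wrapped Data Key. The Master Key is never stored.
type VaultRecord struct{ PublicKey *rsa.PublicKey; WrappedDataKey []byte }

// Install mirrors installation: generate an RSA-2048 pair and a random AES-256 Data Key, wrap the
// Data Key with the public key (RSA-OAEP/SHA-256 is an assumed wrapping scheme), return the Master Key.
func Install() (*rsa.PrivateKey, *VaultRecord, error) {
	master, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	dataKey := make([]byte, 32) // 256-bit Data Key
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil { return nil, nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &master.PublicKey, dataKey, nil)
	if err != nil { return nil, nil, err }
	return master, &VaultRecord{&master.PublicKey, wrapped}, nil
}

// OpenVault mirrors Control Room startup: the administrator-supplied Master Key unwraps the Data Key and is then dropped.
func OpenVault(master *rsa.PrivateKey, rec *VaultRecord) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, master, rec.WrappedDataKey, nil)
}

func gcm(dataKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts one credential with the Data Key (AES-256-GCM, random nonce prepended).
func Seal(dataKey, plain []byte) ([]byte, error) {
	g, err := gcm(dataKey)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plain, nil), nil
}

// Unseal decrypts and authenticates a record from Seal; a modified ciphertext fails the GCM tag check.
func Unseal(dataKey, ct []byte) ([]byte, error) {
	g, err := gcm(dataKey)
	if err != nil { return nil, err }
	if len(ct) < g.NonceSize() { return nil, io.ErrUnexpectedEOF }
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
```

Only the VaultRecord would be written to the database; the Master Key returned by Install is what the administrator keeps off the system, and OpenVault cannot succeed without it.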

Protection of data at rest

In addition to encrypting local credentials and select runtime data used by bots, the Credential Vault provides secure storage for sensitive configuration parameters and details pertaining to the integrated version control and email services.