Credential Vault encryption
- Updated: 2024/10/09
The Automation 360 platform offers the embedded Credential Vault and provides an extensive set of safeguards to protect data at rest and in transit, and also while it is in use on individual systems.
Encryption keys and vault
During the Automation 360 installation process, the system generates an RSA 2048 bit public/private key pair and an AES 256 bit key. The private key of the RSA 2048 pair is referred to as the Master Key, while the AES 256 key is referred to as the Data Key. The Master Key is presented to the installing administrator for safekeeping in a physically secure location off system. The public key is used to encrypt the Data Key. Both the public key and the encrypted Data Key are then stored in the database.
During Automation Anywhere Control Room startup or reboot, the administrator is prompted to supply the Master Key. The encrypted Data Key is retrieved from the database and decrypted using the Master Key. The Data Key is now ready for use. As the system stores and retrieves data from the Credential Vault, the Data Key is used to encrypt and decrypt that data.
The vault is used to store all system-managed credentials and critical system configuration data. It can also be used to store any other sensitive data used in an organization's automations. As a result, bot builders can avoid the insecure practice of hard-coding credentials and other sensitive data or arguments directly within their automations.
Multi-layer authentication and fine-grained access control are essential for a tightly controlled environment. So is end-to-end data protection, which is also necessary to maintain the confidentiality and integrity of business-critical processes, sensitive data, and related credentials.
- Master Key
- This RSA-2048 bit key is managed and securely stored on a key management system. This key unlocks the Credential Vault. For On-Premises deployments, when the Credential Vault mode is set to manual and the Control Room cache service is restarted from all nodes, the administrator types the Master Key each time the Control Room is started. When the vault is open, the Master Key is immediately erased from memory and it is not stored anywhere in the Automation Anywhere platform.
Note:
- On-Premises: Customers own the Master Key and need to ensure that the key is securely stored and maintained. See Configure Credential Vault Connection mode.
- Cloud: Automation Anywhere owns the Master Key and ensures that the key is securely stored and maintained.
- Data encryption key
- This AES-256 bit key is stored in the Control Room database and is used to encrypt and decrypt the credentials at the time of storage or provisioning. This key is encrypted using the Master Key. The Data encryption key does not leave the Credential Vault at any time. Credential encryption and decryption are done at the Credential Vault.
Protection of data at rest
In addition to encrypting local credentials and select runtime data used by bots, the Credential Vault provides secure storage for sensitive configuration parameters and details pertaining to the platform's integrated version control and email services.