Vault Settings
The Vault Settings provide options to view and modify the default settings for the following:
- Vault Root Folder
  - Rotation Policy
- Vault Restrictions
  - Max Allowed Rotation Frequencies
- Activity Log
- Add Pangea Tokens to Vault
- IP Allow List
  - IPs allowed to access Vault
To access Vault Settings, click Settings in the left navigation menu of the Vault service.
Vault Root Folder Settings
Configure the rotation policy settings to be used for Vault items in the root folder and click Save.
Key Points:
- Automatic Key Rotation - This feature ensures that keys are regularly updated, enhancing security and compliance.
- State Management - The policy allows you to control the accessibility and lifecycle of previous key versions.
- Options for Superseded Keys - Choose between deactivation (for auditing) or destruction (for permanent removal).
Additional Information:
- Current Key: The active key version used for encryption and decryption operations.
- Key Rotation Process:
  - A new key version is generated.
  - The current key version becomes the previous key version.
  - The designated state (deactivated or destroyed) is applied to the previous key version.
You can configure Vault folders to inherit settings from their parent, or to have their own specific settings.
The default settings that can be specified are as follows:
- Rotation policy
  - Rotate Every
    - Definition: The interval after which a Vault item is rotated automatically.
    - Frequency Options: The interval can be specified in years, months, weeks, or days.
    - The longest interval accepted for Rotate Every defaults to three years; this limit can be changed in the Vault Restriction Settings.
  - Rotated key state
    - Definition: The state assigned to the previous version of a Vault item after it has been rotated and is no longer the active version.
    - Available States:
      - Deactivated (default): The key can no longer be used for encryption or decryption, but remains in the Vault for auditing or historical purposes.
      - Destroyed: The key is permanently removed from the Vault and cannot be recovered.
  - Grace Period (Pangea tokens only)
    - Definition: The period after rotation during which the previous version of a Pangea token is still accepted as valid, so that clients have time to switch to the new token.
    - Grace Period Options: The Grace Period can be specified in years, months, weeks, or days.
Encryption Key Settings
These settings manage the rotation policy for encryption key Vault items. You can specify the frequency of key rotation and the rotated key state.
Signing Key Settings
These settings manage the rotation policy for signing key Vault items. You can specify the frequency of key rotation and the rotated key state.
JWT Key Settings
These settings manage the rotation policy for JSON Web Token (JWT) key Vault items. You can specify the frequency of JWT key rotation and the rotated JWT key state.
Pangea Token Settings
These settings manage the rotation policy for Pangea token Vault items. You can specify the frequency of Pangea token rotation and the Grace Period for rotated Pangea tokens.
Vault Restriction Settings
Configure the maximum allowed rotation interval for each type of Vault item and then click Save.
Security and compliance requirements provide guidance on how often keys, secrets, and tokens should be rotated. Use Vault Restriction Settings to set the longest period each type of Vault item may go without rotation; a rotation policy on a folder or item cannot set Rotate Every to a longer interval than the restriction for that item type.
Encryption Key Restrictions
Specify the maximum allowed rotation interval for encryption key Vault items.
Signing Key Restrictions
Specify the maximum allowed rotation interval for signing key Vault items.
JWT Key Restrictions
Specify the maximum allowed rotation interval for JSON Web Token (JWT) key Vault items.
Pangea Token Restrictions
Specify the maximum allowed rotation interval for Pangea token Vault items.
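The rotation lifecycle described under Vault Root Folder Settings (new version generated, previous version deactivated or destroyed, a grace period for tokens) and the maximum-interval check described under Vault Restriction Settings, as an added model. This is illustrative code written for this page, not Pangea's implementation: the class names, the `pangea_token` kind string and the three-year default are assumptions chosen to match the text.

```python
"""Model of a Vault rotation policy: version lifecycle, rotated-key state,
token grace period and the Vault Restriction maximum interval (illustration only)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class State(Enum):
    ACTIVE = "active"            # current version, used for all operations
    DEACTIVATED = "deactivated"  # superseded, kept for audit, not usable
    DESTROYED = "destroyed"      # superseded and permanently removed


@dataclass
class RotationPolicy:
    rotate_every: timedelta                   # "Rotate Every"
    rotated_state: State = State.DEACTIVATED  # "Rotated key state"
    grace_period: timedelta = timedelta(0)    # tokens only: old version still accepted


# Vault Restriction default (assumed): nothing may go more than three years without rotation.
DEFAULT_MAX_INTERVAL = timedelta(days=3 * 365)


def check_policy(policy: RotationPolicy, max_interval: timedelta = DEFAULT_MAX_INTERVAL) -> None:
    """Reject a policy that violates the Vault Restriction settings."""
    if policy.rotate_every > max_interval:
        raise ValueError(f"Rotate Every of {policy.rotate_every.days}d exceeds "
                         f"the {max_interval.days}d maximum without rotation")
    if policy.rotated_state is State.ACTIVE:
        raise ValueError("a superseded version cannot remain active")


def policy_allowed(policy: RotationPolicy, max_interval: timedelta = DEFAULT_MAX_INTERVAL) -> bool:
    try:
        check_policy(policy, max_interval)
        return True
    except ValueError:
        return False


@dataclass
class Version:
    number: int
    state: State
    created_at: datetime
    valid_until: Optional[datetime] = None  # end of grace period (tokens only)


@dataclass
class VaultItem:
    kind: str  # "encryption_key", "signing_key", "jwt_key" or "pangea_token" (assumed names)
    policy: RotationPolicy
    versions: List[Version] = field(default_factory=list)

    def current(self) -> Version:
        return next(v for v in self.versions if v.state is State.ACTIVE)

    def rotation_due(self, now: datetime) -> bool:
        return now >= self.current().created_at + self.policy.rotate_every

    def rotate(self, now: datetime) -> Version:
        """A new version is generated; the current one becomes 'previous' and
        receives the policy's rotated state (plus a grace period for tokens)."""
        previous = self.current()
        new = Version(previous.number + 1, State.ACTIVE, now)
        if self.policy.rotated_state is State.DESTROYED:
            self.versions.remove(previous)  # gone for good, cannot be recovered
        else:
            previous.state = State.DEACTIVATED
            if self.kind == "pangea_token" and self.policy.grace_period:
                previous.valid_until = now + self.policy.grace_period
        self.versions.append(new)
        return new

    def is_usable(self, number: int, now: datetime) -> bool:
        """The active version always; a rotated token only inside its grace period."""
        v = next((v for v in self.versions if v.number == number), None)
        if v is None or v.state is State.DESTROYED:
            return False
        if v.state is State.ACTIVE:
            return True
        return v.valid_until is not None and now < v.valid_until


def new_item(kind: str, policy: RotationPolicy, created_at: datetime) -> VaultItem:
    check_policy(policy)
    return VaultItem(kind, policy, [Version(1, State.ACTIVE, created_at)])


def run_scenarios() -> dict:
    """Walk a key (deactivate), a JWT key (destroy) and a token (grace) through one rotation."""
    t0 = datetime(2024, 1, 1)  # constructed timeline
    key = new_item("encryption_key", RotationPolicy(timedelta(days=90)), t0)
    key.rotate(t0 + timedelta(days=90))
    jwt = new_item("jwt_key", RotationPolicy(timedelta(days=30), State.DESTROYED), t0)
    jwt.rotate(t0 + timedelta(days=30))
    tok = new_item("pangea_token",
                   RotationPolicy(timedelta(days=365), grace_period=timedelta(days=7)), t0)
    t1 = t0 + timedelta(days=365)
    tok.rotate(t1)
    return {
        "key_versions": [(v.number, v.state.value) for v in key.versions],
        "jwt_versions": [(v.number, v.state.value) for v in jwt.versions],
        "key_v1_usable": key.is_usable(1, t0 + timedelta(days=91)),
        "token_v1_in_grace": tok.is_usable(1, t1 + timedelta(days=3)),
        "token_v1_after_grace": tok.is_usable(1, t1 + timedelta(days=8)),
        "token_v2_usable": tok.is_usable(2, t1 + timedelta(days=8)),
        "key_due_again": key.rotation_due(t0 + timedelta(days=180)),
    }
```

The model makes the practical difference between the two rotated states visible: with Deactivated the old version stays in the list (unusable, but auditable), with Destroyed it vanishes, so anything still referencing version 1 fails immediately. The token grace period is the window in which a consumer holding the old token keeps working; pick it long enough to redeploy every client, and no longer.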
Activity Log
This setting lets you record Vault activity in Secure Audit Log for security and compliance.
The Activity Log makes an entry every time there is a change (i.e. an item is created, updated, deleted or destroyed) in the following categories:
- Keys
- Secrets
- Pangea Tokens
Add Pangea Tokens to Vault
Enabling this setting will ensure that all new Pangea tokens are added to the Vault as part of the token creation process. By default, it is set to Enabled.
IP Allow List
Restrict access to specific IP addresses, ranges, or subnets. By default, it is set to Disabled. Toggle the switch to enable or disable this setting; the change is saved automatically. Make sure the address you are connecting from is covered by an entry before you enable the list, or you will lock yourself out of the Secrets & Keys page.
Each allowed IP entry must be a single IP, a CIDR, or an IP range.
If your current address is not covered by any entry, the IP Allow List window displays the following warning:
Current IP Address not Allowed
Your IP Address is not within your allowed IP Addresses. To access the Secrets & Keys page you must include your current IP.
IP Address: XX.XX.XXX.XX +
Click the + sign next to the displayed address and then Save to add your own address to the allow list. Otherwise, click + IP Address to add a different allowed entry.
The warning is cleared once your address is covered by an entry of any of the three forms (single IP, CIDR, or IP range).
Allowed IP Addresses: Click + IP Address to add an allowed IP address. In the Add IP address window, enter the IP address inside the IP address box.
The following IP addresses/entries are allowed:
- 192.168.0.1 (single IP)
- 192.168.0.0/24 (CIDR)
- 192.168.0.100 - 192.168.0.200 (IP range)
Now, click Save to see the IP address listed in the Allowed IP Addresses pane.
To remove an IP address from the Allowed IP Addresses pane, hover your mouse over the IP address and click (⊖).
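The three entry forms above, parsed and matched the way the allow list applies them, as an added example written for this page (not Pangea's code). It uses only the Python standard library `ipaddress` module; the sample entries and client addresses are constructed from documentation address ranges, and the `safe_to_enable` check is an assumption that mirrors the console's "Current IP Address not Allowed" warning.

```python
"""Parse Vault IP Allow List entries (single IP, CIDR, IP range) and check
whether a client address is covered. Illustration only, not Pangea's code."""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_entry(entry: str) -> List[Network]:
    """Expand one allow-list entry into the network(s) it covers."""
    text = entry.strip()
    if "-" in text:  # IP range, e.g. "192.168.0.100 - 192.168.0.200" (inclusive)
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid IP range: {entry!r}")
        return list(ipaddress.summarize_address_range(lo, hi))
    if "/" in text:  # CIDR; strict=True rejects host bits set, e.g. 192.168.0.1/24
        return [ipaddress.ip_network(text, strict=True)]
    # single IP becomes a /32 (or /128) network
    return [ipaddress.ip_network(str(ipaddress.ip_address(text)))]


def invalid_entries(entries: List[str]) -> List[str]:
    """Return the entries that would be refused (bad range, host bits in CIDR, garbage)."""
    bad = []
    for e in entries:
        try:
            parse_entry(e)
        except ValueError:
            bad.append(e)
    return bad


def build_allow_list(entries: List[str]) -> List[Network]:
    nets: List[Network] = []
    for e in entries:
        nets.extend(parse_entry(e))
    return nets


def is_allowed(client_ip: str, allow_list: List[Network]) -> bool:
    """True if the client address falls inside any allowed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == n.version and ip in n for n in allow_list)


def safe_to_enable(current_ip: str, entries: List[str]) -> bool:
    """Mirror the console warning: only enable the list if the address you
    are coming from is covered, otherwise you lock yourself out."""
    return is_allowed(current_ip, build_allow_list(entries))


# Constructed sample entries, one of each accepted form.
SAMPLE_ENTRIES = ["203.0.113.7", "10.0.0.0/8", "192.168.0.100 - 192.168.0.200"]
```

Two details matter in practice: a range is inclusive at both ends, and a CIDR entry with host bits set (192.168.0.1/24) is rejected rather than silently widened to 192.168.0.0/24, so check your entries before saving instead of discovering the rejection after the list is already enabled.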