The Vault

Introduction

Have the option of enabling an additional security layer to your most sensitive passwords. With Vault, host-proof hosting (or, local-only encryption/decryption) is designed to allow a user to encrypt and decrypt exclusively at the endpoint level in the user’s browser with a user-specific passphrase rather than leaving it to the IT Glue system.

Enabling the Vault allows you to implement an additional layer of security to specific passwords that you deem sensitive. The Vault can help you further protect your data against any malicious intent.

A few important notes regarding Vault:

  • Vault is not a personal password function, rather a means for adding another layer of security to your most vital passwords.
  • You will only be able to export vaulted passwords from the Organization’s Password list view.
  • Store your user passphrase somewhere safe. We recommend storing it as a password record in IT Glue within your primary organization.
  • We strongly recommend that you have at least two administrators configured for Vault so that in the case that an IT Glue administrator forgets their passphrase, your vaulted passwords are not lost. Should you be the sole administrator of the Vault and forget your passphrase, there will be no way to recover your access.
  • At this time, we only support the latest Chrome and the Chromium-based Edge browsers for Vault.

Instructions

Enabling Vault & Setting Your Passphrase

An IT Glue Administrator is required to enable Vault for the IT Glue account. You can grant access to other users following the initial enablement. Note that once Vault is enabled, you will not be able to disable it.

Initial enablement:

  1. Navigate to Account > Settings > Vault tab.


    The_Vault_-_DRAFT_-_Google_Docs-2-2.png

  2. Enter a unique passphrase. This passphrase should be kept secret (we recommend documenting it as a password in IT Glue) and will be used for:
    • Accessing password(s) in the Vault,
    • Updating password(s) in the Vault,
    • Granting access to other users with their own individual passphrase to the Vault,
    • Storing passwords in the Vault, and
    • Removing passwords from the Vault.
    Tip! Click the View (eye icon) if you wish to view the passphrase as you enter it.


    The_Vault_-_DRAFT_-_Google_Docs-2.png

  3. Re-enter to confirm your passphrase and click Set Passphrase. Now, all Vault-related functionality will be accessible to you via this unique passphrase.
    Important! Store this passphrase somewhere safe. We recommend a password record in IT Glue within your primary organization.

(Optional) Configuring Passphrase Sessions Expiry Time

By default, any action involving a password in the Vault will require the user to enter their passphrase to perform the decryption and encryption on the local browser. To change this behaviour, an administrator can change the duration that the local browser holds onto the user’s passphrase in the “Vault” tab of the Account Settings page. It is important to note that a user’s passphrase never leaves the local browser.

Leaving the duration at the default 0 hours and 0 minutes means that a user will be prompted for their passphrase every time they interact with Vault (i.e. encryption and decryption of passwords). Use the pickers in the hour and minute cells to adjust the values and then click Set Expiry.

The_Vault_-_DRAFT_-_Google_Docs-3.png

When a non-zero input is entered, a user’s passphrase can be entered once and will be retained by the browser for the specified duration. If the user logs out prior to the duration expiring, the passphrase will be discarded from the local browser and the user will be prompted for their passphrase on their next action that interacts with the Vault.

The_Vault_-_DRAFT_-_Google_Docs.png

Note: At this time, the passphrase session expiry time only applies to desktop browsers. The mobile app and Chrome Extension will prompt for a passphrase on every interaction with Vault.

Requesting Access to Vault

Once Vault is enabled on the account by the administrator, a user must first request access to the Vault to view vaulted passwords. Users are to follow the steps below:

  1. Log in to IT Glue.
  2. In the top navigation bar, the user will click on the profile icon and select Vault from the drop-down menu.


    Passwords___IT_Glue-4.png

  3. Enter a unique passphrase, confirm the passphrase, and click Set Passphrase to complete the setup.


    The_Vault_-_DRAFT_-_Google_Docs-4.png

  4. The administrators will receive an email notification of the user's request and can then grant them access within the Vault. Administrators must refer to the next section, "Granting Users Access to the Vault".


    email-2.png

Granting Users Access to Vault

Once Vault is enabled on the account and the user requesting access has setup their passphrase, the IT Glue Administrator can grant them access to the Vault.

Important! We strongly recommend that you have at least two administrators configured for Vault so that in the case that an IT Glue administrator forgets their passphrase, your vaulted passwords are not lost. Should you be the sole administrator of the Vault and forget your passphrase, there will be no way to recover your access.
  1. Navigate to Account > Settings > Vault tab
  2. Users who have requested access will appear in the Vault list view. The page displays the following information: 
    • Name - User's first and last name.
    • Email - Email address of the user.
    • Access - You will see either a “Grant” or “Revoke” button for each user. "Grant" indicates that this user is requiring access to the Vault. "Revoke" indicates that this user currently has access to the Vault.
  3. Locate the user requesting access in the list view. You can also use the top search bar or filter by Type to narrow your search.


    Account_Settings___IT_Glue-4-2.png

  4. Click the Grant button beside their email address in the Access column.

Revoking User Access to Vault

Administrators can also revoke a user’s access to the Vault in the case there is a departure from the company.

  1. Navigate to Account > Settings > Vault tab.
  2. Locate the user to be revoked in the list view. You can use the top search bar or filter by Type to narrow your search.
  3. Click the Revoke button in the Access column.

Managing Your Passphrase

Once a user is granted access, they can change their passphrase at any given time.

  1. In the top navigation bar, the user will click on the profile icon and select Vault from the drop-down menu. They will be led to a Change Vault Passphrase page.
  2. Users will enter their current passphrase, their new passphrase, and then confirm the new passphrase.


    Dashboard___IT_Glue-2-2.png

  3. Clicking Set Passphrase confirms the change. 

Adding/Removing Passwords to and from the Vault

  1. Navigate to Organization > Passwords. Whether you are editing an existing password or creating a new one, you can add the password to the Vault by checking the Store in Vault checkbox in the Create/Edit view.


    IT_Glue_Vault_-_Limited_Release_FAQ_-_Google_Docs.png

  2. To add multiple passwords to the Vault, select all the required passwords in the Organization > Passwords list view. Then, click the bulk actions dropdown menu and click “Store in Vault”.


    Passwords___IT_Glue.png

  3. To remove multiple passwords from the Vault, select all the passwords in the Organization > Passwords list view. Then, click the bulk actions dropdown menu and click “Remove from Vault”.
  4. In all Password list views within IT Glue, vaulted passwords can be identified by the shield icon in the Vault column.


    Passwords___IT_Glue-3.png

    Note: Due to browser-specific constraints, the copy to clipboard function for vaulted passwords is not supported in Firefox or Safari browsers.

Accessing Vaulted Passwords in Chrome Extension

In the below scenarios using the IT Glue Chrome Extension, a user will be prompted to enter their unique passphrase to view the vaulted password:

  • Viewing the password record and clicking the show password button (eye icon).
  • Viewing the password record and clicking the copy button.
  • Clicking the password record and landing on the password’s URL page with the password auto-filled.
  • Visiting a webpage which autofills the username and password.


    Quick_guide_for_the_IT_Glue_Chrome_Extension___IT_Glue_Knowledge_Base-2.png

A user lacking a Vault passphrase will be prompted to set one up in the web application. The vault administrator will then need to grant them access to the Vault.

Accessing Vaulted Passwords in the IT Glue Mobile App

In the below scenarios using the IT Glue or MyGlue Mobile App, a user will be prompted to enter their unique passphrase to view the vaulted password:

  • Viewing the password record and clicking the show password button (eye icon).
  • Pressing and holding over a password value to copy the password.

Again, a user lacking a Vault passphrase will be prompted to set one up in the web application. The vault administrator will then need to grant them access to the Vault.

A note on exporting

We currently do not allow the ability to export vaulted passwords via Runbooks, single-asset PDF exports, nor the Account export features. This is to ensure that all vaulted passwords are not left vulnerable to parties that are not granted Vault access.

Vaulted passwords cannot be exported via Runbooks, single-asset PDF exports, or Account Export due to the nature of the action. When a runbook or export is prepared, this action happens in the background where vault decryption cannot happen which would mean storing a user's passphrase somewhere other than the local device.

Exporting via an Organization’s Password list view is still possible for vaulted passwords. Such an export will require the user’s unique passphrase which will be stored in the local browser until the exported .CSV file is produced.

Was this article helpful?
1 out of 3 found this helpful
Have more questions? Contact us