Airlock as a Service Knowledge Base

Vault

The vault lets you manage generic secrets and public/private key pairs used by your IAM configuration. You can reference these secrets and keys from iam-config.yaml (or medusa-configuration.xml). The vault ensures that secrets and public/private key pairs are stored securely and access is restricted.

Note that vault contents are tenant-specific: a reference can only be used within the tenant that holds the entry. If you want to make a configuration portable from one tenant to another, define identical secrets or key pairs with the same ID in both tenants.

Prerequisites

To view vaults, you need the AMC - View vault role. To create or modify vault entries, you need the AMC - Manage vault role. Both roles are included in the SaaS Administrator role by default, but can also be assigned separately. For details, see SaaS roles and permissions.

Managing generic secrets

A generic secret can be a password, a symmetric key, and so on. You can add, refer to, and delete a generic secret.

Adding a generic secret

  1. In the Airlock Console, go to:
    Configuration >> Vault

  2. In the tenant drop-down list on top of the navigation tree, select the tenant where you want to add the secret.

  3. In the Generic secrets tab, click Add generic secret.
    ▶ A dialog window opens.

  4. In the ID field, enter an identifier (maximum 64 characters) for the secret. Allowed characters are letters (A–Z, a–z), digits (0–9), underscores (_), and hyphens (-). The ID must not start with a hyphen and must not contain spaces.

  5. (Optional) Enter a description in Description.

  6. Enter the secret value in Secret.

  7. Click Save.

The secret is added to the list in Vault >> Generic secrets.

Notice

After you save a secret, you cannot view or edit it anymore.

▶ To change a secret, delete it and create a replacement.


Referencing a secret in the vault

Secrets stored in Vault can be referenced in an IAM configuration for the selected tenant by using the reference shown in the secret settings.

  1. In the Airlock Console, go to:
    Configuration >> Vault

  2. In the tenant drop-down list on top of the navigation tree, select the tenant.

  3. In the Generic secrets tab, select the secret you want to reference.

  4. In the Secret settings section, copy the Reference (e.g., [FILE]/secrets/my-secret) and paste it unchanged into the relevant configuration file or into the IAM Config Editor.
    ⓘ Note that the secret value is not displayed.

Deleting a secret in the vault

  1. In the Airlock Console, go to:
    Configuration >> Vault

  2. In the tenant drop-down list on top of the navigation tree, select the tenant where you want to delete a secret.

  3. In the Generic secrets tab, select the secret you want to delete.

  4. In the Secret settings section, click Delete.

  5. In the confirmation dialog, confirm the deletion.

Notice

Deleting the secret takes effect only after the next IAM configuration activation.

▶ To apply the deletion, reactivate the IAM configuration.


Managing key pairs

Besides secrets, the vault may also contain public/private key pairs. You can generate, refer to, and delete key pairs. The private key is generated in the vault; you cannot export it. It is also possible to add a signed certificate to a key pair.

Generating a key pair

  1. In the Airlock Console, go to:
    Configuration >> Vault

  2. In the tenant drop-down list on top of the navigation tree, select the tenant where you want to generate the key pair.

  3. Select the Key pairs tab.

  4. Click Generate key pair.
    ▶ A dialog window opens.

  5. In the ID field, enter an identifier (maximum 64 characters) for the key pair. Allowed characters are letters (A–Z, a–z), digits (0–9), underscores (_), and hyphens (-). The ID must not start with a hyphen and must not contain spaces.

  6. (Optional) Enter a description in the Description field.

  7. In the Algorithm section, select the algorithm to use for generating the key pair.

  8. Click Save.

The key pair is generated. After the key pair is generated successfully, the next dialog displays its settings, including the public key, the keystore path, and the private key alias.

To add a signed certificate to a key pair, see the next section.

Adding a signed certificate to a key pair

  1. In the Airlock Console, go to:
    Configuration >> Vault

  2. In the tenant drop-down list on top of the navigation tree, select the tenant where you want to add a signed certificate to a key pair.

  3. Select the Key pairs tab.

  4. Select the key pair you want to update.

  5. In the Certificate section, click Create CSR.

  6. In the Create certificate signing request dialog window, paste a PEM-encoded template into CSR template.

  7. Click Create & download.
    ▶ The CSR is generated and downloaded to your local device as a PEM file.

  8. Have a trusted certificate authority sign the CSR.

  9. Return to the key pair settings and, in the Certificate section, paste the signed certificate into Signed certificate (PEM format, including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----):

    -----BEGIN CERTIFICATE-----
    MIIFlTCCA30CFHmER2PUiiOBvF0M2d6kCqVQjWCMMA0GCSqGSIb3DQEBCwUAMIGG
    MQswCQYDVQQGEwJYWDESMBAGA1UECAwJU3RhdGVOYW1lMREwDwYDVQQHDAhDaXR5
    TmFtZTEUMBIGA1UECgwLQ29tcGFueU5hbWUxGzAZBgNVBAsMEkNvbXBhbnlTZWN0
    aW9uTmFtZTEdMBsGA1UEAwwUQ29tbW9uTmFtZU9ySG9zdG5hbWUwHhcNMjQxMjEw
    MTE0NDM3WhcNMjUxMjA1MTE0NDM3WjCBhjELMAkGA1UEBhMCRU4xDTALBgNVBAgM
    BG5vbmUxDTALBgNVBAcMBG5vbmUxEjAQBgNVBAoMCVdpa2lwZWRpYTENMAsGA1UE
    CwwEbm9uZTEYMBYGA1UEAwwPKi53aWtpcGVkaWEub3JnMRwwGgYJKoZIhvcNAQkB
    Fg1ub25lQG5vbmUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
    tsR/RQzqmYf5QUXPWB8WTC/GN1QlcO6D16Er7aah+ZyxasJas29V2uCvw2QLEFdP
    kMn/X/nMRXhd7NBqhlzdzvzmDzPF3cTsewnGptXPksApLong08vSbh36Ols+n+Gp
    NcPkWqtElY6GrKcDJwX3pID9NFKJuTAVH+fsXRt8VXDmEkaM7zUkT8453+Ynx+FB
    YbPmV/5QEc5kav5ypM5y0UR6zZkmEsTjETCmNmRjE4Hn1kdFQBdnE3Ceq8rwqiOx
    JIIQdsiZkLt7F6jmVZAee8ey1+5oQOssGd1Fq0Z/vLi3IF7HpGWDUl9zFtL1xIAm
    aSViKv6xugxXNf4F1PY/LOrD2lugRjIT7mYO3LYZ6LHt5+lEHcQpvMK3VlVb3XwP
    C4Y7ki+p/5RILwi999jIoOaRIWLVdbnLCuCYUCMqjXkhXSwZjfNJC6fk3w2iT0Gt
    VR2TUGVzyRsBxDmh1j5bwoEju/lnfNK66W4gNRq8uz9haK1kQ1m2ctxSKOBbjv34
    kQISe7dMkPv8jk5sQhJS00DdKspR1nWKcyqGmizgbtFHBPPYaJQuBMt2pkldS6o1
    56eCmYvAR5R3P1Bv3pMUsOnC3XLNslerILBsiN77OfDqXLoNHXXftegAtYzVWTOo
    o7EvRJRfkEYZ+Q+oJExY0UoPxZmmGWLgo/sbkmrpxDECAwEAATANBgkqhkiG9w0B
    AQsFAAOCAgEAcsWnOt9NyKbqmZAmMKEuo9r4hNYOmxfNixmlqBgiWBhqMs1UhH0S
    jBl2+mcbQkPk8p7UVMFfUgMRRcf/ibwZA4mrKOEB5jb6duvwFszMUnCAByS+uSU9
    MlqsPnQIaka4hp2VFRnKbbMk/O/pz2FABw1zgKVyj89zXAlurOVeLBAEwAaJh2Vz
    MHzrDXfDPZoaFVxhsgF1NLhDycthkhCO4vmxgal0pddtblMtOfaZvFU2WU+akugE
    pKEE4RGCyYT/hlJsZbrY8aD6H0bSUSW5z3Z3fX+0WaF9z0cx+CsbQUAoTelyHopf
    Vfqf8j1kE2WzGUqM0xcWKgYQZmtLNYhwX9ZaLP0BRZ1lgvlExhU82Rs7OyqQOkfT
    JW+LjjtmAB4q9ePe9zNkeEmbFO42KH0Zpq5s5pYCTtvwLPNqOxNqMfg9l2OL2ClH
    x3C/0RS9nGeA+eO402T7+rU00IllmX9jfsM7GNRummeZKmrJjBkibRsqjWbPiqtQ
    7xcTRgEHJZuQg023ud+16loAzvthnhAdMbDrJ7h9tLpZmYNMI3jQIksAYW6lX0ok
    hTS0Sv7CiPYTbswzygVOOOTTyOwVUOzkMihTRlFXRbGph6y7OB8Rs3bI2EVB3NvF
    k05k5RlBteCXi+rU0boH2x57iPYXhhR14TJoPSLeYmTedr62orgkmuo=
    -----END CERTIFICATE-----

    ▶ When you enter the signed certificate, the system validates it and, if the certificate is valid, displays its validity period.

  10. Click Save.

The signed certificate is saved.

Referring to a key pair in the vault

Key pairs stored in Vault can be referenced in an IAM configuration for the selected tenant by using the references to the keystore path and private key alias provided in the key pair settings.

  1. In the Airlock Console, go to:
    Configuration >> Vault

  2. In the tenant drop-down list on top of the navigation tree, select the tenant.

  3. Select the Key pairs tab.

  4. Select the key pair you want to reference.

  5. In the Key pair settings section, under Reference, copy the Keystore file path (e.g., /secrets/keystore.p12) and the Private key alias, and paste them unchanged into the relevant configuration file or into the IAM Config Editor.

After you paste the Keystore file path and the private key alias into your IAM configuration, the IAM instance uses this key pair from the tenant's Vault.

Deleting a key pair in the vault

  1. In the Airlock Console, go to:
    Configuration >> Vault

  2. In the tenant drop-down list on top of the navigation tree, select the tenant where you want to delete a key pair.

  3. Select the Key pairs tab.

  4. Select the key pair you want to delete.

  5. In the Key pair settings section, click Delete.

  6. In the confirmation dialog, confirm the deletion.

Notice

Deleting the key pair takes effect only after the next IAM configuration activation.

▶ To apply the deletion, reactivate the IAM configuration.


Default secrets

When you create a tenant, Airlock SaaS automatically generates the following secrets for the tenant:

  • IAM_ENCRYPTION_KEY

  • IAM_HMAC_KEY

  • LOGIN_FROM_NEW_DEVICE_KEY

These secrets are required by the tenant IAM security settings. You can replace them if necessary, but ensure that these secrets are always present. If one of these secrets is missing during configuration activation, the activation will fail.