Introduction
Vault gives you the option of enabling an additional security layer for your most sensitive passwords. With Vault, host-proof hosting (that is, local-only encryption and decryption) allows a user to encrypt and decrypt exclusively at the endpoint, in the user’s browser, with a user-specific passphrase rather than leaving it to the IT Glue system.
Enabling the Vault adds a layer of security to the specific passwords and Organizational quick notes that you deem sensitive. The Vault can help you further protect your data against any malicious intent.
A few important notes regarding Vault:
Vault is not a personal password function, but rather a means for adding another layer of security to your most vital passwords.
A user who has Vault access enabled will be able to use their unique passphrase to view vaulted passwords created by other users. Removing Vault access disables their passphrase.
You will only be able to export vaulted passwords from the Organization’s Password list view. Vaulted quick notes cannot be exported.
Store your user passphrase somewhere safe. We recommend storing it as a password record in IT Glue within your primary organization.
We strongly recommend that you have at least two administrators configured for Vault so that in the case that an IT Glue administrator forgets their passphrase, your vaulted passwords are not lost. Should you be the sole administrator of the Vault and forget your passphrase, there will be no way to recover your access.
At this time, we only support the latest Chrome and the Chromium-based Edge browsers for Vault.
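The notes above (each user's own passphrase opens passwords vaulted by other users, and a forgotten sole-administrator passphrase cannot be recovered) are what a per-user key-wrapping design produces. The sketch below is an added example, not IT Glue's code: this page does not describe Vault's internals, so the design (one RSA key pair per user, scrypt, AES-GCM) and every function name are assumptions, and it runs under Node.js rather than in a browser.

```javascript
// Assumed design for illustration; not IT Glue's implementation. All names are hypothetical.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-256-GCM helpers; open() throws when the key (and so the passphrase) is wrong.
function seal(key, data) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  return { iv, ct: Buffer.concat([c.update(data), c.final()]), tag: c.getAuthTag() };
}
function open(key, box) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv).setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Endpoint: only the public key, a salt and the encrypted private key are uploaded.
function requestAccess(vault, user, passphrase) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048, publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' } });
  const salt = nodeCrypto.randomBytes(16);
  const kek = nodeCrypto.scryptSync(passphrase, salt, 32); // passphrase-derived key
  vault.users[user] = { publicKey, salt, privateBox: seal(kek, Buffer.from(privateKey)) };
}
// Endpoint: passphrase -> private key -> shared vault key. Fails without a grant.
function unlock(vault, user, passphrase) {
  const u = vault.users[user];
  if (!u || !u.wrappedVaultKey) throw new Error('no Vault access');
  const pem = open(nodeCrypto.scryptSync(passphrase, u.salt, 32), u.privateBox).toString();
  return nodeCrypto.privateDecrypt({ key: pem, ...OAEP }, u.wrappedVaultKey);
}
const wrapFor = (u, vaultKey) => {
  u.wrappedVaultKey = nodeCrypto.publicEncrypt({ key: u.publicKey, ...OAEP }, vaultKey);
};
function enableVault(admin, passphrase) {
  const vault = { users: {}, records: {} }; // everything the server ever holds
  requestAccess(vault, admin, passphrase);
  wrapFor(vault.users[admin], nodeCrypto.randomBytes(32)); // vault key never stored unwrapped
  return vault;
}
// Granting needs an existing member's passphrase, because only they can unwrap the key.
const grant = (vault, admin, adminPassphrase, user) =>
  wrapFor(vault.users[user], unlock(vault, admin, adminPassphrase));
// Deleting the wrapped copy blocks later unlocks; it cannot recall a key already unwrapped.
const revoke = (vault, user) => { delete vault.users[user].wrappedVaultKey; };
const storeSecret = (vault, user, passphrase, name, secret) =>
  (vault.records[name] = seal(unlock(vault, user, passphrase), Buffer.from(secret)));
const readSecret = (vault, user, passphrase, name) =>
  open(unlock(vault, user, passphrase), vault.records[name]).toString();
```

In this model, if every user holding a wrapped copy of the vault key forgets their passphrase, nothing left on the server can decrypt the records, which is the reason for configuring a second Vault administrator.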
Instructions
Enabling Vault & Setting Your Passphrase
An IT Glue Administrator is required to enable Vault for the IT Glue account. You can grant access to other users following the initial enablement. Note that once Vault is enabled, you will not be able to disable it.
Initial enablement:
1. Navigate to Account > Settings > Vault tab.
2. Enter a unique passphrase. This passphrase should be kept secret and will be used for:
   Accessing password(s) in the Vault,
   Updating password(s) in the Vault,
   Granting access to other users with their own individual passphrase to the Vault,
   Storing passwords in the Vault, and
   Removing passwords from the Vault.
3. Re-enter to confirm your passphrase and click Set Passphrase. Now, all Vault-related functionality will be accessible to you via this unique passphrase.
Important! Store this passphrase somewhere safe. We recommend a password record in IT Glue within your primary organization.
(Optional) Configuring Passphrase Sessions Expiry Time
By default, any action involving a password in the Vault will require the user to enter their passphrase to perform the decryption and encryption on the local browser. To change this behaviour, an administrator can change the duration that the local browser holds onto the user’s passphrase in the “Vault” tab of the Account Settings page. It is important to note that a user’s passphrase never leaves the local browser.
Leaving the duration at the default 0 hours and 0 minutes means that a user will be prompted for their passphrase every time they interact with Vault (i.e. encryption and decryption of passwords). Use the pickers in the hour and minute cells to adjust the values and then click Set Expiry.
When a non-zero input is entered, a user’s passphrase can be entered once and will be retained by the browser for the specified duration. If the user logs out prior to the duration expiring, the passphrase will be discarded from the local browser and the user will be prompted for their passphrase on their next action that interacts with the Vault.
Note: At this time, the passphrase session expiry time only applies to desktop browsers and Chrome Extensions. The mobile app will prompt for a passphrase on every interaction with Vault.
Requesting Access to Vault
Once Vault is enabled on the account by the administrator, a user must first request access to the Vault to view vaulted passwords. Users are to follow the steps below:
Log in to IT Glue.
In the top navigation bar, the user will click on the name of the account and select Vault from the drop-down menu.
Enter a unique passphrase, confirm the passphrase, and click Set Passphrase to complete the setup.
The administrators will receive an email notification of the user's request and can then grant them access within the Vault. Administrators must refer to the next section, "Granting Users Access to Vault".
Granting Users Access to Vault
Once Vault is enabled on the account and the user requesting access has set up their passphrase, the IT Glue Administrator can grant them access to the Vault.
Important! We strongly recommend that you have at least two administrators configured for Vault so that in the case that an IT Glue administrator forgets their passphrase, your vaulted passwords are not lost. Should you be the sole administrator of the Vault and forget your passphrase, there will be no way to recover your access. In this event, your Vault access can be reset by IT Glue Support but any passwords or quick notes stored in the Vault will be irrecoverable.
Navigate to Account > Settings > Vault tab.
Users who have requested access will appear in the Vault list view. The page displays the following information:
Name - User's first and last name.
Email - Email address of the user.
Access - You will see either a “Grant” or “Revoke” button for each user. "Grant" indicates that this user is requesting access to the Vault. "Revoke" indicates that this user currently has access to the Vault.
Locate the user requesting access in the list view. You can also use the top search bar or filter by Type to narrow your search.
Click the Grant button beside their email address in the Access column.
Revoking User Access to Vault
Administrators can also revoke a user’s access to the Vault, for example when the user departs from the company.
Navigate to Account > Settings > Vault tab.
Locate the user to be revoked in the list view. You can use the top search bar or filter by Type to narrow your search.
Click the Revoke button in the Access column.
Note that if a user can access the Vault and has stored passwords within it, you will need to revoke their access rights before you can delete them post-departure. If you attempt to delete them while they still have access and stored passwords within the Vault, a "User could not be deleted because it has one or more dependent records" error will appear.
Managing Your Passphrase
Once a user is granted access, they can change their passphrase at any given time.
In the top navigation bar, the user will click on the profile icon and select Vault from the drop-down menu. They will be led to a Change Vault Passphrase page.
Users will enter their current passphrase, their new passphrase, and then confirm the new passphrase.
Clicking Set Passphrase confirms the change.
Adding/Removing Passwords to and from the Vault
Navigate to Organization > Passwords. Whether you are editing an existing password or creating a new one, you can add the password to the Vault by checking the Store in Vault checkbox in the Create/Edit view.
To add a password to the Vault, navigate to Organization > Passwords. In the list view, select the password(s) you want to add. Then, click the bulk actions dropdown menu and click “Store in Vault”.
Note: All passwords can be stored in the Vault, including your personal passwords.
To remove a password from the Vault, select it again in the Organization > Passwords list view. Then, click the bulk actions dropdown menu and click “Remove from Vault”.
In all Password list views within IT Glue, vaulted passwords can be identified by the shield icon in the Vault column.
Note: Due to browser-specific constraints, the copy to clipboard function for vaulted passwords is not supported in Firefox or Safari browsers.
Accessing Vaulted Passwords in Chrome Extension
In the following scenarios using the IT Glue Chrome Extension, a user will be prompted to enter their unique passphrase to view the vaulted password:
Viewing the password record and clicking the Show Password button (eye icon).
Viewing the password record and clicking the copy button.
Clicking the password record and landing on the password’s URL page with the password auto-filled.
Visiting a webpage which autofills the username and password.
A user lacking a Vault passphrase will be prompted to set one up in the web application. The vault administrator will then need to grant them access to the Vault.
Accessing Vaulted Passwords in the IT Glue Mobile App
In the following scenarios using the IT Glue or MyGlue Mobile App, a user will be prompted to enter their unique passphrase to view the vaulted password:
Viewing the password record and clicking the Show Password button (eye icon).
Pressing and holding over a password value to copy the password.
Again, a user lacking a Vault passphrase will be prompted to set one up in the web application. The vault administrator will then need to grant them access to the Vault.
A note on searching for passwords
If your IT Glue administrator has set up a Password Access Workflow, please note that clicking the Show password button or the Copy to clipboard icon on a password’s search result will trigger a notification indicating that you have viewed or copied the password in question. Depending on the filters set by your Administrator, clicking Show Password or the Copy to clipboard icon will also trigger a notification.
A note on exporting
We currently do not allow vaulted passwords to be exported via Runbooks, single-asset PDF exports, or the Account export feature. This ensures that vaulted passwords are not left vulnerable to parties that have not been granted Vault access. Vaulted quick notes are also excluded from exports.
The restriction follows from the nature of these actions: a runbook or export is prepared in the background, where Vault decryption cannot happen, because decrypting there would mean storing a user's passphrase somewhere other than the local device.
Exporting via an Organization’s Password list view is still possible for vaulted passwords. Such an export will require the user’s unique passphrase which will be stored in the local browser until the exported .CSV file is produced.