Vaults are essential components for the security of your credentials. To automate logging into websites, send and receive emails in your flows, or use external APIs you need some credentials.
Do NOT embed your credentials into your Flows in clear text, either in Function nodes or hard-coded into the node properties.
They are NOT kept encrypted if you use your credentials this way. And if you happen to share your flows with someone, by accident you will also share your credentials.
Always use Vaults for your credentials!
Vaults keep your credentials in a secure way that no one can see or reach but you. The security is carried by two components:
- with something you know: Password
- with something you have: Vault Secret Key
Only with these two components, your credentials can be decrypted. The password is to your workspace password and this is known by you, if anyone sees your password they won't be able to reach your Vault items because they don't have your Secret Key.
We also do not have your Secret Key only you have it. Every time you create a vault inside the Flow Designer, you will also be generating a new Secret Key for that vault.
If you lose your Vault Secret Key, we can not retrieve the items inside your vault. You have to delete that Vault and create a new one.
For managing and using your vaults you can check this guide.
Your robot also has to have your Vault Secret Key to get and decrypt your credentials and use them within your automations. Because the robot could be installed and running somewhere on a remote machine, there should be some way to setup your Vault Secret Key on the robot machine.
Inject Vault Secret
There is a secure way to set up the Vault Secret on the remote machine where the robot is running and that is the Inject Vault Secret option in Admin Console.
Even the injection uses an RSA key pair to keep the security of your Vault Secret Key. Admin Console uses the public key of your robot to encrypt the injected key on the client side and only the robot on the remote machine can decrypt this encrypted Vault Secret.