EFS (Encrypting File System) is a Microsoft technology that allows a
user to encrypt files with their own password-protected account. This means that only the user
who encrypted the file will be able to access it, even if other users are
granted access to the file. If an administrator resets the password on this
account, and the account does not change its own password, then the
file will not be recoverable.
You can use EFS to protect your Secret Server encryption key. This will
allow only a single service account to access the file, and no other
user will be able to read the key unless they know the service account
password. Below are the steps for encrypting your encryption.config file
with EFS.
- Back up your encryption.config file to a secure location. This is
very important for disaster recovery (DR) purposes. If you lose access to your
service account or the server fails, then you will not be able to
recover your secrets without a backup of this file.
- Create a new service account or select an existing one. The
service account must initially have privileges to log in to the
server, because the encryption step must be performed while logged in as that account.
- If you have already installed Secret Server and are using
Windows Authentication for database access, make sure the Service
Account has access to the database.
- Run the Secret Server application pool as this service account. More details can be found at the following KB article:
- http://support.thycotic.com/KB/a94/running-secret-server-iis-application-pool-with-service.aspx
- Give the service account full access to your Secret Server
directory through Windows Explorer if it does not have access already.
- Log in to your server as the service account.
- Locate the encryption.config file in your Secret Server directory.
- Right-click the file and click Properties.
- Click the "Advanced..." button on the General tab.
- Check the "Encrypt contents to secure data" check box.
- Click "OK" and then "Apply". Select the "Encrypt the file only" option if prompted and click "OK".
- Log out of Windows and log back in as an administrator. Confirm
that the application still works by performing an IIS Reset
(start->run->cmd->IISReset) or recycling the application pool.
Then, make sure you can still log in and view your secrets.
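The backup, encrypt and verify steps above can be scripted so that the right account performs them and the result is checked rather than assumed. The following PowerShell is an added example, not part of the KB article or Thycotic's product; the install path, backup directory and service account name are placeholders to be replaced. It refuses to run unless the current user is the service account (EFS ties the decryption key to whichever account encrypts the file), takes a backup first, encrypts only that one file, and then confirms the Encrypted attribute is set and lists, via cipher /c, which accounts can decrypt it.

```powershell
# Added example (not from the Thycotic KB article): back up, EFS-encrypt and
# verify encryption.config as the Secret Server service account.
# All paths and the account name below are assumptions; adjust them.
$SecretServerDir = 'C:\inetpub\wwwroot\SecretServer'   # assumed install path
$ConfigFile      = Join-Path $SecretServerDir 'encryption.config'
$BackupDir       = 'D:\SecureBackup'                    # assumed secure backup location
$ServiceAccount  = 'DOMAIN\svc_secretserver'            # placeholder service account

# 1. Only the account that encrypts the file can later decrypt it, so refuse
#    to continue if we are logged in as anyone else.
$current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($current -ne $ServiceAccount) {
    throw "Run this logged in as $ServiceAccount (current user: $current)."
}

# 2. Back up the plaintext file before encrypting; without this backup the
#    secrets are unrecoverable if the service account or server is lost.
if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $ConfigFile -Destination (Join-Path $BackupDir "encryption.config.$stamp.bak")

# 3. Encrypt just this file, the scripted equivalent of
#    Properties > Advanced > "Encrypt contents to secure data" > "Encrypt the file only".
$file = Get-Item -Path $ConfigFile
if ($file.Attributes -band [System.IO.FileAttributes]::Encrypted) {
    Write-Host "Already EFS-encrypted: $ConfigFile"
} else {
    $file.Encrypt()
}

# 4. Verify the attribute actually changed, then show which accounts (and any
#    data recovery agents) hold a key that can decrypt the file.
$file.Refresh()
if (-not ($file.Attributes -band [System.IO.FileAttributes]::Encrypted)) {
    throw "EFS encryption did not take effect on $ConfigFile"
}
cipher.exe /c $ConfigFile
```

The output of cipher /c should list only the service account under "Users who can decrypt" (plus any recovery agent your domain policy defines); if an unexpected account appears there, that account can read the key. The final step of the article, logging back in as an administrator and recycling the application pool, is deliberately not part of this script because it must run under a different account.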
Article ID: 107, Created On: 9/29/2010, Modified: 9/29/2010