Vault
The Xill4 Vault allows you to store sensitive data securely. It works by storing variables in encrypted form, protected by a password.
You can change secrets at any time, even when flows are actively processing messages, but beware that this might change the outcome of the flow and should not be done in a production scenario.
Creating a vault
To create the Vault, click the vault icon in the toolbar. A prompt will pop up to provide a password. Each project has its own dedicated vault. This also means you will need to create a new vault for each new project and store the required secrets.
Minimum password length is 8 characters.
Creating secrets in the vault
When the vault is created, a window will pop up with an empty vault. The encrypted data of the vault will be saved in the vault file specified by the environment variable XILL4_VAULT_PATH, or in ./vault.json by default. Vault secrets can be created just like flow variables, the only difference being that the secret itself will not be shown. Note that secrets are only saved in the vault when the submit button is clicked and the password for the vault is provided again.
Updating secrets
Clicking the vault icon again will bring you back to the vault editor. When clicking a secret name, a new value for the secret can be provided. Once again, secrets are only saved in the vault when the submit button is clicked and the password for the vault is provided again.
Using the vault
In the Project and Flow overview, you will see the Vault icon (red lock symbol) in the top navigation bar. By clicking this button you will be prompted to enter a password. Once you've entered the right password, you will see that the icon has changed into an unlocked state. This means that the vault is now unlocked and you can use it to retrieve sensitive data.
To retrieve a variable from the vault, you can use the variable syntax (%variableName%) prefixed with vault. For example, if you have a variable called myVariable in the vault, you can use the syntax %vault.myVariable% to retrieve it.
Locking the vault
In case you want to lock the Vault, you can simply click the Vault icon in the Project overview. This will lock the vault and you will no longer be able to retrieve sensitive data.
If you are running flows, you may see variables being interpreted as ***VAULT_LOCKED***. This is an indicator that the Vault is locked.
Reading secrets from the vault
For security reasons, reading secrets is not possible from within the Vault Editor. To read a secret, you need to use the Vault Console and have access to vault.json.
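Because access to the vault file is one of the two things needed to read secrets, it is worth checking who else on the host can read or replace it. The following is an added example, not part of Xill4: it resolves the vault file location as described above (XILL4_VAULT_PATH, otherwise ./vault.json) and reports loose POSIX permissions. The function names are hypothetical, and it assumes that an empty XILL4_VAULT_PATH falls back to the default and that the check runs as the same account that runs Xill4.

```python
import os
import stat

DEFAULT_VAULT_FILE = "./vault.json"  # default location documented above


def resolve_vault_path(env=None):
    """Return XILL4_VAULT_PATH if set, else the documented default.

    Assumption: an empty value is treated the same as an unset variable.
    """
    env = os.environ if env is None else env
    return env.get("XILL4_VAULT_PATH") or DEFAULT_VAULT_FILE


def audit_vault_file(path):
    """Return a list of findings for the vault file (empty list = none)."""
    try:
        st = os.lstat(path)  # lstat: do not silently follow a symlink
    except FileNotFoundError:
        return [f"{path}: vault file not found"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink; audit the link target instead"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]

    findings = []
    mode = stat.S_IMODE(st.st_mode)
    # The file is encrypted, but anyone who can read it can attempt
    # password guessing offline, so keep it private to the owner.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/other (mode {mode:04o})")
    # Write access lets another account replace or corrupt stored secrets.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/other (mode {mode:04o})")
    # Assumption: this audit runs as the account that runs Xill4.
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        findings.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    return findings


if __name__ == "__main__":
    for finding in audit_vault_file(resolve_vault_path()):
        print(finding)
```

A file with mode 0600 owned by the Xill4 service account produces no findings.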
Protocol
By default, we use OpenSSL to encrypt secrets. More information on this standard can be found here.
This implementation was chosen as it is a proven solution, widely used and implemented on almost any device.