Last updated: 2026-03-31

Source: https://support.freshservice.com/support/solutions/articles/50000012115-master-password-and-secret-operations

Secrets are objects that store credentials and related information, typically for authentication during discovery.

To maintain a high security posture, you must initialize the vault with a master passphrase before creating your first record. This passphrase is used to encrypt all stored passwords. If you migrate your data to a new appliance via backup and restore, this passphrase is required to decrypt and view your secrets.

Create a master passphrase

You must perform this one-time setup before adding any credentials to the system.

1. Navigate to Tools > Settings > Password Security.

2. Enter a passphrase between 12 and 32 characters in length.

3. Save the passphrase in a secure, external location.

Add a new secret

You can create secrets from the main menu or directly within discovery job configuration pages.

1. Navigate to Resources > Secrets > All Secrets and click Create.

2. Fill in the following identification fields:

- Username: Required for identification and searching.

- Label: An optional descriptive name to differentiate between similar accounts.

- Category: Group the secret by type (e.g., Windows, Network, Database).

- Devices/Application Components: Optionally link the secret to specific assets for centralized management.

3. Configure the credential details:

- Password Storage: Choose Normal (retrievable) or Burnt (non-retrievable).

- Key File: Upload a private key if the secret uses key-based authentication.

- \# Days Before Expiration: Define a rotation window.

4. Click Save.

Generate a secure password

If you are creating a new account, you can use the built-in generator to ensure high entropy.

1. Click Generate Password at the top right of the Add Secret page.

2. Click Use to insert the string or Generate Other for a new option.

3. To change the default complexity (case, numbers, special characters), visit Tools > Settings > Global Settings.

Assign permissions

At least one user or group must be granted permission to view and edit the secret to prevent it from becoming inaccessible.

  • View Users/Groups: Can see the secret details.
  • Use Only Users/Groups: Can utilize the secret for discovery but cannot view the plain-text password.
  • View Edit Users/Groups: Full administrative control, including deletion.

Note: If these fields are left empty during creation, the system automatically assigns View Edit permissions to the logged-in user who created the record.

View and search secrets

Access your stored credentials through the centralized vault list.

1. Navigate to Resources > Secrets > All Secrets.

2. Use the search bar to find secrets by username, label, device name, or notes.

3. Displaying Passwords: By default, passwords are obscured. Click the blue eye icon to reveal the password or the copy icon to add it to your clipboard.

4. Modifying Records: Click the Username to view the details, then click Edit to reach the change password page.

Important security notes

  • Search Limitations: The global search bar does not return matches for the passwords themselves; you must perform searches within the All Secrets list page.
  • Audit Trail: All additions, edits, and view operations are logged to ensure administrative accountability.