A Burnt Secret is a credential stored in a way that makes it non-retrievable by any user. This article provides an overview of the Burnt Secret storage method and instructions on how to configure and filter non-retrievable credentials within your vault.
When a Secret is set to Burnt, the plain-text password can never be viewed or retrieved after the record is saved. However, the appliance can still utilize these credentials to perform automated discovery jobs. This provides a high level of security by ensuring that even users with access to the vault cannot see the underlying password.
Caution: If the password of a Burnt Secret is forgotten, it cannot be recovered. It must be reset and regenerated at the target source and updated in the vault. Do not use this storage method if you anticipate needing to retrieve the password for manual use in the future.
Store a Burnt Secret
Creating a Burnt Secret follows the same basic workflow as a normal secret, with one specific configuration change in the details form.
1. Navigate to Resources > All Secrets and click Create (or Add Secret).
2. Fill in the required fields:
   - Username: The name used to identify the account (e.g., "telnet" or a specific admin ID).
   - Label: A descriptive label for the account.
   - Workspace: Assign the secret to a specific workspace (e.g., "IT").
   - Password: Enter the sensitive credential.
3. Locate the Password Storage dropdown menu.
4. Select Burnt (the default is "Normal").
5. Click Save.
Once saved, the password field will be obscured and retrieval will be disabled.
View and filter Burnt Secrets
You can easily identify which credentials in your vault are stored using the Burnt method.
1. Navigate to the Secrets list page under Resources > All Secrets.
2. Select the Password Storage filter from the sidebar or filter menu.
3. Choose Burnt to refresh the list and view only non-retrievable secrets.
Detail fields
The following fields are visible when adding or editing a secret in the vault: