Policies are user- and group-based controls (local or IdP-based groups) that govern how secrets matching a domain must be configured. They can be used to group a set of domains (e.g. wellsfargo.com, chase.com, and quickbooks.com), assign a group or user to that set, and attach custom rules for how those secrets are handled.
The policies themselves are a mix of traditional password policies and Secret Chest-specific policies around shard management. Policies can be enabled and disabled (a disabled policy is useful for testing, or for keeping a policy ready for later). Policy logic is applied in both the app and the web app. For future-proofing, policies may eventually be location-aware (e.g. where a secret was physically used). Because this can be a privacy issue, it will be possible to disable it, but it will require a map entitlement.
Policies are configured from the Secret Chest web app. To create policies:
Open app.secretchest.io and click on Policies in the sidebar.
At the list of policies, select a policy to edit or click the New button.
At the policy screen, enter a name for the policy in the Name field.
Click in the Domains field and enter a list of domains separated by commas. A domain entered without a sub-domain covers all of its sub-domains; no wildcards are required.
Check the boxes for the options you want to apply. The options are as follows:
Require Multi-Peer: Requires every secret for the matched domains to be a multi-peer secret.
Minimum Shards to Unlock: Requires an integer for the minimum number of shards (that is, devices hosting a shard) that must be present to unlock a secret. Assumes the shard map contains at least one more device than that minimum (n+1), so that a single unavailable device does not lock the secret.
Allow PIN to unlock: The hardware-backed key (TPM, or Secure Enclave on Apple devices) can be unlocked with a device PIN as well as with biometrics, and the PIN is the weaker factor. Unchecking this removes the PIN option and requires a biometric check. Allowing the PIN is useful for passkeys when a laptop is in clamshell mode and the biometric sensor is unavailable.
Block cloud shard: Disables escrowing any shards to the Secret Chest cloud service.
Require numbers and letters: For password objects, requires the password itself to have numbers and letters.
Require special characters: For password objects, requires the password itself to have at least one special character (e.g. !@#$%^&*).
Block descending and ascending: For password objects, requires the password to contain no run of three or more consecutive characters that are identical, ascending, or descending (e.g. 123, abc, 111).
Block external sharing: Disables the ability to share a secret to an external user. This is also a global policy option.
Click Submit to save the policy.
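To make the domain-matching rule from the Domains step and the option checks above concrete, here is an added example of a policy evaluator in Python. It is constructed illustration code, not Secret Chest's own implementation: the Policy and Secret field names mirror the form labels, the evaluation rules are assumptions drawn from the option descriptions on this page, and the special-character set is assumed to be the one the page lists as examples.

```python
# Added example (not Secret Chest code): evaluate a policy built from the
# form fields above against a candidate secret. Field names, rules and the
# sample policy/secret are assumptions based on this page's descriptions.
from dataclasses import dataclass, field
from typing import List, Optional

SPECIALS = set("!@#$%^&*")  # assumption: the page's example set is the full set


@dataclass
class Policy:
    name: str
    domains: List[str]                      # parsed from the comma-separated Domains field
    enabled: bool = True
    require_multi_peer: bool = False
    min_shards_to_unlock: Optional[int] = None
    allow_pin: bool = True
    block_cloud_shard: bool = False
    require_numbers_and_letters: bool = False
    require_special: bool = False
    block_sequences: bool = False           # "Block descending and ascending"
    block_external_sharing: bool = False


@dataclass
class Secret:
    host: str                               # domain the secret belongs to
    password: Optional[str] = None          # None for non-password objects (e.g. passkeys)
    multi_peer: bool = False
    shard_devices: List[str] = field(default_factory=list)  # devices in the shard map
    cloud_shard: bool = False
    pin_unlock: bool = False
    shared_externally: bool = False


def parse_domains(field_value: str) -> List[str]:
    """Split the Domains field on commas, ignoring whitespace and blank entries."""
    return [d.strip().lower().rstrip(".") for d in field_value.split(",") if d.strip()]


def domain_matches(policy_domain: str, host: str) -> bool:
    """A policy domain covers itself and every sub-domain without wildcards.
    The suffix check includes the dot, so chase.com does not match notchase.com."""
    host = host.lower().rstrip(".")
    return host == policy_domain or host.endswith("." + policy_domain)


def has_run(pw: str, length: int = 3) -> bool:
    """True if pw has `length` consecutive chars that are identical,
    ascending by one, or descending by one (e.g. 111, abc, cba, 321)."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def password_violations(policy: Policy, pw: str) -> List[str]:
    """Apply the three password-object rules from the policy form."""
    problems = []
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    if policy.require_numbers_and_letters and not (has_alpha and has_digit):
        problems.append("needs both letters and numbers")
    if policy.require_special and not any(c in SPECIALS for c in pw):
        problems.append("needs a special character")
    if policy.block_sequences and has_run(pw):
        problems.append("contains a repeating, ascending or descending run")
    return problems


def evaluate(policies: List[Policy], secret: Secret) -> List[str]:
    """Collect violations from every enabled policy whose domains cover the host."""
    out = []
    for p in policies:
        if not p.enabled or not any(domain_matches(d, secret.host) for d in p.domains):
            continue
        if p.require_multi_peer and not secret.multi_peer:
            out.append(f"{p.name}: must be a multi-peer secret")
        # Minimum Shards assumes one more device than the minimum in the shard map.
        if p.min_shards_to_unlock is not None and len(secret.shard_devices) < p.min_shards_to_unlock + 1:
            out.append(f"{p.name}: shard map needs at least {p.min_shards_to_unlock + 1} devices")
        if not p.allow_pin and secret.pin_unlock:
            out.append(f"{p.name}: PIN unlock disabled, biometric required")
        if p.block_cloud_shard and secret.cloud_shard:
            out.append(f"{p.name}: cloud shard escrow is blocked")
        if p.block_external_sharing and secret.shared_externally:
            out.append(f"{p.name}: external sharing is blocked")
        if secret.password is not None:
            out.extend(f"{p.name}: password {m}" for m in password_violations(p, secret.password))
    return out


# Constructed sample policy covering the banking domains mentioned above.
BANK_POLICY = Policy(
    name="Banking", domains=parse_domains("wellsfargo.com, chase.com, quickbooks.com"),
    require_multi_peer=True, min_shards_to_unlock=2, allow_pin=False, block_cloud_shard=True,
    require_numbers_and_letters=True, require_special=True, block_sequences=True,
    block_external_sharing=True,
)


def demo() -> List[str]:
    """Evaluate a deliberately non-compliant chase.com secret against BANK_POLICY."""
    weak = Secret(
        host="online.chase.com",
        password="abc12345",                  # no special char; runs abc and 123
        shard_devices=["laptop", "phone"],    # 2 devices; minimum 2 shards needs 3
        cloud_shard=True, pin_unlock=True,
    )
    return evaluate([BANK_POLICY], weak)
```

Running demo() reports six violations for the sample secret: not multi-peer, too few devices in the shard map, PIN unlock in use, a cloud shard escrowed, a missing special character, and the abc/123 runs. A secret for a host outside the policy's domain list, or a policy that is disabled, produces no violations.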