Secret Manager (Decommissioned on August 15th, 2023)
IMPORTANT - As of August 15th, 2023, Secret Manager has been decommissioned. Please use onetimesecret.com to share secrets such as account passwords or BitLocker secret keys.
CCS service to communicate secrets
The CCS Secret Manager service provides a secure way to share secrets such as account passwords or BitLocker secret keys. The secrets are shared via a secure link rather than by value as plain text. Each secret can be retrieved only once: it is deleted from the database as soon as it is read or within 7 days, whichever comes first. Therefore, if you can retrieve the secret that was sent to you, nobody else intercepted it. The secrets are encrypted in transit and at rest, and can optionally be encrypted in use as well.
The Secret Manager is currently used by the CCS to communicate the following secrets:
- central login account passwords, for example, after a password reset has been requested
- BitLocker keys
- door security codes
- various application tokens and secret keys
The sender will often be a CCS staff member or a Help Center / Help Desk agent. The recipients can be University of Guelph students, staff, and faculty or third parties such as visiting researchers, contractors, or partnered organizations.
Various layers of encryption are used to protect the secret. When the secret is registered with the Secret Manager, it is first encrypted with a key that CCS manages and then saved in a key-value store which uses a platform-managed key to encrypt the secret at rest. When the secret is retrieved by the recipient via the link received from the sender, the communication is encrypted with TLS - a standard web protocol. Additionally, the secret can be encrypted before it is sent to the database with a passphrase known only to the sender. The sender will then communicate the passphrase to the recipient either directly or via a trusted third party.
The secrets are retrieved via a CCS-managed service at https://secret-manager.identity.uoguelph.ca. If you receive an unsolicited email containing such a link, do not visit it: phishing and malware sites may imitate this kind of link to trick you into clicking on a dangerous one.
In most cases, you will initiate the process, for example, by contacting the Help Center with a request for a password reset. The Help Center agent will register the new password with the Secret Manager and inform you when and how the link will be communicated to you. Once you retrieve the secret, it is deleted from the Secret Manager database and cannot be retrieved again. Please store the secret securely, preferably in a password manager. For additional information, visit Information Security's guide to password managers.
If the retrieval of the secret fails with the error message "No secret found", the secret has either been retrieved already or has expired (presently the expiration is set to 7 days). If this was the first time you tried to retrieve the secret, contact the sender and ask them to reset the secret and send it to you again. Similarly, if the secret was protected by an additional passphrase and you mistype the passphrase while retrieving the secret, you will need to ask to have the secret resent.
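The following is an added illustration of the retrieval and encryption semantics described on this page (one-time read, 7-day expiry, a CCS-managed key layered on the store, and an optional sender passphrase). It is not the Secret Manager's own code: the actual service's algorithms, key management and storage are not documented here, so the `SecretManager` class, the `NoSecretFound` error and the HMAC-SHA256-based encrypt-then-MAC construction are assumptions chosen to keep the example dependency-free. All sample secrets are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SECRET_TTL_SECONDS = 7 * 24 * 60 * 60   # 7-day expiry stated on the page
NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16


class NoSecretFound(Exception):
    """Raised when a secret was already retrieved or has expired."""


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream (assumed toy construction).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on mismatch."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed (wrong key or tampered data)")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _passphrase_key(passphrase: str, salt: bytes) -> bytes:
    # Slow derivation so a mistyped or guessed passphrase cannot be tried cheaply.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


@dataclass
class _Record:
    blob: bytes
    expires_at: float
    passphrase_protected: bool


class SecretManager:
    """One-time, time-limited secret store (hypothetical; not the CCS service's code)."""

    def __init__(self, service_key: Optional[bytes] = None, clock: Callable[[], float] = time.time):
        self._service_key = service_key or secrets.token_bytes(32)  # the key "CCS manages"
        self._clock = clock
        self._store: Dict[str, _Record] = {}  # stands in for the key-value store

    def register(self, secret: str, passphrase: Optional[str] = None) -> str:
        data = secret.encode()
        if passphrase is not None:
            # Optional sender-side layer: only the passphrase holder can read the value.
            salt = secrets.token_bytes(SALT_LEN)
            data = salt + seal(_passphrase_key(passphrase, salt), data)
        token = secrets.token_urlsafe(32)  # the unguessable part of the link
        self._store[token] = _Record(
            blob=seal(self._service_key, data),
            expires_at=self._clock() + SECRET_TTL_SECONDS,
            passphrase_protected=passphrase is not None,
        )
        return token

    def retrieve(self, token: str, passphrase: Optional[str] = None) -> str:
        # pop() deletes the record on the first retrieval attempt, right or wrong.
        rec = self._store.pop(token, None)
        if rec is None or self._clock() >= rec.expires_at:
            raise NoSecretFound("No secret found")
        data = open_sealed(self._service_key, rec.blob)
        if rec.passphrase_protected:
            if passphrase is None:
                raise ValueError("passphrase required")
            salt, inner = data[:SALT_LEN], data[SALT_LEN:]
            data = open_sealed(_passphrase_key(passphrase, salt), inner)  # raises on mistype
        return data.decode()


def demo() -> Dict[str, str]:
    """Walk through the page's scenarios with a controllable clock (constructed samples)."""
    now = [1_700_000_000.0]
    sm = SecretManager(clock=lambda: now[0])
    results: Dict[str, str] = {}
    t1 = sm.register("Tr0ub4dor&3")  # constructed sample password
    results["first_read"] = sm.retrieve(t1)
    try:
        sm.retrieve(t1)
    except NoSecretFound as e:
        results["second_read"] = str(e)
    t2 = sm.register("RK-0000-1111-2222")  # constructed BitLocker-style key
    now[0] += SECRET_TTL_SECONDS  # 7 days pass without retrieval
    try:
        sm.retrieve(t2)
    except NoSecretFound as e:
        results["expired_read"] = str(e)
    t3 = sm.register("door 4-2-7-1", passphrase="correct horse")
    try:
        sm.retrieve(t3, passphrase="correct hoarse")  # mistyped passphrase
    except ValueError:
        results["wrong_passphrase"] = "authentication failed"
    try:
        sm.retrieve(t3, passphrase="correct horse")  # retry: already consumed
    except NoSecretFound as e:
        results["retry_after_mistype"] = str(e)
    return results
```

Running `demo()` shows each behaviour the page describes: the first read succeeds, the second read and the read after 7 days both fail with "No secret found", and a mistyped passphrase consumes the secret so the sender must register it again.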