1Open Secrets Hub

Navigation

Administration β†’ Secrets β†’ Secrets Hub (/secrets-hub)

Navigate to /secrets-hub. On first visit a welcome screen describes the Vault connection and available mount points. The main layout has a left sidebar with the mount point and path tree, and a right panel that shows the secret list for the selected path or the detail for a selected secret.

πŸ’‘
Vault-backed, not personal

Secrets Hub connects to your organisation's HashiCorp Vault instance (or compatible backend). Secrets created here are stored in Vault, not in EmpowerNow's database. Access is controlled by both EmpowerNow permissions and Vault policies.

2Browse Vault paths

Left sidebar

Expand mount points to navigate the path tree

experience.your-tenant.empowernow.ai/secrets-hub
Mount Points
β–Ό secret/
πŸ“ apps/
πŸ“ apps/backend/ ←
πŸ“ infra/
β–Ά kv/
secret/apps/backend/
KeyLast ModifiedVersionActions
DATABASE_PASSWORD2d agov4
ViewRotate
API_SECRET_KEY14d agov2
View⚠ Rotate

Click a mount point to expand it and reveal sub-paths. Click a path folder to load its secrets in the right panel. The breadcrumb at the top of the right panel shows the current path. The URL updates to reflect the selected path, so you can bookmark frequently accessed paths.

3Read a secret value

View secret

Click a secret row to open its detail β€” value is masked by default

Clicking a secret row opens its detail panel on the right (or a full-width panel). The value is shown as β€’β€’β€’β€’β€’β€’β€’β€’β€’β€’ by default. Click the πŸ‘ Reveal button or eye icon to show the actual value. The reveal action is logged in the audit trail.

Detail panel elementWhat it shows
Value (masked)Placeholder dots until revealed. Toggle with eye icon.
Copy buttonCopies the value to clipboard without revealing it on screen. Shows "Copied!" for 2s.
VersionCurrent version number (KV v2 keeps history). "Show History" expands previous versions.
Last ModifiedTimestamp of last write and the identity that wrote it.
Rotation indicatorAmber warning if the secret exceeds the rotation policy age threshold.
⚠️
Read access is audited

Every reveal action is logged with the user identity, timestamp, and secret path. These logs appear in the Security Dashboard's access events section and can be exported for compliance audits.

4Create a secret

New secret

Navigate to the target path, then click + New Secret

Browse to the path where you want to create the secret. Click + New Secret in the right panel. A form appears:

FieldNotes
Key NameUnique within the path. Conventionally uppercase with underscores (API_SECRET_KEY). No slashes.
Secret ValueThe sensitive value. Stored encrypted in Vault. Not stored in EmpowerNow's database.
DescriptionHuman-readable purpose. Stored as metadata. Helps future maintainers understand the secret's role.

5Update & rotate

Update

Click Edit in the secret detail to update the value

Click Edit on the secret detail panel. The value field becomes editable. Update the value and click Save. This creates a new version in Vault KV v2. The previous version is preserved and accessible via "Show History".

Rotate

Use Rotate for scheduled secret rotation

Click Rotate on a secret row or the detail panel. The Rotate flow prompts for the new value (optionally generates a cryptographically random value with the Generate Random button). Saving creates version N+1. The amber rotation-overdue indicator clears after a successful rotation.

βœ…
Rotation workflow best practice

1. Generate a new value. 2. Update the consuming application's config to use the new value. 3. Verify the application works with the new value. 4. Then rotate in EmpowerNow. This avoids downtime during rotation.

6Security Dashboard

Dashboard tab

Click Security Dashboard in the Secrets Hub navigation

The Security Dashboard gives a compliance overview of your entire secret store. It shows:

Dashboard sectionWhat it shows
Total secrets countCount of all secrets across all mount points accessible to your account
Secrets by mountBreakdown of secret count per Vault mount point
Rotation overdueSecrets older than the rotation policy threshold, highlighted in amber. Click to navigate directly to the secret
Recent access eventsWho read which secret, when. Searchable and exportable as CSV
Anomaly alertsUnusual access patterns flagged by the risk engine (e.g. bulk reads, access from new location)
βœ…
Use for compliance audits

Export the access events CSV before quarterly reviews to demonstrate controlled access to secret values. The export includes user identity, secret path, action (read/write/rotate), and timestamp.

7Delete a secret

Delete options

Two deletion modes β€” soft and permanent

In the secret detail panel, click Delete to open the delete dialog. Two options are presented:

OptionWhat happensRecoverable?
Soft DeleteMarks the secret as deleted in Vault. The secret no longer appears in the list but the data is preserved in Vault's deleted versions. Can be undeleted.Yes β€” via Vault CLI or "Undelete" button
Permanently DestroyDestroys all versions of the secret in Vault KV v2. The key is removed entirely. This operation is irreversible.No

For Permanently Destroy, a confirmation input asks you to type the exact key name before proceeding. This prevents accidental destruction.

🚨
Production impact

Destroying a secret that is actively used by a running application will cause that application to fail on its next attempt to read the secret. Always verify which applications depend on the secret before destroying it, and ensure they have been updated to use a replacement secret or have been decommissioned.

Related guides

πŸ“ My Secrets 🀝 Secret Sharing