1Open Secrets Hub
Administration β Secrets β Secrets Hub (/secrets-hub)
Navigate to /secrets-hub. On first visit a welcome screen describes the Vault connection and available mount points. The main layout has a left sidebar with the mount point and path tree, and a right panel that shows the secret list for the selected path or the detail for a selected secret.
Secrets Hub connects to your organisation's HashiCorp Vault instance (or compatible backend). Secrets created here are stored in Vault, not in EmpowerNow's database. Access is controlled by both EmpowerNow permissions and Vault policies.
2Browse Vault paths
Expand mount points to navigate the path tree
| Key | Last Modified | Version | Actions |
|---|---|---|---|
| DATABASE_PASSWORD | 2d ago | v4 | ViewRotate |
| API_SECRET_KEY | 14d ago | v2 | Viewβ Rotate |
Click a mount point to expand it and reveal sub-paths. Click a path folder to load its secrets in the right panel. The breadcrumb at the top of the right panel shows the current path. The URL updates to reflect the selected path, so you can bookmark frequently accessed paths.
3Read a secret value
Click a secret row to open its detail β value is masked by default
Clicking a secret row opens its detail panel on the right (or a full-width panel). The value is shown as β’β’β’β’β’β’β’β’β’β’ by default. Click the π Reveal button or eye icon to show the actual value. The reveal action is logged in the audit trail.
| Detail panel element | What it shows |
|---|---|
| Value (masked) | Placeholder dots until revealed. Toggle with eye icon. |
| Copy button | Copies the value to clipboard without revealing it on screen. Shows "Copied!" for 2s. |
| Version | Current version number (KV v2 keeps history). "Show History" expands previous versions. |
| Last Modified | Timestamp of last write and the identity that wrote it. |
| Rotation indicator | Amber warning if the secret exceeds the rotation policy age threshold. |
Every reveal action is logged with the user identity, timestamp, and secret path. These logs appear in the Security Dashboard's access events section and can be exported for compliance audits.
4Create a secret
Navigate to the target path, then click + New Secret
Browse to the path where you want to create the secret. Click + New Secret in the right panel. A form appears:
| Field | Notes |
|---|---|
| Key Name | Unique within the path. Conventionally uppercase with underscores (API_SECRET_KEY). No slashes. |
| Secret Value | The sensitive value. Stored encrypted in Vault. Not stored in EmpowerNow's database. |
| Description | Human-readable purpose. Stored as metadata. Helps future maintainers understand the secret's role. |
5Update & rotate
Click Edit in the secret detail to update the value
Click Edit on the secret detail panel. The value field becomes editable. Update the value and click Save. This creates a new version in Vault KV v2. The previous version is preserved and accessible via "Show History".
Use Rotate for scheduled secret rotation
Click Rotate on a secret row or the detail panel. The Rotate flow prompts for the new value (optionally generates a cryptographically random value with the Generate Random button). Saving creates version N+1. The amber rotation-overdue indicator clears after a successful rotation.
1. Generate a new value. 2. Update the consuming application's config to use the new value. 3. Verify the application works with the new value. 4. Then rotate in EmpowerNow. This avoids downtime during rotation.
6Security Dashboard
Click Security Dashboard in the Secrets Hub navigation
The Security Dashboard gives a compliance overview of your entire secret store. It shows:
| Dashboard section | What it shows |
|---|---|
| Total secrets count | Count of all secrets across all mount points accessible to your account |
| Secrets by mount | Breakdown of secret count per Vault mount point |
| Rotation overdue | Secrets older than the rotation policy threshold, highlighted in amber. Click to navigate directly to the secret |
| Recent access events | Who read which secret, when. Searchable and exportable as CSV |
| Anomaly alerts | Unusual access patterns flagged by the risk engine (e.g. bulk reads, access from new location) |
Export the access events CSV before quarterly reviews to demonstrate controlled access to secret values. The export includes user identity, secret path, action (read/write/rotate), and timestamp.
7Delete a secret
Two deletion modes β soft and permanent
In the secret detail panel, click Delete to open the delete dialog. Two options are presented:
| Option | What happens | Recoverable? |
|---|---|---|
| Soft Delete | Marks the secret as deleted in Vault. The secret no longer appears in the list but the data is preserved in Vault's deleted versions. Can be undeleted. | Yes β via Vault CLI or "Undelete" button |
| Permanently Destroy | Destroys all versions of the secret in Vault KV v2. The key is removed entirely. This operation is irreversible. | No |
For Permanently Destroy, a confirmation input asks you to type the exact key name before proceeding. This prevents accidental destruction.
Destroying a secret that is actively used by a running application will cause that application to fail on its next attempt to read the secret. Always verify which applications depend on the secret before destroying it, and ensure they have been updated to use a replacement secret or have been decommissioned.