Secret Checkout

Secret Checkout is a virtual protocol for establishing an access session to an account secret. The Checkout function allows a user to temporarily take a secret from a secret vault. The user then informs Fudo that the secret is no longer needed by returning it to the secret vault with a Checkin operation.


Note

The protocol is virtual in the sense that there is no TCP/IP session related to it; only metadata is stored (for example checkout time, checkin time and who accessed the secret). Because there is no TCP/IP traffic, no data that could be replayed is saved. This makes checkout sessions lightweight compared to sessions recorded with data, such as RDP.

In case of a breach, having secret checkouts recorded as sessions allows one to pinpoint who had access to the leaked secret.

A request for a secret checkout is sent by a user via the User Portal. If the given safe is set to require approval, the request can be approved or declined by an administrator. The user can view and copy the password at any time during the session, which remains active until the password is returned or the password's validity period expires.


The secret can be returned automatically after a given period of time or returned manually by the user via the User Portal. More on how to configure a timeout for automatic return of the password can be found on the Creating a safe page under the Users tab section and on the Creating an account with regular type page under the Credentials section.

When a checkout timeout is configured for an account with an ongoing checkout session, another user can check out the secret, too. In this situation that user has to confirm the operation by forcing the checkout. In this way the checkout operation provides soft exclusiveness: a holder is not locked out indefinitely, but displacing them is an explicit, recorded action.


After return, the secret can be automatically changed to a new one, generated in accordance with the Password Change Policy specified for the particular account.
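The lifecycle described above (request, optional approval, checkout, reveal during the session, forced checkout when a timeout is configured, automatic or manual return, and rotation after return) is easiest to reason about as a small state machine with an audit trail. The following is an added illustration written for this page; it is not Fudo's code or API. The class and method names (AccountSecret, checkout, checkin, reveal, access_log), the use of caller-supplied integer timestamps, and the rotation callback standing in for a Password Change Policy are all assumptions made for the example.

```python
"""Toy model of a secret checkout / checkin workflow with an audit trail.

Hypothetical illustration for this page, not Fudo's implementation.
Only metadata about each checkout is recorded (who, when taken, when
returned, whether it was forced); there is no session data to replay.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class CheckoutRecord:
    user: str
    checkout_time: int                # seconds, supplied by the caller
    checkin_time: Optional[int] = None
    forced: bool = False              # True when this checkout displaced another holder


class CheckoutError(Exception):
    pass


class AccountSecret:
    """One account secret held in a safe (assumed structure, not Fudo's)."""

    def __init__(self, password: str, timeout: Optional[int] = None,
                 require_approval: bool = False,
                 change_policy: Optional[Callable[[], str]] = None):
        self._password = password
        self.timeout = timeout                 # automatic return after this many seconds
        self.require_approval = require_approval
        self.change_policy = change_policy     # stands in for the Password Change Policy
        self.active: Optional[CheckoutRecord] = None
        self.history: list[CheckoutRecord] = []

    def _return(self, when: int) -> None:
        """Close the active session; rotate the secret if a policy is configured."""
        self.active.checkin_time = when
        self.active = None
        if self.change_policy is not None:
            self._password = self.change_policy()

    def _expire(self, now: int) -> None:
        """Automatic return once the configured timeout has elapsed."""
        if self.active and self.timeout is not None \
                and now >= self.active.checkout_time + self.timeout:
            self._return(self.active.checkout_time + self.timeout)

    def checkout(self, user: str, now: int, approved: bool = False,
                 force: bool = False) -> str:
        if self.require_approval and not approved:
            raise CheckoutError("checkout request awaits administrator approval")
        self._expire(now)
        displaced = False
        if self.active is not None:
            if self.timeout is None:
                raise CheckoutError(f"checked out by {self.active.user}; "
                                    "no timeout configured, wait for checkin")
            if not force:
                raise CheckoutError(f"checked out by {self.active.user}; "
                                    "confirm by forcing checkout")
            self._return(now)          # soft exclusiveness: the holder's session ends
            displaced = True
        rec = CheckoutRecord(user, now, forced=displaced)
        self.active = rec
        self.history.append(rec)
        return self._password

    def reveal(self, user: str, now: int) -> str:
        """The holder may view/copy the password at any time during the session."""
        self._expire(now)
        if self.active is None or self.active.user != user:
            raise CheckoutError("no active checkout session for this user")
        return self._password

    def checkin(self, user: str, now: int) -> None:
        self._expire(now)
        if self.active is None or self.active.user != user:
            raise CheckoutError("nothing to return")
        self._return(now)

    def access_log(self) -> list:
        """Who had the secret and when: the data a breach investigation needs."""
        return [(r.user, r.checkout_time, r.checkin_time, r.forced) for r in self.history]


def demo() -> dict:
    """Constructed walk-through: checkout, blocked and forced checkout, timeout, checkin."""
    counter = iter(range(1, 100))
    secret = AccountSecret("initial-pw", timeout=600,
                           change_policy=lambda: f"rotated-{next(counter)}")
    first = secret.checkout("alice", now=0)
    try:
        secret.checkout("bob", now=100)          # alice still holds it: refused
        blocked = False
    except CheckoutError:
        blocked = True
    second = secret.checkout("bob", now=100, force=True)   # alice's session is returned
    bob_sees = secret.reveal("bob", now=300)
    third = secret.checkout("carol", now=800)   # bob's session expired at 700, no force needed
    secret.checkin("carol", now=850)
    return {"first": first, "blocked": blocked, "second": second,
            "bob_sees": bob_sees, "third": third, "log": secret.access_log()}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The point of the model is the audit trail: every record carries who took the secret, when, when it came back and whether the return was forced by someone else, and each return can trigger rotation so the value that was handed out stops being valid. That is exactly the metadata the page says is kept in place of a recorded TCP/IP session.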


Notes: