PasswordLab Master Vault Locking Guide

Locking the master vault is a critical security feature in PasswordLab, allowing administrators to immediately cut off all access to sensitive data. This guide explains when and how to lock the master vault, what happens during the process, and best practices for secure operations.

What is the Master Vault Lock?

The master vault lock is a security mechanism that:

• Instantly revokes all user sessions and API connections
• Prevents any access to stored credentials and secrets
• Requires the vault to be unlocked (with master key pieces) before access is restored

The vault automatically locks when the server is rebooted or the PasswordLab service is restarted. However, administrators can also manually lock the vault at any time.

When Should You Lock the Master Vault?

• Emergency situations (e.g., suspected breach, insider threat, or compromised device)
• Planned maintenance (e.g., before server upgrades or migrations)
• Policy enforcement (e.g., at the end of a business day or during audits)
• Any time you want to ensure zero access to all stored secrets

How to Lock the Master Vault (Step-by-Step)

1. Log in as Administrator

• Open the PasswordLab web app in your browser
• Log in using your administrator credentials

2. Navigate to Vault Management

• Click on the Settings menu
• Select Manage Vault from the options

3. Initiate the Lock

• Locate the Lock Master Vault button (usually a prominent blue button)
• Read the caution messages carefully:
  • Locking the vault will immediately disconnect all users, including yourself
  • No one will be able to access any credentials until the vault is unlocked

4. Confirm the Action

• Click the Lock Master Vault button
• A confirmation dialog will appear
• Click Yes, Lock the Vault to proceed

5. Session Termination

• Your session and all other active sessions will be instantly terminated
• You will be redirected to the vault unlock screen
• All users will see the vault locked state and cannot log in until it is unlocked

What Happens When the Vault is Locked?

• All sessions are invalidated: No user or API can access any data
• Immediate effect: The lock is enforced instantly, regardless of user activity
• Unlock required: Only by providing the required number of master key pieces can the vault be unlocked

Unlocking the Vault

• To regain access, follow the unlocking process (see the Unlocking the Master Vault guide)
• You will need at least the minimum required number of master key pieces (e.g., 3 out of 5)

Best Practices

• Communicate: Notify users before locking the vault during planned events
• Use for emergencies: Lock the vault immediately if you suspect a security incident
• Test the process: Periodically test locking and unlocking to ensure all administrators are familiar with the procedure
• Keep key holders informed: Ensure those with master key pieces are available when needed

Troubleshooting

• Cannot access the vault after locking?
  • Ensure you have the required number of valid master key pieces
  • Contact other key holders if you do not have enough pieces
• Accidentally locked the vault?
  • Follow the unlock process with the required key pieces
• Lost key pieces?
  • Without the minimum required key pieces, the vault cannot be unlocked. Always keep key pieces secure and accessible.

By following this guide, you can confidently use the master vault lock feature to protect your organization's sensitive data in PasswordLab.