Data encryption in the local IBM RPA Vault

The IBM RPA Vault component is responsible for configuring and encrypting credentials. It has two modes: the local (user) vault and the systemic vault. This section describes data encryption in the local vault.

The local vault generates a public/private key pair from your vault password. The public key is stored as a string literal in the database, and the private key is stored encrypted by IBM RPA's encryption subsystem. You define the vault password in IBM RPA Vault.

Note: IBM RPA doesn't store the vault password. Because the keys that protect the vault are derived from it, a forgotten password cannot be reset in place, and the registered credentials cannot be recovered. You must define a new vault password and register all the credentials again.

In local vault mode, IBM RPA's database server stores the data with auditing enabled at the database instance level, a feature available since Microsoft SQL Server 2014. The Bot Agent, IBM RPA's local service, authenticates requests from IBM RPA Vault through a proprietary method that combines several encryption techniques, including one-time pads (OTP). After authentication, the Bot Agent encrypts the data in recursive routines that use a series of asymmetric key pairs of varying length, including 2048-bit keys. The encrypted data is then stored in the database through a request to the application servers; the data is also encrypted in transit.

A one-time pad is information-theoretically secure: a ciphertext reveals nothing about the plaintext except its length, because every plaintext of that length is equally consistent with it. This holds only if the pad is truly random, at least as long as the message, and never reused; a pad used twice leaks the XOR of the two plaintexts.
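The two sides of that statement, the perfect-secrecy argument and the failure when a pad is reused, can be shown in a few lines. The following is an added example using constructed sample messages; it is not IBM RPA code and says nothing about how the product's authentication actually uses OTP. The function names are chosen for this illustration.

```python
"""One-time pad (OTP): perfect secrecy, and what happens when the pad is
reused. Constructed illustration, not IBM RPA code."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; an OTP key must match the message length."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the data it covers")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length: int) -> bytes:
    """A fresh pad: uniformly random bytes from the OS CSPRNG, one per message byte."""
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    return xor_bytes(message, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    return xor_bytes(ciphertext, pad)  # XOR is its own inverse


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy, constructively: for ANY candidate plaintext of the right
    length there is a pad under which the ciphertext decrypts to it, so the
    ciphertext alone cannot rule that candidate out. Only the length leaks."""
    return xor_bytes(ciphertext, candidate)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If one pad covers two messages the pad cancels out: c1 XOR c2 == m1 XOR m2.
    No key is needed to compute this."""
    return xor_bytes(c1, c2)


def crib_drag(leak: bytes, known_fragment: bytes, offset: int) -> bytes:
    """Given m1 XOR m2 and a guessed fragment of m1 at `offset`, recover the
    bytes of m2 at the same position (the classic attack on a reused pad)."""
    window = leak[offset:offset + len(known_fragment)]
    return xor_bytes(window, known_fragment)


if __name__ == "__main__":
    m1 = b"vault password: hunter2"  # constructed sample messages, same length
    m2 = b"vault password: s3cret!"
    pad = new_pad(len(m1))

    c1 = otp_encrypt(m1, pad)
    assert otp_decrypt(c1, pad) == m1
    # Ciphertext length equals message length: the one thing an OTP reveals.
    assert len(c1) == len(m1)
    # Any same-length decoy is a valid decryption under some pad.
    decoy = b"vault password: correct"
    assert otp_decrypt(c1, pad_explaining(c1, decoy)) == decoy

    # Reusing the pad throws the guarantee away.
    c2 = otp_encrypt(m2, pad)
    leak = two_time_pad_leak(c1, c2)
    assert leak == xor_bytes(m1, m2)
    # The shared prefix is a natural crib; guessing m1's secret recovers m2's.
    assert crib_drag(leak, b"hunter2", 16) == b"s3cret!"
    print("OTP demo OK")
```

The practical consequence for any protocol that uses OTP for authentication or transport is that pad material must come from a CSPRNG, be as long as the data, and be discarded after a single use; the `crib_drag` step shows how little an attacker needs once a pad is reused.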

Data at rest

IBM RPA's database server stores both the public and the private key. The public key is a string literal, and the private key is stored as the output of IBM RPA's encryption subsystem. Both keys are generated from the vault password.
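The properties stated here and in the note above (keys derived from the vault password, the private key stored only in encrypted form, the password itself never stored, no recovery without it) can be made concrete with a small model. This is an added example and not IBM RPA's encryption subsystem: it assumes an already-generated private key, wraps it under a key derived from the password with PBKDF2-HMAC-SHA256, and uses a toy HMAC-based stream cipher so it needs only the standard library. The record field names, iteration count and key material are assumptions for the illustration; real code should use a vetted AEAD cipher.

```python
"""Password-derived wrapping of a vault private key. Constructed illustration
of the at-rest properties described above; not IBM RPA's encryption subsystem.
The wrapping key is derived from the vault password and never stored, so a
forgotten password leaves the wrapped private key unrecoverable. The stream
cipher is a toy built from HMAC-SHA256 in counter mode; use a vetted AEAD in
real code."""
import base64
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 cost; chosen for this example


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password into an encryption key and a separate MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def to_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def from_b64(text: str) -> bytes:
    return base64.b64decode(text)


def wrap_private_key(private_key: bytes, public_key: str, password: str) -> dict:
    """Build the record that would be stored at rest: the public key in the
    clear, the private key encrypted, plus the salt, nonce and tag needed to
    check and unwrap it. Neither the password nor any derived key is stored."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, salt)
    stream = keystream(enc_key, nonce, len(private_key))
    ciphertext = bytes(p ^ k for p, k in zip(private_key, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "public_key": public_key,
        "salt": to_b64(salt),
        "nonce": to_b64(nonce),
        "private_key_enc": to_b64(ciphertext),
        "tag": to_b64(tag),
    }


def unwrap_private_key(record: dict, password: str) -> bytes:
    """Re-derive the keys from the password, verify the tag, then decrypt.
    A wrong password gives different keys, the tag check fails and nothing is
    decrypted: no stored secret exists that could bypass this."""
    salt = from_b64(record["salt"])
    nonce = from_b64(record["nonce"])
    ciphertext = from_b64(record["private_key_enc"])
    tag = from_b64(record["tag"])
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong vault password or tampered record")
    stream = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    # Constructed key material; a real deployment would generate an actual key pair.
    private_key = b"-----BEGIN TOY PRIVATE KEY-----\nnot-a-real-key\n-----END TOY PRIVATE KEY-----"
    record = wrap_private_key(private_key, "toy-public-key-literal", "correct horse battery")
    assert unwrap_private_key(record, "correct horse battery") == private_key
    try:
        unwrap_private_key(record, "wrong password")
    except ValueError as err:
        print("rejected:", err)
    print("stored fields:", sorted(record))  # no password, no derived key
```

Two details carry the security argument: the tag is checked before any decryption, so a wrong password or a tampered record is rejected without producing garbage; and the record contains only a salt, a nonce, ciphertext and a tag, which is why losing the password is unrecoverable rather than merely inconvenient.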

Data in use

To protect local vault credentials, the Bot Runtime that runs the bot requests them from the Bot Agent only when they are needed. The Bot Agent in turn requests them from the IBM RPA Vault system, which prompts you to open IBM RPA Vault if it is closed and returns the encrypted vault password to the Bot Agent.

With the encrypted vault password, the Bot Agent requests the public and private keys from the IBM RPA API. With the keys, the Bot Agent decrypts the vault password and retrieves the credential.

In your script, credentials are held in a special protected variable type. You can pass this variable type to certain commands, but you cannot view its content.

Data in transit

Traffic between the IBM RPA server and IBM RPA Vault is encrypted with polymorphic algorithms that combine several secure encryption algorithms with OTP.

Data in memory

To protect credentials, both the Bot Agent and the IBM RPA Vault interface use the Windows Data Protection API (DPAPI) to protect the memory locations that hold confidential data. For more information on Windows Data Protection, see the Microsoft documentation.