Data encryption in the systemic IBM RPA Vault

The IBM RPA Vault component is responsible for configuring and encrypting credentials. It has two modes: the local (user) vault and the systemic vault. This section describes data encryption in the systemic vault.

When you use the systemic vault, you generate a public/private key pair yourself and provide the public key for data encryption. The Bot Runtime looks for the matching private key on the host computer to decrypt the data. You configure both keys in the IBM RPA Control Center.

The Bot Runtime is the sandbox environment that runs bots on a computer. It fetches the encrypted credential from the IBM RPA server and decrypts it locally with the private key configured in IBM RPA Control Center, so the private key must be present on the local computer.

Data at rest

In the systemic vault, protecting the private key is the responsibility of the security systems of the organization that owns it; IBM RPA stores only the public key, as a string literal in the IBM RPA database server. Anyone who can read the private key file can decrypt every credential in the vault, so restrict its file permissions to the account the Bot Runtime runs under.

Data in use

To protect the credentials, the Bot Runtime calls the IBM RPA API to get the encrypted credentials and the private key path, then decrypts the credentials locally with that private key.

In your script, credentials are held in a special protected variable type. You can use this variable type only in certain commands, and you cannot view its content.
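The key-pair generation, the private-key file protection from the "Data at rest" section, and the encrypt-on-the-server / decrypt-on-the-runtime flow described above, as an added example that is not IBM RPA's own code. It assumes things the page does not state: RSA-2048 keys in .NET XML format, OAEP padding, and a private-key file whose path is handed to the runtime. The function names, the key path and the sample secret are made up.

```powershell
# Added example, not IBM RPA's own code. Assumptions the page does not state: RSA-2048 keys in
# .NET XML format, OAEP padding, and a private-key file whose path is handed to the runtime.
# Function names, the key path and the sample secret are made up.

# Key generation, done once by the organization. The returned public key is what you register in
# Control Center (and what the server stores as a string); the private key is written only to the host.
function New-VaultKeyPair {
    param([Parameter(Mandatory)][string]$PrivateKeyPath, [int]$KeySize = 2048)
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($KeySize)
    try {
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $PrivateKeyPath) | Out-Null
        Set-Content -Path $PrivateKeyPath -Value $rsa.ToXmlString($true) -Encoding UTF8
        # Data at rest: the file is only as safe as its ACL. Remove inherited entries and leave
        # read access to the account the Bot Runtime runs under (here, the current user).
        $runtimeAccount = "$($env:USERDOMAIN)\$($env:USERNAME)"
        icacls $PrivateKeyPath /inheritance:r /grant:r "${runtimeAccount}:(R)" | Out-Null
        return $rsa.ToXmlString($false)      # public half only
    } finally {
        $rsa.PersistKeyInCsp = $false         # do not leave a copy in a CSP key container
        $rsa.Dispose()
    }
}

# Server side: holds only the public key string, so it can encrypt but never decrypt.
function Protect-VaultCredential {
    param([Parameter(Mandatory)][string]$PublicKeyXml, [Parameter(Mandatory)][string]$Secret)
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    try {
        $pub.FromXmlString($PublicKeyXml)
        $plain = [Text.Encoding]::UTF8.GetBytes($Secret)
        # OAEP ($true). With a 2048-bit key OAEP caps the plaintext at 214 bytes; anything larger
        # needs a hybrid scheme (random AES key wrapped by RSA), which the page does not describe.
        $cipher = $pub.Encrypt($plain, $true)
        [Array]::Clear($plain, 0, $plain.Length)
        return [Convert]::ToBase64String($cipher)
    } finally {
        $pub.PersistKeyInCsp = $false
        $pub.Dispose()
    }
}

# Bot Runtime side: the API returns the ciphertext and the private key path; decryption is local.
function Unprotect-VaultCredential {
    param([Parameter(Mandatory)][string]$PrivateKeyPath, [Parameter(Mandatory)][string]$CipherBase64)
    $priv = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    try {
        $priv.FromXmlString((Get-Content -Raw -Path $PrivateKeyPath))
        $plain = $priv.Decrypt([Convert]::FromBase64String($CipherBase64), $true)
        # Hand the secret on as a SecureString, the PowerShell analogue of the protected variable type.
        $chars  = [Text.Encoding]::UTF8.GetChars($plain)
        $secure = New-Object System.Security.SecureString
        foreach ($ch in $chars) { $secure.AppendChar($ch) }
        $secure.MakeReadOnly()
        [Array]::Clear($plain, 0, $plain.Length)
        [Array]::Clear($chars, 0, $chars.Length)
        return $secure
    } finally {
        $priv.PersistKeyInCsp = $false
        $priv.Dispose()
    }
}

# Usage, plus the check that matters: the public key alone must not decrypt anything.
$keyPath   = 'C:\RPA\keys\vault-private.xml'                 # assumed location on the runtime host
$publicKey = New-VaultKeyPair -PrivateKeyPath $keyPath
$blob      = Protect-VaultCredential -PublicKeyXml $publicKey -Secret 'P@ssw0rd-for-SAP'   # constructed sample
$cred      = Unprotect-VaultCredential -PrivateKeyPath $keyPath -CipherBase64 $blob
"decrypted credential held as SecureString, length $($cred.Length)"   # length only, never the text
try {
    $pubOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pubOnly.FromXmlString($publicKey)
    $null = $pubOnly.Decrypt([Convert]::FromBase64String($blob), $true)
    'FAIL: the public key alone decrypted the credential'
} catch [System.Security.Cryptography.CryptographicException] {
    'OK: the public key alone cannot decrypt'
}
```

Two points the split makes visible: the server-side code path never touches private-key material, and the runtime never needs to turn the credential back into a .NET string (strings are immutable and cannot be scrubbed), which is the reason a protected variable type that cannot be displayed is the right container for it.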

Data in transit

The data traffic between the IBM RPA server and the IBM RPA Vault is encrypted with polymorphic algorithms, that is, a varying selection of secure encryption algorithms combined with OTP.

Data in memory

To protect credentials, both the Bot Runtime and the IBM RPA Vault interface use Windows Data Protection (DPAPI) to secure confidential memory locations. For more information on Windows Data Protection, see the Microsoft documentation.
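What "securing a confidential memory location" with Windows Data Protection looks like in practice, as an added example that is not IBM RPA's own code. It uses DPAPI memory protection (CryptProtectMemory, surfaced in .NET Framework as System.Security.Cryptography.ProtectedMemory), which the page's Microsoft reference covers; whether IBM RPA calls this exact API is not stated on the page. It needs Windows PowerShell 5.1, since ProtectedMemory is not available on PowerShell 7 (.NET Core). The function names and the sample secret are made up.

```powershell
# Added example, not IBM RPA's own code: DPAPI memory protection (CryptProtectMemory, surfaced in
# .NET Framework as System.Security.Cryptography.ProtectedMemory) applied to a decrypted credential.
# Needs Windows PowerShell 5.1; ProtectedMemory is not available on PowerShell 7 (.NET Core).
# Function names and the sample secret are made up.
Add-Type -AssemblyName System.Security

# ProtectedMemory encrypts a buffer in place and requires a length that is a multiple of 16 bytes,
# so the real length travels alongside the padded buffer.
function Protect-SecretInMemory {
    param([Parameter(Mandatory)][byte[]]$Secret)
    if ($Secret.Length -eq 0) { throw 'empty secret' }
    $length = $Secret.Length
    $padded = New-Object byte[] ((($length + 15) -band (-bnot 15)))
    [Array]::Copy($Secret, $padded, $length)
    [Array]::Clear($Secret, 0, $length)          # scrub the caller's cleartext copy
    $scope = [System.Security.Cryptography.MemoryProtectionScope]::SameProcess
    [System.Security.Cryptography.ProtectedMemory]::Protect($padded, $scope)
    return @{ Buffer = $padded; Length = $length }
}

# Decrypt only for the duration of $Action, then re-encrypt in place whatever happens.
function Use-SecretInMemory {
    param([Parameter(Mandatory)][hashtable]$Protected, [Parameter(Mandatory)][scriptblock]$Action)
    $scope = [System.Security.Cryptography.MemoryProtectionScope]::SameProcess
    $clear = New-Object byte[] $Protected.Length
    [System.Security.Cryptography.ProtectedMemory]::Unprotect($Protected.Buffer, $scope)
    try {
        [Array]::Copy($Protected.Buffer, $clear, $Protected.Length)
        & $Action $clear
    } finally {
        [System.Security.Cryptography.ProtectedMemory]::Protect($Protected.Buffer, $scope)
        [Array]::Clear($clear, 0, $clear.Length)
    }
}

# Constructed sample; in the real flow these bytes come straight from the vault decryption step.
$secretBytes = [Text.Encoding]::UTF8.GetBytes('P@ssw0rd-for-SAP')
$held = Protect-SecretInMemory -Secret $secretBytes
# $secretBytes is now all zeros and $held.Buffer is ciphertext bound to this process, so a memory
# dump taken at this point contains neither the credential nor a key that works outside the process.
Use-SecretInMemory -Protected $held -Action {
    param([byte[]]$Clear)
    # Hand $Clear to the consuming API here; the demo only reports its length, never its content.
    "credential of $($Clear.Length) bytes in use"
}
```

The cleartext exists only inside the scriptblock and only as a byte array that gets zeroed afterwards. A .NET string copy would defeat this, because strings are immutable and stay in the heap until the garbage collector gets to them, which is why the protected variable type deliberately gives you no way to read its content.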