SFT keyring
If you enable the SFT keyring, all plaintext tokens in the state.json file are encrypted using the default system keyring. Once the SFT keyring is established on a system, it's automatically updated when the user signs in to Okta Privileged Access or attempts to access a server.
Once the SFT keyring is activated, the change can't be reversed. You can use the noop keyring on any operating system that doesn't offer encryption. To switch to the noop keyring, users must re-enroll and log in again.
Before you begin
- The SFT keyring encrypts access tokens. If the keys needed to decrypt the tokens are unavailable, decryption is impossible, which prevents unauthorized data exfiltration.
- On Linux, the SFT keyring uses D-Bus to connect to a desktop-specific SecretService and proactively secures access tokens. If sft can't reach an unlocked SecretService, it can't decrypt those tokens. If you use Linux in both desktop and non-desktop sessions, you may therefore be locked out of your tokens while in a non-desktop session. To avoid this, use the insecure noop keyring:
  - Set SFT_KEYRING to noop in your shell initialization scripts.
  - Re-enroll. See Enroll the Okta Privileged Access client.
Default keyring
The SFT keyring must be configured on every device. Each operating system provides a default keyring and determines the most suitable one to use. Setting the keyring value to system in the configuration lets the operating system select the optimal keyring automatically.
macOS
SFT keyring encrypts by default on macOS. You can set the keyring using the User Defaults framework:
$ defaults write com.scaleft.ScaleFT SFTKeyring system
Alternatively, you can enable it by setting an environment variable:
export SFT_KEYRING=system
If both are set, the environment variable takes precedence.
To disable encryption, use noop instead of system in the environment variable, and then re-enroll in the team.
Windows
SFT keyring encrypts by default on Windows. You can set the keyring using the registry:
HKEY_LOCAL_MACHINE\Software\ScaleFT\SFT\Keyring
Or
HKEY_CURRENT_USER\Software\ScaleFT\SFT\Keyring
Alternatively, you can set the keyring using the SFT_KEYRING environment variable.
The HKEY_LOCAL_MACHINE entry takes precedence over both the environment variable and the HKEY_CURRENT_USER entry, and the environment variable takes precedence over the HKEY_CURRENT_USER entry.
To disable encryption, set the registry key to noop instead of system, and then re-enroll in the team.
Linux
On Linux, the keyring works only in a D-Bus desktop environment, and the default encryption method is system.
To set or update the SFT_KEYRING environment variable to system, add the following line to your shell profile:
export SFT_KEYRING=system
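As an added example (not Okta's own code), the following POSIX shell script resolves the effective keyring under the precedence rules given in the macOS and Windows sections above and, on Linux, checks whether a SecretService is reachable over D-Bus before relying on system, which is the non-desktop lock-out case described under Before you begin. The file name sft_keyring_check.sh, the use of dbus-send, and the treatment of an unset value on every platform as system are assumptions.

```shell
#!/bin/sh
# Added example, not Okta's code: resolve the keyring the sft client will use under
# the documented precedence rules and check SecretService reachability on Linux.

# effective_keyring HKLM ENV STORE
#   HKLM  : Windows HKEY_LOCAL_MACHINE\Software\ScaleFT\SFT\Keyring value ("" elsewhere)
#   ENV   : value of SFT_KEYRING ("" if unset)
#   STORE : macOS `defaults read com.scaleft.ScaleFT SFTKeyring`, or the Windows
#           HKEY_CURRENT_USER value ("" on Linux)
# Precedence: HKLM, then the environment variable, then the per-user store.
# Nothing set anywhere is treated as "system", the encrypting default (assumption).
effective_keyring() {
  hklm=$1; envval=$2; store=$3
  if [ -n "$hklm" ]; then printf '%s\n' "$hklm"
  elif [ -n "$envval" ]; then printf '%s\n' "$envval"
  elif [ -n "$store" ]; then printf '%s\n' "$store"
  else printf 'system\n'
  fi
}

# Returns 0 when a session bus is configured and some service owns
# org.freedesktop.secrets, 1 otherwise. Name ownership shows the service is
# present, not that its collection is unlocked; an unlocked check still belongs
# in the desktop's keyring tool.
secretservice_reachable() {
  [ -n "${DBUS_SESSION_BUS_ADDRESS:-}" ] || return 1
  command -v dbus-send >/dev/null 2>&1 || return 1
  dbus-send --session --print-reply --dest=org.freedesktop.DBus \
    /org/freedesktop/DBus org.freedesktop.DBus.NameHasOwner \
    string:org.freedesktop.secrets 2>/dev/null | grep -q 'boolean true'
}

# Linux pre-flight: prints the effective keyring and returns 1 when "system" is
# selected but no SecretService is reachable, i.e. tokens could not be decrypted.
sft_keyring_preflight() {
  kr=$(effective_keyring "" "${SFT_KEYRING:-}" "")
  printf 'effective keyring: %s\n' "$kr"
  [ "$kr" = system ] || return 0
  if secretservice_reachable; then
    printf 'SecretService reachable; encrypted tokens can be decrypted\n'
  else
    printf 'no reachable SecretService: set SFT_KEYRING=noop and re-enroll, or log in from the desktop session\n' >&2
    return 1
  fi
}

# Run the pre-flight only when invoked as: sh sft_keyring_check.sh run
if [ "${1:-}" = run ]; then sft_keyring_preflight; fi
```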
Related topics
Use the Okta Privileged Access client