Password Vault

The password vault provides HSM-backed encrypted credential storage for your client environments. Every password is encrypted with AES-256-GCM using per-record data encryption keys wrapped by an HSM-backed master key that never leaves the hardware security module.

Security Model

CMDB uses envelope encryption with two layers:

| Layer | What It Is | Where It Lives |
|---|---|---|
| KEK (Key Encryption Key) | RSA-HSM 4096-bit master key | Azure Key Vault Premium HSM — never exported |
| DEK (Data Encryption Key) | AES-256-GCM per-password key | Wrapped (encrypted) by KEK, stored alongside the ciphertext in Cosmos DB |

What Gets Encrypted

Each password record encrypts four fields: password, username, URL, and notes. These fields are never stored in plaintext and are never included in list view API responses.
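The two-layer scheme described above, as an added example written for this page (it is not CMDB's own code): a per-record AES-256-GCM DEK seals a field, the DEK is wrapped by an RSA KEK that only a simulated HSM can use, and the wrapped DEK is stored next to the ciphertext. Assumptions: the `HSM` type is a local stand-in for Azure Key Vault (a real deployment calls the Key Vault wrap/unwrap API instead), the KEK is 2048-bit here only to keep the example fast, the `Record` layout and the OAEP label are constructed, and the record ID is used as GCM additional authenticated data so a ciphertext copied onto another record fails to open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// HSM stands in for the Azure Key Vault Premium HSM: it holds the RSA KEK and
// exposes only wrap/unwrap, so callers never see the private key (assumption:
// a local simulation for this example, not the Key Vault client).
type HSM struct{ kek *rsa.PrivateKey }

// NewHSM generates the KEK. 2048 bits keeps the example fast; the vault's is 4096.
func NewHSM() (*HSM, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &HSM{kek: kek}, nil
}

// wrapLabel is the RSA-OAEP label, a constructed value for this example.
var wrapLabel = []byte("cmdb-password-dek")

// WrapKey encrypts a DEK under the KEK public key (RSA-OAEP with SHA-256).
func (h *HSM) WrapKey(dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &h.kek.PublicKey, dek, wrapLabel)
}

// UnwrapKey recovers a DEK; the only operation that touches the private key.
func (h *HSM) UnwrapKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, h.kek, wrapped, wrapLabel)
}

// Record is the assumed shape stored in Cosmos DB: wrapped DEK beside ciphertext.
type Record struct {
	ID         string
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// EncryptField makes a fresh 256-bit DEK, seals the field with the record ID as
// additional authenticated data, wraps the DEK, and zeroes the plaintext DEK.
func EncryptField(h *HSM, id string, plaintext []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	defer zero(dek)
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := h.WrapKey(dek)
	if err != nil {
		return nil, err
	}
	return &Record{ID: id, WrappedDEK: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// DecryptField unwraps the DEK through the HSM and opens the ciphertext. Any
// change to ciphertext, tag, nonce or record ID fails GCM authentication.
func DecryptField(h *HSM, r *Record) ([]byte, error) {
	dek, err := h.UnwrapKey(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	h, _ := NewHSM()
	rec, _ := EncryptField(h, "pw-0001", []byte("constructed-example-secret"))
	pt, err := DecryptField(h, rec)
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
}
```

The point to notice is the split of trust: a database read gives an attacker the ciphertext and a wrapped DEK, neither of which is usable without a call into the HSM, and every such unwrap is a request that can be logged and rate-limited. Binding the record ID as AAD also means a ciphertext moved between records is rejected rather than silently decrypted.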

Revealing a Password

To see the actual value of an encrypted field, you must check out the password first, then reveal it. Both actions are audit-logged with your user identity, IP address, and timestamp.

⚠️ Anomaly Detection: If a user reveals more than 20 passwords in one hour, CMDB triggers an anomaly alert. Rate limits enforce a maximum of 10 reveals per minute per user and 50 reveals per minute per tenant.
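The three thresholds above (10 per minute per user, 50 per minute per tenant, an alert above 20 per hour per user) as sliding-window logic over a stream of reveal attempts. This is an added example for this page, not CMDB's implementation. Assumptions: reveal attempts carry a tenant ID (the page lists user, IP and RMM device for audit entries), events are fed in time order, and only reveals that pass the rate limits count toward the hourly anomaly threshold.

```go
package main

import (
	"fmt"
	"time"
)

// Thresholds as stated in the vault documentation.
const (
	userPerMinute   = 10 // reveals per minute per user
	tenantPerMinute = 50 // reveals per minute per tenant
	anomalyPerHour  = 20 // more than this per user per hour raises an alert
)

// RevealEvent is one reveal attempt. Assumption: a tenant ID is available on the
// event; the page names only user, IP and RMM device context for audit entries.
type RevealEvent struct {
	User   string
	Tenant string
	At     time.Time
}

// Decision is the outcome for one attempt.
type Decision struct {
	Allowed bool
	Reason  string // "user_rate_limit" or "tenant_rate_limit" when denied
	Anomaly bool   // true once the user exceeds anomalyPerHour successful reveals
}

// window holds the event times inside the trailing span, oldest first.
type window struct {
	span  time.Duration
	times []time.Time
}

// count drops times at or before now-span and returns how many remain.
func (w *window) count(now time.Time) int {
	cutoff := now.Add(-w.span)
	i := 0
	for i < len(w.times) && !w.times[i].After(cutoff) {
		i++
	}
	w.times = w.times[i:]
	return len(w.times)
}

// Monitor keeps per-user and per-tenant windows. Events must arrive in time order.
type Monitor struct {
	userMinute, tenantMinute, userHour map[string]*window
}

func NewMonitor() *Monitor {
	return &Monitor{map[string]*window{}, map[string]*window{}, map[string]*window{}}
}

func get(m map[string]*window, key string, span time.Duration) *window {
	w, ok := m[key]
	if !ok {
		w = &window{span: span}
		m[key] = w
	}
	return w
}

// Reveal applies the rate limits first; only reveals that go through are
// recorded and counted toward the one-hour anomaly threshold.
func (m *Monitor) Reveal(e RevealEvent) Decision {
	um := get(m.userMinute, e.User, time.Minute)
	tm := get(m.tenantMinute, e.Tenant, time.Minute)
	uh := get(m.userHour, e.User, time.Hour)
	if um.count(e.At) >= userPerMinute {
		return Decision{Reason: "user_rate_limit"}
	}
	if tm.count(e.At) >= tenantPerMinute {
		return Decision{Reason: "tenant_rate_limit"}
	}
	um.times = append(um.times, e.At)
	tm.times = append(tm.times, e.At)
	uh.times = append(uh.times, e.At)
	return Decision{Allowed: true, Anomaly: uh.count(e.At) > anomalyPerHour}
}

func main() {
	// Constructed scenario: one user reveals a password every 10 seconds. That
	// never trips the per-minute limit but does cross 20 in an hour.
	m := NewMonitor()
	start := time.Date(2025, 1, 1, 9, 0, 0, 0, time.UTC)
	for i := 0; i < 25; i++ {
		d := m.Reveal(RevealEvent{User: "alice", Tenant: "acme", At: start.Add(time.Duration(i) * 10 * time.Second)})
		if d.Anomaly {
			fmt.Printf("reveal %d: anomaly alert for alice\n", i+1)
		}
	}
}
```

The two mechanisms answer different questions: the per-minute limits stop a burst (a script dumping the vault) at the point of request, while the hourly threshold catches slow, steady exfiltration that stays under the burst limits, which is why the example keeps them as separate windows rather than one counter.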

Password Categories

| Category | Use For |
|---|---|
| Server | Local admin, root, service accounts |
| Network | Switch, router, firewall, access point credentials |
| Cloud | AWS, Azure, GCP console and API credentials |
| Application | Line-of-business app admin accounts |
| Database | Database connection strings and admin credentials |
| Certificate | Certificate passphrases and private key passwords |
| Other | Anything that doesn't fit the above categories |

Creating a Password

  1. Navigate to Password Vault in the sidebar
  2. Click New Password
  3. Fill in the fields:
    • Name — descriptive label (e.g., "DC01 Local Admin")
    • Category — select from the categories above
    • Company — the client this credential belongs to
    • CI — optionally link to a specific configuration item
    • Username — the account username
    • Password — the credential value (encrypted immediately on save)
    • URL — login URL for quick access
    • Notes — additional context (encrypted)
    • Tags — searchable tags
  4. Optionally configure a Rotation Policy (see below)
  5. Click Save

Checkout and Reveal

The checkout system prevents concurrent access and creates a clear audit trail.

Checking Out a Password

  1. Open the password record
  2. Click Check Out
  3. Select a Duration: 15 minutes, 30 minutes, 60 minutes, or 8 hours (default)
  4. The password is now checked out to you — no other user can check it out until you release it

Revealing the Value

  1. While a password is checked out to you, click Reveal
  2. The decrypted value displays temporarily
  3. Copy the value and use it
  4. Click Check In when you're done, or let it auto-expire

ℹ️ If a password is checked out by another user, you'll see who has it and when the checkout expires. You cannot reveal or check out a password that someone else holds.

Rotation Policies

Set a rotation schedule to ensure credentials are changed regularly:

  1. Open a password record
  2. Set Rotation Policy to the desired interval in days (e.g., 90)
  3. CMDB tracks last_rotated_at and calculates next_rotation_at
  4. When a password is due for rotation, it appears in the rotation queue

After rotating the credential on the actual system, update the password value in CMDB; saving the new value resets the rotation timer.
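The rotation bookkeeping described in this section, as an added example written for this page rather than CMDB's own code: next_rotation_at is derived from last_rotated_at plus the policy interval, due records are collected into a queue, and updating the value after rotation moves last_rotated_at forward. Assumptions: a policy of 0 days means no rotation policy, and a record that has never been rotated (zero LastRotatedAt) is treated as due immediately; the page does not say how the vault handles that case. The record names and dates are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PasswordRecord carries the rotation fields the vault tracks. Assumptions for
// this example: RotationPolicyDays of 0 means no policy, and a zero
// LastRotatedAt means the credential has never been rotated in CMDB.
type PasswordRecord struct {
	Name               string
	RotationPolicyDays int
	LastRotatedAt      time.Time
}

// NextRotationAt computes next_rotation_at as last_rotated_at plus the policy
// interval. ok is false when the record has no policy. A never-rotated record
// is due immediately (assumption) and returns the zero time.
func NextRotationAt(r PasswordRecord) (next time.Time, ok bool) {
	if r.RotationPolicyDays <= 0 {
		return time.Time{}, false
	}
	if r.LastRotatedAt.IsZero() {
		return time.Time{}, true
	}
	return r.LastRotatedAt.AddDate(0, 0, r.RotationPolicyDays), true
}

// RotationQueue returns the records whose next_rotation_at is at or before
// now, most overdue first.
func RotationQueue(records []PasswordRecord, now time.Time) []PasswordRecord {
	var due []PasswordRecord
	for _, r := range records {
		if next, ok := NextRotationAt(r); ok && !next.After(now) {
			due = append(due, r)
		}
	}
	sort.SliceStable(due, func(i, j int) bool {
		ni, _ := NextRotationAt(due[i])
		nj, _ := NextRotationAt(due[j])
		return ni.Before(nj)
	})
	return due
}

// MarkRotated models what saving the new value after rotating the credential
// on the real system does to the timer: last_rotated_at moves to now.
func MarkRotated(r PasswordRecord, now time.Time) PasswordRecord {
	r.LastRotatedAt = now
	return r
}

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	records := []PasswordRecord{ // constructed sample data
		{"DC01 Local Admin", 90, now.AddDate(0, 0, -100)},
		{"Core Switch", 90, now.AddDate(0, 0, -30)},
		{"Legacy App", 0, now.AddDate(0, 0, -400)},
		{"Backup SA", 30, time.Time{}},
	}
	for _, r := range RotationQueue(records, now) {
		next, _ := NextRotationAt(r)
		fmt.Printf("due: %s (next_rotation_at %s)\n", r.Name, next.Format("2006-01-02"))
	}
}
```

Note that "Legacy App" never enters the queue despite being 400 days old, because it has no policy; a review of the vault should look for exactly those records, since no schedule means no reminder.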

RMM Password Reveal

Passwords can be revealed from within an RMM device context. When a technician accesses a password through the RMM interface, the audit log captures the rmm_device_id in addition to the user and IP — so you know exactly which device session triggered the reveal.

Audit Trail

Every password operation is logged with a 365-day retention period:

| Action | When Logged |
|---|---|
| created | New password record saved |
| updated | Password value or metadata changed |
| deleted | Password record removed |
| viewed | Password list or detail page accessed |
| checked_out | User checks out password for reveal |
| checked_in | User releases checkout |
| reveal_via_rmm | Password revealed from RMM device context |
| rotated | Password marked as rotated |

Each log entry includes: user ID, user name, IP address, RMM device context (if applicable), and timestamp.

Next Steps