On the appliance, the credentials are stored encrypted (AES-256-CBC) in the database. They are passed to the endpoint via execution calls when the SMA tells the agent to run a script or other action that requires credentials.
Within a secure agent tunnel (TLS 1.2), the credentials are passed as command line parameters, with the username, domain, and the encrypted password all encoded. Additionally, the password is not recorded in any logs; it is displayed only as a placeholder: xxxxxx.
For example, when konea launches KPlugins, which in turn launches runkbot, runkbot is started with the credentials passed as command line parameters:
runkbot 49 1624385502 -launchtype=credentials -username=!ENC!dGVzdDE=!ENC! -domain=!ENC!aGVsbG9Xb3JsZA==!ENC! -password=xxxxxx
The username and domain are encoded here, and the password is both encoded and encrypted. Runkbot parses the credentials, decrypts the password, and uses it to launch the program it is asked to run. Since the credentials are passed as parameters, they are never stored on the endpoint.
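As an added example (not Quest's or the agent's own code), the Python below parses a logged runkbot command line, decodes the !ENC! fields, and checks that the password appears only as the placeholder. It assumes the !ENC! payload is Base64, which the sample values above are consistent with but the article does not state; the second sample line is constructed.

```python
import base64
import re

# -name=value tokens as they appear in the runkbot command line shown above.
PARAM_RE = re.compile(r"(?<!\S)-(\w+)=(\S+)")
# The !ENC!...!ENC! wrapper from the page; payload assumed to be Base64.
ENC_RE = re.compile(r"^!ENC!(.*)!ENC!$")
PLACEHOLDER = "xxxxxx"  # placeholder the page says replaces the password in logs

# First line is the command line from the page; the second is constructed
# to show what an unredacted password field would look like to this check.
PAGE_LINE = ("runkbot 49 1624385502 -launchtype=credentials "
             "-username=!ENC!dGVzdDE=!ENC! -domain=!ENC!aGVsbG9Xb3JsZA==!ENC! "
             "-password=xxxxxx")
CONSTRUCTED_LINE = PAGE_LINE.replace("-password=xxxxxx",
                                     "-password=!ENC!Q09OU1RSVUNURUQ=!ENC!")


def decode_enc(raw):
    """Return the decoded text of a !ENC!-wrapped value, or None if it is
    not wrapped or the payload is not valid Base64/UTF-8."""
    m = ENC_RE.match(raw)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def audit_line(line):
    """Summarise one logged runkbot command line for a log review."""
    params = dict(PARAM_RE.findall(line))
    return {
        "username": decode_enc(params.get("username", "")),
        "domain": decode_enc(params.get("domain", "")),
        # Anything other than the placeholder means the log kept the value.
        "password_redacted": params.get("password") == PLACEHOLDER,
    }


if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_LINE):
        print(audit_line(sample))
```

The username and domain decode to readable text, so any log or monitoring store that captures process command lines holds account names in recoverable form and should be access-controlled accordingly.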