Sneak Preview: HSM Data Encryption with SafeNet

16 11 2012

We’re working with SafeNet, an industry leader in data protection, to bring hardware data encryption to Secret Server. We’re adding support for SafeNet’s Hardware Security Modules, or HSMs.

SafeNet LUNA

Pictured: SafeNet LUNA PCI HSM

SafeNet’s Luna PCI HSM (pictured) is FIPS 140-2 Level 2 and 3 compliant, bringing a new level of data protection to your enterprise.

When Secret Server is configured to use SafeNet’s HSM, Secret Server will no longer store the encryption key on the server or perform the actual encryption and decryption. Instead, the encryption key is stored inside the device, and the device itself performs the encryption and decryption. Secret Server at no point is aware of the keys being used to encrypt or decrypt data. All the encryption and decryption stays in the hardware.


When an HSM is available, Secret Server will allow selecting the encryption key storage location during installation.

Installation HSM

SafeNet’s HSM also allows redundant configuration of two or more HSMs to ensure zero loss of data and Secret Server is always available.

We are pleased to be adding this capability to Secret Server and have enjoyed working with the smart folks over at SafeNet. The SafeNet HSM support will be available in the next release of Secret Server.

Secret Server and DoubleLock

13 09 2012

Do you have a need for additional security when storing your most sensitive data?

Where do you store the company’s banking account numbers and other critical financial data?  …top-level credentials for your customer database that contains Credit Card and Social Security numbers?  …credentials for classified system access?

When you need that additional layer of security within an already secure system, DoubleLock is your answer.  DoubleLock encrypts Secret data with an additional encryption key that is only accessible with an additional password that is unique per user, regardless of permissions or physical access to the machine running Secret Server. Private/public key encryption technology enables you to securely share access to the DoubleLock between users.

Benefits of enabling the DoubleLock feature include:

  • Secrets cannot be decrypted even if Secret Server is compromised.
  • Secrets cannot be decrypted even when someone is accidentally granted permissions to a Secret based on AD group membership.
  • DoubleLock provides an additional grouping of privilege to grant select individuals access to highly sensitive data.

There is one caveat to consider when using DoubleLock:

Resetting a forgotten DoubleLock password is irreversible and can result in permanent loss of the data. In the case that a user has sole access to a DoubleLocked Secret, the data will be lost and the Secret locked with that DoubleLock key will be deleted.  However, if another user has access to the Secret, they will need to re-assign you to the DoubleLock.

When resetting a DoubleLock password, a list of the assigned DoubleLocks and the Secrets they protect are displayed for the user.  Check that the secrets have at least one additional user with DoubleLock access.  This way, the data is not deleted due to a forgotten DoubleLock password.

To enable DoubleLock, a password will need to be created.  In Secret Server, click: Tools menu -> Create DoubleLock Password -> enter the desired Password (minimum 8 characters) -> Create Password.  Then, click on the Administration menu -> DoubleLock -> Create New button -> type a Name for your DoubleLock -> Save.

Now that a DoubleLock has been created, assign the appropriate users and secrets to the DoubleLock.  In more complicated environments, multiple DoubleLocks can be created.  Each of these DoubleLocks can be assigned their own set of users.  To assign DoubleLock to a secret, click the Edit button on the desired secret.  Then, click the Security tab -> check the Enable DoubleLock box -> select the appropriate DoubleLock in the dropdown menu -> Save.  Remember that the DoubleLock selected will already have a list of defined users.

As a safety net, always have at least 2 users for each DoubleLock to avoid the potential loss of data if the DoubleLock password has to be reset.

SSL Certificates, License Keys & More in Secret Server

27 08 2012

Do you have copies of your SSL Certificates, Licensing Data, and Support Documentation?  Of course!  Can you easily search for all of those files with a single term?  Maybe.  Is it well-organized, access-controlled, and verified?  Maybe not.

Secret Server supports the functionality above by simply building a Secret Template with the proper settings.  For example:  Instead of using DFS or a SharePoint plug-in to store your documentation and important files, why not leverage Secret Server?  You’ve already committed your Admin username and password.  By editing a Secret Template, you can easily create a designated file location for each workstation, server, and appliance in your network.  Once you’ve created the template, you’ll know precisely where all your documentation is stored.  When coupled with adequate Disaster Recovery plans (Microsoft SQL Clusters, Mirroring the database, or a frequent database backup), you’ve added additional layers of protection to your critical technical documents.

Storing documents in Secret Server has distinct advantages beyond access control and redundancy.  First, Secret Server admins can require fields to contain data before saving new secrets.  While you can’t control the quality of the documents that people might store – but at least you will know that a document was saved.  Second, these documents are encrypted in the Secret Server database.  Third, the documents can be relayed to a coworker or a third party with a simple http link.  (Note the previous blog post about this.)

Secret data saved using the "Hardware - Remote Desktop" Secret Template.

Secret data saved using the “Hardware – Remote Desktop” Secret Template.

Making a Secret Template may take some thought about what your organization finds useful.  However, once you’ve created a template, it’s very easy to edit, copy, and enhance.  One potential side benefit of structuring the above information is data in Reports.  Using some extra data points like I have in this Template may be of benefit in Secret Server Reports.

Thycotic’s Secret Template Gallery contains the content for the Secret Template I created above.  The Template can be found by searching “Hardware Remote Desktop” or by using this direct link.  Import this or any template by clicking Administration -> Secret Templates.  Paste the XML into the Import Secret Templates text box and click the Import button.

If you think you have a great and useful Secret Template, comment below!  We want to hear about it and what makes it useful.

Using Secret Server Links to Securely Transmit Sensitive Data

24 08 2012

Having been a Systems Engineer, I’m familiar with the problem of sharing credentials.  My method for sharing login credentials with a colleague consisted of access to a spreadsheet with everything or a Post-it that would be shredded (hopefully).  However, with Secret Server, System Admins are easily able to share credentials with colleagues by sending them a simple URL format:


  • “SERVERNAME” is the DNS name or IP Address of the server that hosts Secret Server.
  • “VIRTUALDIRECTORY“ is the name of the Virtual Directory used when Secret Server was installed.  Typically, this is “SecretServer”.
  • “SECRETNUMBER” is the actual number associated with the secret data as found in your instance of Secret Server.  This number increases sequentially as secrets are added.

For instance, the secret of a test server I have installed is shared with this link:

Note: Using this link requires Secret Server login permissions and permissions for that user to at least view the secret you’re trying to share.

The elegance of this method is that users can share credentials between them through email.  The use of the data and permission to use the data is still controlled by a Secret Server Administrator.  It’s worth mentioning is that all of this activity is logged and reportable within Secret Server.

Admins with the need for additional security can link to a secret that has a Launcher enabled and the password is hidden from users.  This way, an Engineer can directly link to a secret’s launcher with a coworker.  The coworker can use the credential to login via Remote Desktop (or any other launcher functionality) to a server without knowing the actual credentials.

Hide Launcher Password is a feature that allows the password field of a secret to remain hidden from view or clipboard access, but still usable by the launcher.  The activity is completely logged in Secret Server and nothing was written down, able to be copied, or shared with anyone but those that have express permissions in Secret Server.  Enable this security feature by clicking the Edit button for a secret, then Security tab -> Edit button -> check Hide Launcher Password -> Save button.

The use of links go beyond email.  Admins could also use these links in support documentation for applications or systems.  In the documentation, a link to Secret Server data can be embedded in place of the actual admin credentials.  This would negate the need for a document-based password protection scheme.

Unlimited Administrator Mode Suggestions from a Secret Server Admin

20 08 2012

While responding to a different but related forum question, a Secret Server Admin made a good point:  Split the ability to enable Unlimited Administrator Mode and the ability to use it.  This is outlined in the Secret Server Best Practices Guide.  Here is a quote from the forum post:

1.) I encourage this on all SS installs. Separate the roles of both Enabling Unlimited Admin mode and Unlimited Admin from a user. Configure SS to require that one (or more) people are the only ones that can enable Unlimited Admin mode but not be an Unlimited Admin. The opposite for the Unlimited Admin, they shouldnt be able to put SS in Unlimited Admin mode. This prevents a single person from having the ability to flip the god switch.
2.) Setup event subscriptions/notifications that email all users of SS when Unlimited Admin mode is enabled.
3.) Direct all users to the appropriate report(s) that show what an Unlimited Admin did while that mode is enabled.

Splitting these roles into two different users or groups of users adds an additional layer of accountability to Secret Server.  One Administrator will not have the ability to authorize a switch to Unlimited Administrator Mode and consequently gain access to all of the secret data stored in the database.

Do you have questions, comments, and concerns about Unlimited Administrator Mode?  Please post in our forums:

Secret Server SMTP Authentication

7 08 2012

As a tie-in to our previous blog post Secret Server and Secure LDAP, SMTP Authentication was another important feature released in Secret Server version 7.8.000036. SMTP Authentication was implemented as a direct result of customer requests. Many of our clients work in environments that require secure messaging. In this release and beyond, Secret Server now has the ability to authenticate to an SMTP server, use SSL, and even specify a custom port.

Some background: Notifications sent via email from Secret Server can contain sensitive information (but never passwords, of course.) The most common risks include spam, false or fraudulent claims, personal threats, social engineering risks (phishing, imposters, etc.), or even virus & malware propagation. While this solution does not offer protection against compromised accounts, it does severely limit the risks associated with running SMTP servers. In response, many organizations require SMTP authentication and SSL connections to their internal servers (as well as other requirements beyond the scope of Secret Server.)

We recommend using SMTP Authentication and SSL if possible. Enable SMTP Authentication is a short and simple process. You can access these settings in Secret Server with the following clicks:

Administration -> Configuration -> Email (see below)

SMTP Authentication options in Secret Server

SMTP Authentication was another important feature released in Secret Server version 7.8.000036. Access it via: Administration -> Configuration -> Email

As with any blog post, Secret Server, or general Thycotic Software question, please comment below or find support information here:

Secret Server and Secure LDAP

23 07 2012

In April 2012, we released Secret Server v7.8.000036.  This was the first release to include support for Secure LDAP often referred to as LDAPS (and not to be confused with SLAPD!)  Subsequent releases of Secret Server will support LDAPS.  Since the release of LDAPS, it has remained a bit of an unintentional secret (no pun intended).  If you have Secret Server installed, check to see if you can enable Secure LDAP in your environment.

Using LDAPS:

Upon installation, Secret Server will use port 389 for LDAP traffic to Domain Controllers.  This does NOT mean passwords are transmitted in clear text.  It means that user and group names will be translated in clear text.  Passwords will be transmitted using Kerberos/NTLM.  However, with LDAPS available, all traffic including the user and group names will be encrypted.

Before enabling LDAPS, there is one feature that can potentially be affected.  If you are using a Domain Controller on Windows Server 2008 R2, Integrated Windows Authentication is supported with Secure LDAP.  However, if you are using Windows Server 2008 or older, Integrated Windows Authentication will have to be disabled when Secure LDAP is used.

How to enable LDAPS:

  1. Click on Administration -> Active Directory -> Edit Domains -> Select the domain you wish to edit (you can also create a new one here.)
  2. Click on Advanced as highlighted in the figure below.
  3. Put a check in the Use LDAPS box.
  4. Click Save And Validate.


Secret Server will now attempt to use LDAPS over port 636!  As with all Secret Server updates, the release notes are always published here:

Inheriting Permissions Based on Folders

29 07 2011

Inheriting Permissions based on Folders

It is possible for Secrets in Secret Server to inherit permissions from the folder where they are placed. For example, if you install a new managed switch in your network, instead of setting an Active Directory group or users for every network-based Secret, you set the Active Directory group or individual user accounts to the folder. That way, when an admin enters a new Secret into Secret Server they don’t have to worry about selecting all the people that need access. Instead, they can place it into the correct folder that already has the correct permission level. Not only does it save time, but it also ensures that everyone who needs access to a Secret has it.

Adding Permissions to a folder
First, move your mouse to the Administration tab, then select Folders.

Then select the folder you want to edit permissions on, select edit

From here you can add Active Directory groups and individual Secret Server users. They will have access to any Secret that inherits permissions with the level you select.

Having a Secret Inherit Permissions From a Folder

Click to expand the Secret, and then select view.

Now, select share.

From here, select edit.

Finally, check the “Inherit Permissions from folder” box.

That’s it! Now any user in the Active Directory group or one you manually added to the folder permissions will have access. You can also turn on this behavior by default with the “Default Secrets Inherit Permissions” setting on the configuration page. It is important to note that a user with folder-based permissions will have that level of access to any Secret in the folder .

Secret Server iPhone app does not use keychain

15 03 2011

There have been some movies going around lately showing how to compromise an iPhone and reveal all the stored passwords in the Apple keychain in minutes.

David from our engineering team talks about how the Secret Server password app for iPhone is not susceptible to this type of attack because it uses its own files for encryption along with a randomly generated key that includes device specific information.

David talks about encryption on Secret Server iPhone app.

Folders are coming to the Secret Server iPhone app

6 05 2010

Here are some sneek screenshots of the new folder capabilities in the iPhone password manager app:


This will allow you to browse folders for customers, teams, servers or different parts of your organization and easily find Secrets within those folders. You are also able to search by folder, create new folders and assign Secrets to folders.


We are also working on offline caching capabilities for the next iPhone app release. Stay posted – the new version will be out before the end of May 2010!


Get every new post delivered to your Inbox.

Join 30 other followers