Secure, Central Vault¶
The Vault module forms the core of Securden Password Vault, Enterprise PAM, and Unified PAM products. Securden runs on a dedicated central server connected to a backend database. The vault is implemented as a fully access controlled and highly available cluster of application servers. While the server handles all the business logic, endusers connect to it using any standard web-browser.
The design of the vault¶
Every installation is secured with an automatically generated, unique random key. The key serves as the master key for various encryption operations in the digital vault.
Data Storage¶
All sensitive data gets stored in an encrypted form inside the digital vault. Securden uses the AES-256 algorithm to do the encryption.
- The sensitive data provided as input to the Securden server is encrypted using the unique installation key. This happens at the application level.
- The encrypted data is securely stored in the database.
Data Integrity¶
- The encryption key cannot be held together with the encrypted data.
- The encryption key is needed only for starting the Securden vault. It has to be kept somewhere outside and made available to the Securden server during startup.
Even if the database gets into a malicious user's hands, sensitive data cannot be deciphered in plain-text without the installation key.
Database connections¶
The database accepts only secure connections. Clients can connect only from the same localhost. In high availability configuration, where the server and the database run on different servers, the database accepts connections only from specific IP addresses.
Design Highlights
- Data Encryption and Storage
- AES-256 encryption.
- Encryption key separated from encrypted data.