Credential Vault
Secure, encrypted storage for all network credentials.
Overview
The credential vault provides centralized, encrypted storage for all credentials used to access network devices. Credentials never leave the Controller and are used only when establishing connections.
- AES-256-GCM encryption at rest
- Master key derived with Argon2
- Role-based access control
- Audit logging for credential access
Security Model
Zero Standing Privileges
Users never see or handle raw credentials. When connecting to devices, the Controller uses credentials on behalf of the user without exposing them.
Access Control
- Credentials are assigned to folders
- Users/roles are granted access to folders
- Optional: Require approval for privileged access
Note
Password reveal requires the ViewPasswords permission and creates an audit log entry.
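The access rules above, sketched as an added example that is not the product's own code: credentials sit in folders, roles are granted folders, privileged grants can require approval, and reveal needs ViewPasswords. The `Connect` permission name, the `approved` flag, the sample folders and roles, and the choice to log every decision (not only reveals) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# "ViewPasswords" is the permission named on the page; "Connect" is a hypothetical name.
REQUIRED = {"connect": "Connect", "reveal": "ViewPasswords"}

@dataclass(frozen=True)
class Grant:
    role: str
    folder: str
    permissions: frozenset
    needs_approval: bool = False  # optional approval gate for privileged access

@dataclass
class Vault:
    folder_of: dict  # credential id -> folder
    grants: list
    audit: list = field(default_factory=list)

    def authorize(self, user, roles, action, cred, approved=False):
        """Deny by default; allow only through a folder grant held by one of the user's roles."""
        needed = REQUIRED.get(action)      # unknown action -> None -> never matches
        folder = self.folder_of.get(cred)  # unknown credential -> None -> never matches
        outcome = "denied"
        for g in self.grants:
            if g.folder == folder and g.role in roles and needed in g.permissions:
                if g.needs_approval and not approved:
                    outcome = "approval_required"
                    continue  # another grant may still allow without approval
                outcome = "allowed"
                break
        # Assumption: every decision is logged, so denied attempts are visible too.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                           "action": action, "credential": cred, "outcome": outcome})
        return outcome

def build_sample_vault():
    """Constructed sample data: two credentials, three role grants."""
    return Vault(
        folder_of={"core-sw-ssh": "datacenter/core", "lab-snmp": "lab"},
        grants=[
            Grant("noc", "lab", frozenset({"Connect"})),
            Grant("neteng", "datacenter/core", frozenset({"Connect"})),
            Grant("neteng-lead", "datacenter/core",
                  frozenset({"Connect", "ViewPasswords"}), needs_approval=True),
        ],
    )
```

The function returns only a decision; the secret itself is never part of the result, which matches the model where the Controller uses the credential on the user's behalf.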
Credential Types
| Type | Use Case |
|---|---|
| SSH Password | Password authentication to devices |
| SSH Key | Key-based SSH authentication |
| SSH Certificate | Certificate-based authentication (with CA) |
| API Token | REST API authentication |
| SNMP Community | SNMP v1/v2c access |
| Generic Secret | Any other sensitive data |