Credential Vaulting

Credential vaulting is the foundational capability of any PAM program. A credential vault securely stores privileged passwords, SSH keys, API tokens, and other secrets in an encrypted repository, then manages their lifecycle — checking credentials out on demand, rotating them after use, and maintaining a complete audit trail of every access.

Without credential vaulting, privileged credentials are stored in spreadsheets, shared via email, hardcoded in scripts, or memorised by administrators — all of which create unacceptable security risk.

Vault Architecture

Core Components

┌──────────────────────────────────────────────────────────┐
│                     CREDENTIAL VAULT                     │
├──────────────────────────────────────────────────────────┤
│  ┌────────────┐  ┌────────────┐  ┌────────────────────┐  │
│  │ Encrypted  │  │  Access    │  │  Rotation Engine   │  │
│  │ Storage    │  │  Control   │  │                    │  │
│  │ (HSM)      │  │  Engine    │  │  - Scheduled       │  │
│  └────────────┘  │  ┌─────┐   │  │  - On-checkout     │  │
│                  │  │ PEP │   │  │  - On-demand       │  │
│  ┌────────────┐  │  │ PDP │   │  └────────────────────┘  │
│  │ Audit      │  │  └─────┘   │                          │
│  │ Engine     │  └────────────┘  ┌────────────────────┐  │
│  └────────────┘                  │  Session Proxy     │  │
│                                  │  (optional)        │  │
│  ┌────────────┐                  └────────────────────┘  │
│  │ API & CLI  │                                          │
│  └────────────┘                                          │
└──────────────────────────────────────────────────────────┘
Component | Function | Examples
--- | --- | ---
Encrypted Storage | Stores credentials at rest using AES-256 or stronger | HSM-backed database, encrypted filesystem
Access Control Engine | Enforces who can access which credentials and under what conditions | RBAC, approval workflows, time-based access
Rotation Engine | Automatically changes passwords/keys according to policy | Scheduled rotation, post-checkout rotation
Audit Engine | Logs every credential access, rotation, and management action | SIEM integration, immutable audit log
Session Proxy | Optionally proxies privileged sessions through the vault | No direct network connectivity to targets
API & CLI | Programmatic access for automation and integration | REST API, SDK, CLI tools

Vault Deployment Models

On-Premises Vault

The vault is deployed within the organisation’s data centre.

Pros | Cons
--- | ---
Full control over security and compliance | Requires infrastructure management
Air-gapped deployment possible (no external connectivity) | Scaling requires additional hardware
Complete data sovereignty | Higher operational overhead

Cloud-Hosted Vault (SaaS)

The vault is provided as a managed service by a PAM vendor.

Pros | Cons
--- | ---
No infrastructure management | Data stored in vendor's cloud
Automatic scaling and high availability | Requires network connectivity to cloud
Vendor handles patching and compliance | Potential vendor lock-in
Built-in HA/DR | Data sovereignty considerations

Hybrid Vault

Credentials are distributed across on-premises and cloud vaults with synchronisation.

Best for: Large enterprises with both on-premises and cloud infrastructure that need unified credential management across environments.

Tip

Most enterprises should start with a cloud-hosted PAM solution for their primary internet-facing infrastructure and add on-premises vaults for legacy systems that cannot connect to cloud services. Avoid managing the vault infrastructure yourself unless you have dedicated PAM operations staff.

Password Rotation Policies

Rotation Triggers

Trigger | Description | When to Use
--- | --- | ---
Scheduled rotation | Password changed on a regular cadence (e.g., every 30, 60, 90 days) | Service accounts, standard admin accounts
On-checkout rotation | Password rotated immediately after each checkout | High-risk accounts, shared admin accounts
On-demand rotation | Password rotated when manually requested | Emergency rotation, suspected compromise
Event-based rotation | Password rotated in response to a specific event (HR termination, security incident) | User-specific privileged accounts

Rotation by Account Type

Account Type | Recommended Rotation | Notes
--- | --- | ---
Local admin | On-checkout or every 30 days | LAPS manages a unique password per machine
Domain admin | Every 30 days + on-checkout | Critical accounts — most aggressive rotation
Service account | Every 90 days or managed by gMSA | Verify no service interruption before rotation
Application account | Every 90 days or per compliance requirement | Coordinate with application owners
SSH key | Every 180 days or key replacement | Rotate public key + deploy new key
Cloud IAM access key | Every 90 days | Cloud provider key rotation
Break-glass account | Immediately after each use | Emergency accounts must be rotated after every access
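The trigger and account-type tables above combine into a single "is this credential due?" decision. The following is an added example (not code from this page or any vendor product) of a rotation evaluator that encodes the cadences from the table and checks all four triggers against a constructed inventory; the account names, kinds and timestamps are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
# Policy per account type from the "Rotation by Account Type" table: (cadence or None, rotate after each checkout/use)
POLICIES = {
    "local_admin":   (timedelta(days=30),  True),
    "domain_admin":  (timedelta(days=30),  True),
    "service":       (timedelta(days=90),  False),
    "application":   (timedelta(days=90),  False),
    "ssh_key":       (timedelta(days=180), False),
    "cloud_iam_key": (timedelta(days=90),  False),
    "break_glass":   (None,                True),   # no cadence: rotated immediately after each use
}
@dataclass
class Account:
    name: str
    kind: str
    last_rotated: datetime
    last_checkout: Optional[datetime] = None                  # most recent checkout, if any
    pending_events: List[str] = field(default_factory=list)   # e.g. "hr_termination"
    manual_request: bool = False                              # operator asked for on-demand rotation

def rotation_reasons(acct: Account, now: datetime) -> List[str]:
    """Return every rotation trigger that currently applies (empty list = not due)."""
    max_age, on_checkout = POLICIES[acct.kind]
    reasons = []
    if max_age is not None and now - acct.last_rotated >= max_age:
        reasons.append("scheduled")
    # A checkout newer than the last rotation means a human has seen the current secret.
    if on_checkout and acct.last_checkout is not None and acct.last_checkout > acct.last_rotated:
        reasons.append("on-checkout")
    if acct.manual_request:
        reasons.append("on-demand")
    reasons.extend("event:" + e for e in acct.pending_events)
    return reasons

def rotation_queue(accounts, now):
    """Accounts due for rotation, mapped to the triggers that fired."""
    return {a.name: r for a in accounts if (r := rotation_reasons(a, now))}

# Constructed sample inventory (hypothetical account names), evaluated at a fixed point in time.
NOW = datetime(2025, 3, 1, 9, 0)
SAMPLE_ACCOUNTS = [
    Account("dc01-domain-admin", "domain_admin", NOW - timedelta(days=10), last_checkout=NOW - timedelta(days=1)),
    Account("svc-backup", "service", NOW - timedelta(days=120)),
    Account("app-erp", "application", NOW - timedelta(days=20)),
    Account("breakglass-01", "break_glass", NOW - timedelta(days=2), last_checkout=NOW - timedelta(hours=1)),
    Account("ws17-local-admin", "local_admin", NOW - timedelta(days=5), pending_events=["hr_termination"]),
]
```

Running `rotation_queue(SAMPLE_ACCOUNTS, NOW)` flags the domain admin and break-glass accounts on the checkout trigger, the service account on schedule, and the local admin on the HR event, while the recently rotated application account is left alone.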

SSH Key Management

SSH keys present unique management challenges because they are not centrally managed by design — each key pair is generated independently by the administrator.

SSH Key Lifecycle

SSH Key Discovery

Scan all systems for authorized_keys files, known_hosts files, and key pairs in user home directories. Identify orphaned keys (no corresponding user), shared keys (same key on multiple systems), and keys with no expiry.

SSH Key Inventory

Create a central registry of all authorised SSH keys with metadata: owner, purpose, creation date, expiry date, systems accessed, and last-used timestamp.

SSH Key Rotation

For each key pair: generate new key, deploy public key to authorised systems, verify connectivity, remove old public key, and archive old key pair for audit purposes.

SSH Key Monitoring

Continuously monitor for:

  • New unauthorized key pairs appearing on systems
  • Key pairs used from unexpected locations or at unusual times
  • Keys not present in the central registry (rogue keys)
  • Key pairs associated with terminated employees
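The discovery, inventory and monitoring steps above reduce to comparing what is deployed on hosts against the central registry and the active-user list. The following is an added example (not part of the original page) of that comparison: it parses constructed authorized_keys contents from three hypothetical hosts, tolerates an options prefix, and flags rogue, orphaned, expired and shared keys. Key blobs are placeholders, not real key material; a real scan would key on `ssh-keygen -lf` fingerprints rather than the raw blob.

```python
import re
from datetime import date

# Constructed sample data (not real keys): authorized_keys contents gathered from three
# hosts by a discovery scan, the central key registry, and the HR-active user list.
HOST_AUTHORIZED_KEYS = {
    "web01": 'ssh-ed25519 AAAAC3_KEY_ALICE alice@laptop\nssh-rsa AAAAB3_KEY_DEPLOY deploy-2021\n',
    "web02": 'ssh-rsa AAAAB3_KEY_DEPLOY deploy-2021\n\n# added by hand\nssh-ed25519 AAAAC3_KEY_X root@devbox\n',
    "db01":  'ssh-ed25519 AAAAC3_KEY_BOB bob@ws\nfrom="10.0.0.5",no-pty ssh-rsa AAAAB3_KEY_DEPLOY deploy-2021\n',
}
REGISTRY = {  # key blob -> inventory metadata (owner, expiry date)
    "AAAAC3_KEY_ALICE":  {"owner": "alice",  "expires": date(2026, 6, 1)},
    "AAAAB3_KEY_DEPLOY": {"owner": "deploy", "expires": date(2024, 1, 1)},
    "AAAAC3_KEY_BOB":    {"owner": "bob",    "expires": date(2025, 12, 31)},
}
ACTIVE_USERS = {"alice", "deploy"}   # bob has left the organisation

KEY_RE = re.compile(r'(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-\S+)\s+(\S+)(?:\s+(.*))?$')

def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) per key line, skipping blanks and comments and
    tolerating an options prefix such as from="10.0.0.5",no-pty before the key type."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            yield m.group(1), m.group(2), (m.group(3) or "").strip()

def audit_keys(host_keys, registry, active_users, today):
    """Map each key blob to the hosts it is deployed on and the findings raised against it."""
    report = {}
    for host, text in host_keys.items():
        for _ktype, blob, _comment in parse_authorized_keys(text):
            report.setdefault(blob, {"hosts": [], "findings": []})["hosts"].append(host)
    for blob, entry in report.items():
        meta = registry.get(blob)
        if meta is None:
            entry["findings"].append("rogue")          # deployed but absent from the registry
        else:
            if meta["owner"] not in active_users:
                entry["findings"].append("orphaned")   # owner is no longer an active user
            if meta["expires"] < today:
                entry["findings"].append("expired")    # past the maximum key lifetime
        if len(entry["hosts"]) > 1:
            entry["findings"].append("shared")         # same key authorised on several systems
        entry["hosts"].sort()
    return report
```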

SSH Key Management Best Practices

Practice | Implementation
--- | ---
Centralised key management | Vault-like solution for SSH keys with automated rotation
Remove key-based root access | Require vault checkout for root access — no standing SSH keys for root
Short-lived certificates | Use SSH certificates (signed by a CA) instead of raw key pairs for automation
Key usage monitoring | Log every SSH key authentication with source IP, timestamp, and target system
Orphaned key cleanup | Quarterly scan for keys without corresponding active users
Key expiry enforcement | Set maximum key lifetime (180 days recommended)

Secrets Management

Secrets management extends vaulting beyond passwords to include API tokens, database connection strings, certificates, and other sensitive configuration data used by applications and automation.

Secrets Management vs PAM Vaulting

Characteristic | PAM Vault | Secrets Manager
--- | --- | ---
Primary users | Human administrators | Applications and automation
Access pattern | Interactive checkout | Programmatic API call
Credential types | Passwords, SSH keys | API keys, connection strings, certificates
Rotation trigger | Scheduled, on-checkout | Scheduled, dynamic (pre-rotation)
Cache/buffer | Minimal | Client-side caching for performance
Integration | RDP, SSH, web portals | CI/CD, Kubernetes, application code

Vault Operational Best Practices

Practice | Rationale | Priority
--- | --- | ---
Defense in depth | Vault encryption + HSM + access controls — any single control can fail | Critical
Zero-standing credentials | No user should have permanent knowledge of a privileged password | Critical
Approval workflows | Require at least one approver for high-risk credential access | High
Justification required | Users must provide a ticket or reason for each credential checkout | High
Automatic rotation after checkout | Ensures each checkout gets a fresh credential | High
Session proxy | Prevent direct network connectivity to managed systems | High
Vault health monitoring | Monitor vault availability, sync status, and capacity | Medium
Disaster recovery | Replicate vault to secondary site with failover capability | Medium
Regular DR testing | Test failover, restore, and break-glass procedures at least annually | Medium

Danger

The vault is a single point of failure for privileged access management. If the vault goes down, administrators cannot access credentials to manage systems. Deploy the vault in a highly available configuration with geographic redundancy, and maintain an offline break-glass procedure as the ultimate fallback.

Key Takeaways

  • Credential vaulting is the foundational PAM capability — it securely stores privileged credentials, manages their lifecycle, and provides a complete audit trail
  • Vault deployment models include on-premises (full control but high overhead), cloud/SaaS (managed but data sovereignty considerations), and hybrid (best for mixed environments)
  • Password rotation should be triggered by schedule, checkout, on-demand, or events — with rotation frequency determined by account type and risk level
  • SSH keys require dedicated management (discovery, inventory, rotation, monitoring) because they are decentralised by design and easily orphaned
  • Secrets management extends vaulting to application credentials (API keys, connection strings, certificates) with programmatic access patterns suited for CI/CD and automation
  • Operational best practices include zero-standing credentials, approval workflows, automatic rotation, session proxying, and regular DR testing — treat the vault as a critical system requiring high availability