Encryption Keys Explained

Passwordstate utilises a number of techniques to ensure the security of your password credentials. 

One of these is implemented automatically during installation, when two unique encryption keys are created.  These are 256-bit AES (Advanced Encryption Standard) keys; AES was first adopted by the U.S. government and is now used worldwide.  The keys are used to encrypt passwords and to compute the HMAC-SHA512 hash that ensures the integrity of the database.

These encryption keys are split into 4 secrets that are stored independently in different locations.  The reason for this is that more than one of your Windows Servers would have to be compromised before someone could obtain your encryption keys and access your privileged account credentials.

Whilst not covered in this blog, it is highly recommended that you follow Click Studios' best practice approach to securing your Passwordstate instance by encrypting your Web.config file.  You can find the details on how to do this here.

Split Secrets file locations:

As mentioned above, the two encryption keys are split into 4 secrets, with 2 of the split secrets stored on your Passwordstate Server in the Web.config file.  The other 2 split secrets are stored within the Passwordstate database itself.

The Web.config file is located by default in the root directory of your Passwordstate installation, C:\inetpub\passwordstate.  It contains the first 2 secrets (Secret1 and Secret2) under the <appSettings> section.  An example is shown below;

Your Database for Passwordstate contains the remaining 2 secrets (Secret3 and Secret4) in the Passwordstate table.  To extract these, you’ll need to use Microsoft’s SQL Management Studio tools to connect to your database server and execute the following query;

USE Passwordstate

SELECT EA_Password, Secret3, Secret4 FROM SystemSettings
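As an added example (not part of the original post and not Passwordstate's own code), the following Python script checks that a recovery set holds all four split secrets: it parses the appSettings section of a Web.config for Secret1 and Secret2 and takes Secret3 and Secret4 from the SystemSettings row returned by the query above.  The Web.config fragment and the database row are constructed placeholders; a Web.config whose appSettings section has been encrypted (marked by the configProtectionProvider attribute) has to be decrypted before this check can read it, which the script flags.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config fragment; the values are placeholders,
# not real Passwordstate secrets.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Secret1" value="PLACEHOLDER-SECRET1" />
    <add key="Secret2" value="PLACEHOLDER-SECRET2" />
  </appSettings>
</configuration>
"""

# Constructed stand-in for the row returned by
# SELECT EA_Password, Secret3, Secret4 FROM SystemSettings
# (Secret4 is deliberately empty to show a failing check).
SAMPLE_DB_ROW = {"EA_Password": "PLACEHOLDER-EA",
                 "Secret3": "PLACEHOLDER-SECRET3",
                 "Secret4": ""}

SPLIT_SECRETS = ("Secret1", "Secret2", "Secret3", "Secret4")


def web_config_secrets(xml_text):
    """Return {"Secret1": ..., "Secret2": ...} from the appSettings section.

    Raises ValueError if the section is protected-configuration encrypted,
    because the plaintext <add> elements are not present in that case.
    """
    root = ET.fromstring(xml_text)
    app = root.find("appSettings")
    if app is None:
        return {}
    if app.get("configProtectionProvider"):
        raise ValueError("appSettings is encrypted; decrypt Web.config first")
    return {add.get("key"): add.get("value", "")
            for add in app.iterfind("add")
            if add.get("key") in ("Secret1", "Secret2")}


def missing_secrets(xml_text, db_row):
    """List the split secrets that are absent or empty across both locations."""
    have = web_config_secrets(xml_text)
    have.update({k: db_row.get(k, "") for k in ("Secret3", "Secret4")})
    return [k for k in SPLIT_SECRETS if not have.get(k)]


def recovery_ready(xml_text, db_row):
    """True only when Web.config and the database together hold all 4 secrets."""
    return not missing_secrets(xml_text, db_row)
```

Run this against the Web.config copy and query output you intend to keep for disaster recovery, before you rely on them.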

Note: If you ever lose or forget your Emergency Access Password you can request Click Studios to generate a new one for you.  To do this, email us and provide a copy of your Web.config file (so we can access your Secret1 and Secret2) as well as the details from the SQL query above.  We'll then recreate an Emergency Access Password for you, and suggest that once you have access again, you change this and rotate your encryption keys.

Exporting your Encryption Keys:

It is extremely important to export the full set of your Encryption keys and store these safely outside of Passwordstate.  In the event of a disaster where you are unable to locate a copy of your Web.config file, Click Studios will be unable to help you rebuild your Passwordstate environment.

When you export your encryption keys, they are written to a password protected Zip file.  To do this navigate to Administration->Encryption Keys and click on Export Keys;

You are then presented with an information screen and a button to Export the Keys;

At this stage you’ll need to specify a password for the Zip file that is about to be created and then click on Export Keys;

You will then be presented with a Save As dialog box.  Select the folder you wish to save the Password protected Zip file to.  Note: the file name includes the date and time the export was performed;

You should also note that the exporting of encryption keys is automatically logged as an auditable event.

Restoring your Passwordstate Server:

You MUST have a copy of both your Web.config file and your Passwordstate database to be able to restore your Passwordstate instance in the event of a disaster.  Without both of these, Click Studios will not be able to assist you in recovering your password credentials.

In the event you need to build a new Database Server or Web Server then please follow the links below for detailed instructions;

Moving Passwordstate to a new Database Server here

Moving Passwordstate to a new Web Server here

As always, we welcome your feedback via support@clickstudios.com.au.