Credential Vault

Enterprise

Centralized, encrypted storage for all target credentials. Users connect through RedFox without ever seeing the underlying secrets.

Encryption

AES-256-GCM at rest

Every credential is encrypted with AES-256-GCM under a fresh nonce that is never reused. The master key is derived with PBKDF2 (600,000 iterations) from a passphrase set during initial setup; the passphrase itself is never stored.

Key hierarchy

Master key → per-credential data encryption key (DEK). Each credential is encrypted under its own DEK, and each DEK is wrapped (encrypted) with the master key. Key rotation re-wraps every DEK under the new master key without decrypting the stored secrets themselves.

In-transit protection

Credentials are decrypted in memory only at the moment of connection injection. They travel over the internal mTLS channel between the API and the proxy and are never written to logs.

Supported credential types

SSH keys

RSA, Ed25519, ECDSA. PEM or OpenSSH format. Optional passphrase (encrypted separately).

Username / password

For RDP, VNC, database and application targets.

Service accounts

API tokens, client secrets, bearer tokens for application proxying.

Database credentials

Connection strings for PostgreSQL, MySQL, MSSQL with role-based restrictions.

Configuration

  1. Initial setup — During the Setup Wizard, set the vault master passphrase. This passphrase is required on service restart.
  2. Add credentials — Navigate to Settings → Credential Vault and add entries. Each entry is associated with one or more targets.
  3. Assign to targets — In the target configuration, select the vault entry to use. RedFox injects it at connection time.
  4. Key rotation — Use the rotation button to change the master key. All DEKs are re-wrapped automatically.

Audit

  • Every credential access (read, inject, rotate) is logged in the WORM audit trail
  • Credential values are never included in logs or API responses
  • Failed decryption attempts trigger an alert

Need help setting up the vault? Contact [email protected]. For Enterprise licensing, reach out to [email protected].