Password Rotation
Enterprise
Automated credential rotation ensures passwords and keys are changed on schedule, reducing the risk of credential theft and reuse.
How it works
- Define a policy — Set rotation interval (e.g. every 30, 60 or 90 days), password complexity rules and notification preferences.
- Assign to credentials — Attach the rotation policy to one or more vault entries. Each credential type has a dedicated rotation provider.
- Automatic rotation — RedFox connects to the target system, changes the password, updates the vault, and verifies the new credential works.
- Notification — On success or failure, notifications are sent via Slack, Teams or webhook. Failures trigger a retry with exponential backoff.
Supported targets
Linux / SSH
Password change via passwd over SSH. SSH key rotation (generate new Ed25519 key, deploy to authorized_keys, remove old).
Windows / RDP
Password change via WinRM or RDP channel. Active Directory service accounts via LDAP.
Databases
PostgreSQL (ALTER ROLE), MySQL (ALTER USER), MSSQL (ALTER LOGIN). Connection verified after rotation.
Custom providers
Webhook-based rotation for custom systems. RedFox sends the new credential to your endpoint; you handle the change.
Configuration
Navigate to Settings → Credential Vault → Rotation Policies to create and manage policies. Each policy defines:
- Interval — days between rotations (minimum 1 day)
- Complexity — minimum length, character classes, no reuse of last N passwords
- Window — maintenance window during which rotation occurs (e.g. 02:00-04:00 UTC)
- Retry — max attempts, backoff multiplier
- Notifications — success/failure channels
Security
- Rotation history is recorded in the WORM audit log (old credential values are not stored)
- New passwords are generated using a CSPRNG and immediately encrypted in the vault
- If rotation fails, the previous credential remains valid and an alert is raised
- Manual rotation can be triggered at any time from the UI or API
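One way to implement the Complexity rules and CSPRNG generation described above, as an added example (not RedFox's own code). The class names, symbol set and iteration count are assumptions, and keeping salted hashes instead of old passwords for the "no reuse of last N" check is one possible design, not something this page says RedFox does.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical character classes mirroring the page's "Complexity" setting.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}
PBKDF2_ITERATIONS = 200_000  # assumption; tune to your hardware


def fingerprint(password, salt):
    """Salted slow hash kept in history instead of the old password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def is_reused(password, history):
    """history is a list of (salt, fingerprint) pairs for the last N passwords."""
    return any(hmac.compare_digest(fingerprint(password, s), fp) for s, fp in history)


def generate(min_length, classes, history=()):
    """Draw from the OS CSPRNG until every required class is present and the
    candidate matches no remembered fingerprint. Rejecting whole candidates
    keeps the result uniform over all compliant passwords."""
    if min_length < len(classes):
        raise ValueError("min_length too small for the required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(min_length))
        has_all = all(any(ch in CLASSES[c] for ch in candidate) for c in classes)
        if has_all and not is_reused(candidate, list(history)):
            return candidate


def remember(password, history, keep_last):
    """Append a fingerprint of the new password and trim to the last N."""
    salt = secrets.token_bytes(16)
    return (list(history) + [(salt, fingerprint(password, salt))])[-keep_last:]


if __name__ == "__main__":
    pw = generate(24, ["lower", "upper", "digit", "symbol"])
    print(len(pw), "characters generated; history size:", len(remember(pw, [], 5)))
```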
Need help with rotation policies? Contact [email protected]. For Enterprise licensing, reach out to [email protected].