Skip to content

SECRET SERVER FEATURE: Secure Vault and Password Manager

Protect enterprise privileged
accounts with military-grade security


Overview of Secure Vault and Password Manager:

Automation of complex tasks is crucial for administrators and DevOps teams to eliminate human error and allow an organization to scale. Many applications require passwords or keys in order to access third-party APIs, databases, or external resources. Any complex automation build-out will require access to passwords or keys to call APIs and access data.

Integrating custom and third-party applications with Secret Server allows you to avoid built-in application credentials and ensure proper control and management.


AES 256 Encryption

AES 256-bit encryption is the strongest encryption available for enterprise password management software and provides unsurpassed security.

In addition to at-rest encryption of secrets, Secret Server can also be used with SQL Server Transparent Data Encryption (TDE) for further data protection. SSL/TLS can be enforced on all connections to ensure end-to-end encryption.

Secret Server generates a unique encryption key during installation. This key is encrypted and kept in the encryption.config file or managed by an HSM. The combination of this file and your Secret Server database allows you to reconstitute your system at any point.


Login Password Protection

Secret Server hashes and salts local user passwords using a randomly generated salt and the PBKDF2-HMAC-SHA256 hashing algorithm. Active Directory logins authenticate directly against the domain, and their passwords aren't stored in the Secret Server database.


Multi-factor Authentication

Multi-factor authentication is an authentication method based on something you know (a password) and something you have (a one-time token/PIN…). It ensures that even if a password is stolen, a malicious user can’t use it to access Secret Server. It also assists in rapid account recovery.

You can use a variety of multi-factor authentication solutions, including your existing authentication infrastructure, to authenticate users before granting them access to Secret Server.

Duo Security supports push notifications directly to a user’s phone and hardware tokens such as YubiKey. If the user’s app or token isn’t available, they can also receive a phone call or text message for out-of-band authentication.

Google Authenticator or any soft token app that supports TOTP (Microsoft Authenticator, Duo, Amazon MFA) can also be used. Soft tokens are a free and quick way to add security to your login process if no commercial multi-factor solution is available.

Secret Server also supports any multi-factor provider that provides a RADIUS interface, an industry-standard implementation supported by most multi-factor providers.

MFA on individual secrets adds a layer of security to highly privileged account credentials. You can enforce MFA on individual credentials to ensure protected access is in place at every level while allowing a strategic passthrough time set by admins to keep teams productive and moving.

Learn more about Multi-factor Authentication


IP Address Restrictions

You can control the locations and networks from which users can gain access by configuring Secret Server to be accessible only by IP addresses within a specified range. This allows you to limit access to Secret Server to users who are “on network” and not accessing through VPN, etc.

Secret Server management features help you get started quickly and scale easily as you add more systems, users, and secrets.


Folders and Permissions

As your organization grows and you add secrets to your vault, Secret Server’s folder structure will help you stay organized. With folders, multiple teams can use a central vault while having access only to areas appropriate for them.

There isn’t a one-size-fits-all answer for how to organize your privileged passwords. Secret Server’s customizable folder structure allows you to set up access controls based on what makes sense for your organization. For example, you can organize folders based on:

  • Customers
  • Geographical locations
  • Business units
  • Different IT teams like DBAs, Unix admins and Windows Server admins.

You can nest folders at multiple levels to manage using a structure that suits you best.

Permissions can be assigned for folders, sub-folders, and secrets. For example, each user can be assigned a default personal folder where they can keep commonly used passwords such as website logins for support sites, API keys for developers, or assigned product licenses.

Folder management can be automated through the API for custom integrations with CMDB’s or IAM systems that need dynamic folder workflows.


File Attachments

IT departments must protect sensitive files such as network diagrams, license files, and SSL certificates while ensuring they are easily accessible to the right users. With Secret Server’s file attachments feature, you can upload sensitive files, and they will be encrypted and stored along with other privileged accounts. RBAC and permissions mean you have granular control over who can download and view attached files.


Active Directory Integration and SSO

Many organizations invest heavily in Active Directory to ensure users have a single identity across the organization. Leveraging your existing Active Directory groups and logins helps you quickly roll out Secret Server, reduce management overhead, and improve adoption.

Active Directory integration gives administrators a simple and effective way to automatically grant and revoke access to Secret Server with tools and policies that are already in place. By assigning access based on security groups, you won’t have to manually grant permissions every time a new admin needs access. By granting rights based on domain security groups, you can ensure that when users change roles, their rights in Secret Server also change appropriately.

Active Directory integration enables users to sign in with their normal domain account to gain access to privileged accounts, such as their domain administrator credential.

Microsoft also provides additional Single Sign On (SSO) and security options that Secret Server can leverage. With Integrated Windows Authentication or ADFS, you can provide SSO to Secret Server.

There may be some cases where Active Directory isn’t feasible due to separation of duties, environments under tight control, or no domain. In those situations, Secret Server does have its own user and group store and capabilities, and group membership changes can be delegated across teams to limit overhead.

Regardless of which user authentication methodology is right for your environment, you can use of Security Assertion Markup Language (SAML) for SSO.



IT departments seldom start from scratch when they implement Secret Server. Users already store passwords in spreadsheets, personal password managers, and text files. You can quickly get all users on board by importing existing passwords from other apps.

Secret Server’s Import feature simplifies integration with current and legacy systems and allows users to easily add large numbers of secrets or passwords from a CSV or XML file. As secrets are batch-imported by template, multiple types of input data must be imported in several batches.

You can use our migration tool to import passwords from third-party password managers. You can also do custom scripting with Secret Server’s API web services to build out an import process from a third-party or in-house application.


Web and Mobile Devices

Secret Server is a web-based application that can be accessed via any platform.

Secret Server has native apps for iPhone and Android. These mobile apps can be installed and configured in minutes.

Secret Server customers can access mobile applications from the Apple Store and Google Marketplace.


Start a Free 30-Day Trial of Secret Server