BeyondTrust Secure Remote Access Integration with Password Safe


The Secure Remote Access integration with Password Safe enables automatic password injection to authorized systems through an encrypted BeyondTrust connection, which removes the need to share and expose credentials to privileged accounts. In addition to the automatic rotation and retrieval of managed local accounts, Password Safe can also retrieve linked accounts, giving domain admins and other privileged users access to those credentials on the targeted system. If enabled within the Privileged Remote Access /login administrative software, Password Safe Managed RDP and shell systems can be searched and accessed from the Privileged Remote Access access consoles.

You must purchase this integration separately for both your BeyondTrust Secure Remote Access Appliance and Password Safe solutions. For more information, contact BeyondTrust sales.

The Secure Remote Access integration enables:

  • One-click password injection and session spawning
  • Credentials to never be exposed to authorized users of BeyondTrust
  • Access to systems on or off the network with no preconfigured VPN or other routing in place
  • Passwords to be securely stored in Password Safe

Password Safe uses the BeyondTrust Endpoint Credential Manager (ECM) service to communicate with the Secure Remote Access Appliance. The ECM service is pre-installed with Password Safe, and configuring Secure Remote Access in Password Safe configures the API user, group, and registration. Once a Secure Remote Access connection is configured within Password Safe, users see a list of administrator-defined credentials for the endpoints they are authorized to access. A set of these credentials can be selected when challenged with a login screen during a remote session, and the user is automatically logged in, having never seen the username/password combination.

Password Safe handles all elements of securing and managing the passwords, so policies that require password rotation after use are inherently supported. The Secure Remote Access Appliance handles creating and managing the access to the endpoint, as well as recording and controlling the level of access granted to the user. This includes what the user can see and do on that endpoint.


  • Password Safe Cloud or On-premises 21.2 or later release
  • A Secure Remote Access Appliance
  • TCP Port 443 must be open for communication between the Password Safe API and the Secure Remote Access Appliance API
  • Searching and accessing Password Safe Managed Systems from the PRA access consoles requires:
    • A deployed Jumpoint in PRA.
    • The Password Safe installation must use the same user authentication method as Privileged Remote Access.
    • The Endpoint Credential Manager software must be version 1.6 or higher.