Rotate Privileged Credentials Using BeyondTrust Vault for PRA

It is a security best practice to rotate or change privileged credentials frequently. With BeyondTrust Vault, you can choose to set imported domain credentials to automatically rotate after each use, or you can manually rotate credentials at any time. Three actions trigger the automatic rotation of domain credentials:

  • Manually checking in a credential from the /login interface.
  • Leaving an access session where credential injection has been used.
  • Scheduled password rotation is enabled and the password has reached its maximum age.

Rotate Domain and Local Credentials Manually

  1. From the /login interface, go to Vault > Accounts.
  2. Click the ellipsis (...) for the account password you wish to rotate.
  3. Select Rotate Password.

Once rotation is complete, the Password Age information updates with a time stamp of a few seconds.

Configure Automatic Rotation of Vault Credentials

  1. From the /login interface, go to Vault > Accounts.
  2. Click the ellipsis (...) for the account password you wish to configure.
  3. Select Edit.
  4. Check Automatically Rotate Credentials after Check In.
  5. Click Save.

After each use, the account's credentials rotate automatically.

Schedule Password Rotation for Vault Accounts

You can configure passwords to automatically rotate for all vault accounts when the password reaches a specified maximum age as follows:

  1. From the /login interface, go to Vault > Options.
  2. Check Enable Scheduled Password Rotation.
  3. Set the Maximum Password Age value in days.
  4. Click Save.

Accounts that are checked out are rotated after check in based on their configuration.