Credential Management in BeyondTrust Remote Support (On-Premises)

Credential Management with BeyondTrust Vault

BeyondTrust Vault is an on-appliance credential store, enabling discovery of and access to privileged credentials. You can manually add privileged credentials, or you can use the built-in discovery tool to scan and import Active Directory and local accounts into BeyondTrust Vault.

BeyondTrust Vault fits seamlessly with service desk workflow because it is integrated directly with the Remote Support solution. Technicians do not have to learn to use another tool or even exit BeyondTrust to retrieve passwords. With just one click in the BeyondTrust representative console, users can simply select the correct credential from the dropdown and log directly into a remote system - without ever having to know or even see the actual password.

Frequently Asked Questions about BeyondTrust Vault

What communication pathways are used with BeyondTrust Vault (ports, protocols, connection types, etc.)?

  • Active Directory and Discovery:
    • By default, discovery occurs over LDAP via the Active Directory Service Interface (ADSI) on port 389.
    • If LDAPS is enabled, Active Directory queries run over LDAP under an SSL/TLS layer on port 636, unless another port is specified. This transport-layer security encrypts all data communicated to and from Active Directory.
  • Windows Local Discovery
    • Local Windows accounts are discovered via a series of calls directly to Windows APIs.
    • These APIs use Remote Procedure Calls (RPCs) and named pipes as the network protocol.
    • The RPC process translates the request parameters as well as any response data into a standard, encoded format for transmission.
    • Protection is negotiated at the operating system level.

Where does encryption for BeyondTrust Vault occur?

  • Passwords and private SSH keys are encrypted at rest using AES-256-GCM in addition to any full disk encryption enabled for the Secure Remote Access Appliance.
  • Passwords and private SSH keys are encrypted in transit using an ephemeral public+private key pair when used for injection. This encryption occurs in addition to Remote Support's use of TLS to encrypt communication among all BeyondTrust components, such as the appliance, Jumpoint, customer client, etc.
  • Passwords are encrypted in transit by TLS.
  • Passwords used by Jumpoints to authenticate with Active Directory are never sent in plaintext to Active Directory.

Where is the Vault encryption key stored? Can it be accessed via /login or /appliance?

  • The Vault encryption key is needed to decrypt credentials managed by BeyondTrust Vault. This key is stored on disk in your Secure Remote Access Appliance.
  • For added security and protection, check out BeyondTrust Remote Support's Data at Rest Encryption functionality at .

  • The encryption key can be backed up by going to /login > Management > Software Management > Backup Vault Encryption Key. The backup file format used for the encryption key is the same .nsb file format used for configuration and reporting data.

Is the BeyondTrust application database encrypted, and if so, how?

  • BeyondTrust Vault stores data in an encrypted format in the database. If full disk encryption is enabled for your Secure Remote Access Appliance, the BeyondTrust application database is also encrypted. However, this is independent of the encryption performed by BeyondTrust Vault.

What best practices are recommended to maintain the highest level of security across all points of connection (discovery, injections, support, etc)?

  • BeyondTrust recommends using a valid CA-signed SSL certificate to protect communication among all BeyondTrust components.
  • Jumpoints should run on a system only a few privileged users have permissions to access.

For more information about Jumpoints, please see Remote Support Jumpoint Guide: Unattended Access to Computers in a Network.

At this time, there are no user-visible security settings for BeyondTrust Vault.