Sensitive Data in the Kron PAM Database
Kron PAM stores several kinds of sensitive data. The table below lists each item by module, together with how it is protected in the database:
Module | Sensitive Data | Encryption method |
---|---|---|
Core | Global system parameter: aioc.backup.ftp.password | AES256 |
Core | Global system parameter: netright.jdbc.password | AES256 |
Core | Global system parameter: hsm.keystore.load.password | AES256 |
Core | Global system parameter: hsm.keystore.entry.password | AES256 |
Core | Global system parameter: sc.integration.ldap.password_n, where n is a natural number (0 or greater) | AES256 |
Core | Global system parameter: sc.device.integration.ldap.password_n, where n is a natural number (0 or greater) | AES256 |
Core | Global system parameter: device.database.password_n, where n is a natural number (0 or greater) | AES256 |
Core | Global system parameter: http.proxy.ssl.ca.password | AES256 |
Core | Global system parameter: sc.aaa.freeradius.password | AES256 |
Core | Global system parameter: mail.password for email server | AES256 |
Core | User Accounts: local user account passwords | SHA256 |
Core | User Accounts: external user account passwords (LDAP or Active Directory) | Not stored |
Core | SSH Key Management: local user account SSH private key | AES256 |
Core | SSH Key Management: local user account SSH public key | Plain |
Core | SSH Key Management: local user group SSH private key | AES256 |
Core | SSH Key Management: local user group SSH public key | Plain |
Session Manager | globalPassword in Device Group parameters | AES256 |
Session Manager | globalEnablePassword in Device Group parameters | AES256 |
Session Manager | globalSshKey in Device Group parameters | AES256 |
Session Manager | globalSecretKey in Device Group parameters | AES256 |
Session Manager | Device parameter: remoteDesktop.sftp-password | AES256 |
Session Manager | Password (or other sensitive data) typed in RDP/VNC sessions with configured key logging | Masked |
SAPM | new.password.encryption.key | AES256 |
SAPM | super.password | AES256 |
SAPM | Account passwords | AES256 |
SAPM | Account old passwords | AES256 |
SAPM | Account secret data | AES256 |
SAPM | Account SSH key | AES256 |
SAPM | Account SSH key passphrase | AES256 |
AAPM | AAPM account token | AES256 |
AAPM | Service Account Password | AES256 |
AAPM | “OS Account Password” for the security levels “Basic + PIN + Path” and “Basic + PIN + Path + Hash” | AES256 |
RADIUS | “Certificate Private Key Password” in Radius 802.1x Config | AES256 |
Data Access Manager | Data Source Passwords | AES256 |
Cloud integration | AWS API Key | Plain |
Cloud integration | AWS Secret Key | AES256 |
Cloud integration | Azure Client ID | Plain |
Cloud integration | Azure Tenant ID | Plain |
Cloud integration | Azure secret key | AES256 |
Cloud integration | Azure Subscription ID | Plain |
Cloud integration | Google Cloud Platform client secret | AES256 |
MFA | 2FA Provisioning: user token | Plain |
MFA | 2FA Provisioning: user group token | Plain |
Controller | Instance SSH key | AES256 |
Controller | Instance password | AES256 |