Applies to: All versions of Centrify Deployment Manager.
Question:
- What type of database does Centrify Deployment Manager use?
- What encryption is used?
- What encryption key ensures that only the user account that encrypted the credentials can decrypt them?
- Is there any way to prevent the application from storing credentials at all?
Answer:
- Centrify's Deployment Manager uses Microsoft's SQL Server Compact Edition.
- The database file has the extension .sdf.
- Centrify uses Microsoft's Data Protection API (DPAPI) to protect the stored data.
- Deployment Manager uses the AD user's own credentials as the encryption key.
- When you enter account information in Deployment Manager, the user name and password are stored securely in the Deployment Manager repository and are available only to the user who created them. In addition, all passwords in the repository are encrypted with the access token of the currently logged-on Windows user. Therefore, even if other users have access to the Deployment Manager repository, they cannot decrypt the stored passwords, because they do not have access to the Windows user account and password that were used to encrypt the information. Decrypting a stored password requires the user who created it in Deployment Manager to log on and access the database from the same computer on which the password was encrypted.
- The idea behind Deployment Manager is automation.
- To automate tasks across hundreds of systems, the stored credentials are used to connect to those systems and perform privileged operations, such as installing Centrify software and managing local accounts.
- Otherwise, the application would have to prompt the user for a password every time a connection is made or a privileged operation is performed.
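The user-scoped DPAPI behaviour described in the answer above can be seen directly from PowerShell. The script below is an added example, not Centrify's code and not a reproduction of how Deployment Manager accesses its .sdf repository; the function names and the placeholder password are hypothetical, and it assumes PowerShell on Windows with the .NET System.Security assembly available.

```powershell
# Added example (not Centrify code): protect a secret with DPAPI in CurrentUser scope,
# the same protection model the answer above describes, and round-trip it.
Add-Type -AssemblyName System.Security

function Protect-SecretForCurrentUser {
    param([Parameter(Mandatory)][string]$PlainText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($PlainText)
    # CurrentUser scope ties the DPAPI master key to the logged-on user's credentials.
    # LocalMachine scope would let any account on this machine decrypt the blob, which
    # is exactly the property a stored-credential repository must avoid.
    # The second argument is optional entropy; $null means none is mixed in.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Array]::Clear($bytes, 0, $bytes.Length)   # do not leave the plaintext in memory longer than needed
    return [Convert]::ToBase64String($blob)
}

function Unprotect-SecretForCurrentUser {
    param([Parameter(Mandatory)][string]$Base64Blob)
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
            $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        return [System.Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # This is what another user sees: the blob is intact and readable from disk,
        # but DPAPI cannot derive the key, so the ciphertext stays opaque.
        Write-Warning "DPAPI could not unprotect the blob as $env:USERDOMAIN\$env:USERNAME: $($_.Exception.Message)"
        return $null
    }
}

# Constructed sample value: a placeholder, not a real credential.
$secret    = 'P@ssw0rd-placeholder'
$protected = Protect-SecretForCurrentUser -PlainText $secret
"Protected blob is $($protected.Length) base64 characters, bound to $env:USERNAME"

# Same user, same machine: the round trip succeeds.
$recovered = Unprotect-SecretForCurrentUser -Base64Blob $protected
if ($recovered -ne $secret) { throw 'Round trip failed' }
'Same user: decrypted OK'

# To observe the failure case, save $protected to a file and call
# Unprotect-SecretForCurrentUser on it from a PowerShell session running as a
# different account; it returns $null with the warning above instead of the secret.
```

Note that the blob itself is not secret; the protection rests entirely on the DPAPI key derived from the encrypting user's logon credentials, which is why copying the .sdf file to another account does not expose the stored passwords.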