DocumentationRelease Notes
Log In
Documentation

Vault FAQs

Suggest Edits
What communication pathways are used with BeyondTrust Vault (ports, protocols, connection types, etc.)?

Active Directory and discovery:

  • By default, discovery occurs over LDAP via the Active Directory Service Interface (ADSI) on port 389.
  • If LDAPS is enabled, Active Directory queries run over LDAP under an SSL/TLS layer on port 636, unless another port is specified. This transport-layer security encrypts all data communicated to and from Active Directory.

Windows local discovery:

  • Local Windows accounts are discovered via a series of calls directly to Windows APIs.
  • These APIs use Remote Procedure Calls (RPCs) and named pipes as the network protocol.
  • The RPC process translates the request parameters as well as any response data into a standard, encoded format for transmission.
  • Protection is negotiated at the operating system level.
Where is the Vault encryption key stored? Can it be accessed via /login or /appliance?
  • The Vault encryption key is needed to decrypt credentials managed by BeyondTrust Vault. This key is stored in one of the credential stores configured on the appliance.
  • The encryption key can be backed up by going to /login > Management > Software Management > Backup Vault Encryption Key. The backup file format used for the encryption key is the same NSB file format used for configuration and reporting data.
Where does encryption for BeyondTrust Vault occur?
  • Passwords and private SSH keys are encrypted at rest using AES-256-GCM in addition to any full disk encryption enabled for the BeyondTrust Appliance B Series.
  • Passwords and private SSH keys are encrypted in transit using an ephemeral public+private key pair when used for injection. This encryption occurs in addition to Secure Remote Access's use of TLS to encrypt communication among all Secure Remote Access components, such as the B Series Appliance, Jumpoint, customer client, etc.
  • Passwords are encrypted in transit by TLS.
  • Passwords used by Jumpoints to authenticate with Active Directory are never sent in plaintext to Active Directory.
Is the Secure Remote Access application database encrypted, and if so, how?

BeyondTrust Vault stores data in an encrypted format in the database. If full disk encryption is enabled for your B Series Appliance, the Secure Remote Access application database is also encrypted. However, this is independent of the encryption performed by BeyondTrust Vault.

What best practices are recommended to maintain the highest level of security across all points of connection (discovery, injections, support, etc.)?
  • BeyondTrust recommends using a valid CA-signed SSL certificate to protect communication among all Secure Remote Access components.
  • We recommend that Jumpoints run on a system only a few privileged users have permissions to access.

ℹ️

Note

There are no user-visible security settings for BeyondTrust Vault.

Updated 5 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.