I'm concerned about the lack of documentation around the security features of PV Manager.
I'm considering moving over from KeePass, but the help documents and feature list aren't clear at all about whether the following things are offered:
Key Transformation Rounds settings for master key
Entering Master Key on Windows Secure Desktop
In-Process memory encryption for passwords
Secure Edit Controls to prevent spy applications from reading values in edit control
Two-Channel Auto-Type Obfuscation
Additional Secure Fields for each entry
Data Store Connection Encryption (what is being done to ensure that the records are securely encrypted in the database and on the TCP/IP connection from the DB to the app and back)
KeePass offers a great "Security" page which explains how they implemented the necessary security features:
I would appreciate something like this for this application before I am willing to use it as a password manager.
edited by n.west on 11/27/2012
We will try to improve our security information. What type of data source in PVM do you plan to use (Xml, SQL Server)?
I'm evaluating the Enterprise edition of Password Vault Manager and would be interested in your answers to the security questions posed by n. west. Particularly, whether the data store itself is encrypted.
We'd be using a SQL Server or SQL Server Express database as the data source.
Indeed, you can apply a Security Provider that will encrypt the whole content of the database as described here:
The passwords are always encrypted with AES 256 bits.
As for all the other questions, I need to write up a whole white paper for that. We use SecureStrings to store passwords while in memory, but when using third-party libraries (remoting, VPN, credential management...) sometimes they only accept strings, so it really depends on the technologies you use from within RDM.
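
The SecureString boundary mentioned in the last reply, as an added example that is not part of the thread and is not code from Password Vault Manager or RDM: it contrasts handing a secret to a string-only API with handing it to a buffer the caller can wipe. `LegacyConnect` and `BufferConnect` are hypothetical stand-ins for third-party calls, and the sample password is constructed.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;

static class SecureStringBoundary
{
    // Constructed sample secret; a real one would come from a password prompt.
    static SecureString MakeSample()
    {
        var s = new SecureString();
        foreach (char c in "constructed-sample-pw") s.AppendChar(c);
        s.MakeReadOnly();
        return s;
    }

    // Hypothetical stand-in for a third-party API that only accepts System.String.
    static void LegacyConnect(string password) =>
        Console.WriteLine($"string API received {password.Length} chars");

    // Hypothetical stand-in for an API that accepts a caller-owned buffer.
    static void BufferConnect(char[] password) =>
        Console.WriteLine($"buffer API received {password.Length} chars");

    static void Main()
    {
        using (SecureString secret = MakeSample())
        {
            // Path 1: string-only library. The managed string is immutable and
            // cannot be wiped; it stays readable on the heap until the GC reclaims it.
            IntPtr p = Marshal.SecureStringToGlobalAllocUnicode(secret);
            try { LegacyConnect(Marshal.PtrToStringUni(p)); }
            finally { Marshal.ZeroFreeGlobalAllocUnicode(p); } // wipes the unmanaged copy only

            // Path 2: pinned caller-owned buffer, so the GC cannot relocate it and
            // leave stray copies; both copies are zeroed once the call returns.
            var buf = new char[secret.Length];
            GCHandle pin = GCHandle.Alloc(buf, GCHandleType.Pinned);
            IntPtr q = Marshal.SecureStringToGlobalAllocUnicode(secret);
            try
            {
                Marshal.Copy(q, buf, 0, buf.Length);
                BufferConnect(buf);
            }
            finally
            {
                Array.Clear(buf, 0, buf.Length);
                Marshal.ZeroFreeGlobalAllocUnicode(q);
                pin.Free();
            }
        }
    }
}
```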