Security of SQL Database contents


Hi,

I'm thinking about my deployment, and I'm wondering what, if any, sensitive data is stored in cleartext in the database when using SQL Server.

I've already determined that team entries are stored at least mildly in cleartext, and it appears that user vault entries are encrypted in some manner, but I'd like a little insight into how those entries are encrypted. Basically, is there something in the database that could be used for decryption, should the DB get compromised, or are the entries encrypted with some sort of identifier for the user?

If there is something that could be used to decrypt entries in an offline database, I'd deploy to a different set of servers with stricter access control.

Thanks,

All Comments (1)

Hello,

To encrypt the database, you would need to configure a Security provider: https://docs.devolutions.net/kb/remote-desktop-manager/knowledge-base/security-providers-best-practices/

To review the security model, you can refer to https://cdndevolutions.blob.core.windows.net/documents/legal/security/security-encryption-en.pdf

If security is your primary concern, we recommend looking into Devolutions Server as a data source if you wish to stay in a self-hosted environment. It adds a web layer between the database and RDM, so the users do not have direct access to the database - https://devolutions.net/solutions/use-case/how-organizations-can-use-devolutions-server-to-improve-security-when-authenticating-remote-desktop-manager-users/ . It also includes many other improvements, such as AD, AAD, Okta groups that can be used for permission, Devolutions Gateway and PAM modules, Syslog integration, etc.

Let us know if you have any questions!

Best regards,

Richard Boisvert