Credential Management

Secure credential management is critical for successful infrastructure discovery. Tripl-i provides enterprise-grade credential vaulting with encryption, access control, and audit capabilities to ensure your discovery credentials remain secure while enabling comprehensive infrastructure scanning.

Credential Vault Architecture

Security model

Encryption standards

Tripl-i uses industry-leading encryption to protect your credentials at every stage.

Encryption at Rest

Property	Details
Algorithm	AES-256-GCM
Key Management	AWS KMS, Azure Key Vault, HashiCorp Vault, Local HSM
Key Rotation	Automatic, 90-day default cycle

Encryption in Transit

Property	Details
Protocol	TLS 1.3
Certificate	4096-bit RSA or P-384 ECDSA
Perfect Forward Secrecy	Enabled
Cipher Suites	TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256

Credential Types

Tripl-i supports a wide range of credential types to cover your entire infrastructure landscape.

Windows credentials

Domain Credentials

Use Active Directory domain credentials to discover Windows servers and workstations joined to your domain.

Fields required: Domain (e.g., CORP\discovery_user), Password, optional Kerberos toggle, optional Alternative UPN (e.g., discovery@corp.local)
Permissions required:
- Domain Users membership
- Read access to Active Directory objects
- Remote WMI access
- Performance Monitor Users
- Event Log Readers
Best practices:
- Use a dedicated service account for discovery
- Enable "Password never expires" on the service account
- Perform regular audits of account permissions
- Monitor account usage for anomalies

Local Administrator

Use local Windows accounts for machines that are not domain-joined.

Fields required: Username (e.g., .\admin_discovery), Password, optional NTLM toggle
Usage scenarios:
- Workgroup computers
- Non-domain systems
- Isolated networks
- DMZ servers

Linux/Unix credentials

SSH Key Authentication (Recommended)

SSH key-based authentication provides the strongest security for Linux and Unix discovery.

Fields required: Username (e.g., discovery), Private Key, optional Passphrase
Supported key types: RSA-4096, ED25519
Setup requirements:
- Generate a dedicated discovery key pair
- Deploy the public key to each target system
- Configure limited sudo access on targets for commands like hardware inventory and network statistics

Password Authentication

Use password-based SSH when key-based authentication is not available.

Fields required: Username, Password, optional separate Sudo Password, Enable Sudo toggle
Security notes:
- Less secure than key-based authentication
- Use only when key deployment is not possible
- Implement fail2ban or equivalent brute-force protection on target systems
- Monitor authentication logs for suspicious activity

Network device credentials

SNMPv3 Credentials

SNMPv3 provides secure monitoring of network devices with authentication and encryption.

Fields required: Username (e.g., tripl_i_ro), Authentication Protocol and Password, Privacy Protocol and Password, optional Context
Supported authentication protocols: SHA-256
Supported privacy protocols: AES-256
Security levels:

Level	Description	Recommendation
noAuthNoPriv	No authentication, no encryption	Not recommended
authNoPriv	Authentication only, no encryption	Minimum acceptable
authPriv	Full authentication and encryption	Recommended

Network Device SSH/Telnet

Connect to network devices using their command-line interface.

Fields required: Protocol (SSH preferred, Telnet as fallback), Username, Password, optional Enable Password (for Cisco devices), Port
Supported vendors: Cisco IOS/NX-OS, Juniper Junos, Arista EOS, HP/Aruba

Cloud credentials

AWS Credentials

Discover your AWS cloud infrastructure by providing IAM credentials.

Fields required: Access Key ID, Secret Access Key, optional Session Token (for temporary credentials), Region, optional Assume Role ARN
Required IAM permissions: Read-only access to EC2, RDS, Elastic Load Balancing, Auto Scaling, and CloudWatch services (Describe and List actions)

Azure Credentials

Discover your Azure cloud resources using a Service Principal.

Fields required: Tenant ID, Client ID, Client Secret, optional Subscription ID (to limit scope to specific subscriptions)
Required Azure roles:
- Reader on target subscriptions or resource groups
- Monitoring Reader for metrics collection
- Log Analytics Reader for log access

Credential Management Interface

Web UI management

Create and manage credentials directly from the Tripl-i web interface.

Credential creation workflow:

Navigate to Settings > Credentials
Click Add Credential
Select the credential type from the dropdown
Fill in the required fields for that credential type
Set the scope and apply tags to organize your credentials
Click Test Connectivity to validate the credential against a target
Click Save to encrypt and store the credential

Additional features:

Syntax validation -- Validates credential fields before saving
Connection testing -- Verifies credentials work against target systems
Duplicate detection -- Warns when similar credentials already exist
Bulk import/export -- Manage credentials at scale
Template library -- Start from pre-built credential templates

API management

Credentials can also be created and managed through the Tripl-i REST API. When creating a credential via the API, you provide:

Name and description to identify the credential
Type (e.g., ssh_key, ssh_password, windows_domain, snmpv3, aws_iam, azure_sp)
Credential fields specific to the type (username, private key, passwords, etc.)
Scope to control which targets the credential applies to, including IP ranges, tags, and exclusions
Settings such as connection timeout, retry count, and rate limiting

CLI management

The Tripl-i command-line interface provides full credential management capabilities:

List credentials -- View all credentials, optionally filtered by type
Create credentials -- Add new credentials with name, type, username, and scope
Test credentials -- Validate a credential against a specific target host
Update credentials -- Modify existing credentials, including password rotation with notification
Delete credentials -- Remove credentials with confirmation

Credential Scoping

Scoping controls which target systems a credential applies to during discovery scans. Tripl-i provides three scoping strategies.

IP range scoping

Define which network ranges a credential covers.

Include rules: Specify IP ranges or subnets the credential applies to (e.g., all internal networks, specific private ranges, or local subnets)
Exclude rules: Carve out specific subnets or hosts that should not use this credential (e.g., management networks, secure segments)
Priority rules:
1. The most specific match wins
2. Exclude rules override include rules
3. Tag-based scopes are applied in addition to IP-based scopes

Tag-based scoping

Assign credentials based on asset tags and properties.

Scope Name	Tag Criteria	Assigned Credential
Production Windows	OS type: Windows, Environment: Production	Production Windows credential
Development Linux	OS type: Linux, Environment: Development	Development Linux credential
Network Devices	Device type: Network, Vendor: Cisco	Cisco SNMP credential

Dynamic scoping

Create rule-based credential selection using conditions. Dynamic scoping evaluates asset properties at discovery time and selects the appropriate credential automatically.

Example rules:

AWS EC2 Instances: When the platform is AWS and the service is EC2, use the AWS discovery role credential
Domain Controllers: When the OS contains "Windows Server" and Active Directory services are detected, use the read-only domain admin credential

Rules can combine multiple conditions using AND/OR logic to match specific infrastructure scenarios.

Security Features

Access control

Tripl-i enforces role-based access control for all credential operations.

Role	Capabilities
Credential Administrator	Create, modify, and delete all credentials. View audit logs. Manage access policies. Export credentials.
Discovery Operator	Use assigned credentials for scans. Test connectivity. View credential metadata. Request access to additional credentials.
Auditor	View credential usage logs. Generate compliance reports. Access audit trails. No direct credential access.

Approval workflow features:

Multi-person approval required for access to sensitive credentials
Time-based access windows that automatically expire
Automatic revocation when access windows close
Emergency access (break-glass) procedures for urgent situations

Audit logging

Every credential interaction is recorded in a detailed audit log that captures:

Event type (access, creation, modification, deletion, rotation)
Timestamp of the event
User who performed the action
Action details (which credential was accessed and for what purpose)
Source IP of the requester
Discovery target the credential was used against
Success or failure status
Session ID for correlation with discovery runs

Credential rotation

Tripl-i supports automatic credential rotation to maintain security hygiene.

Rotation-eligible credential types:

Password credentials
API keys
Cloud access keys

Rotation policy options:

Policy	Rotation Interval
Default	90 days
High Security	30 days
Service Accounts	180 days

Rotation process:

Generate a new credential value
Test the new credential against target systems
Update the discovery engine with the new credential
Verify discovery functionality with the new credential
Revoke the old credential
Notify administrators of the completed rotation

Integration

External vaults

HashiCorp Vault

Tripl-i integrates with HashiCorp Vault for centralized secret management.

Real-time credential retrieval at discovery time
Dynamic secret generation (credentials created on-demand)
Automatic lease management and renewal
AppRole authentication support
Configurable mount paths and namespaces

CyberArk Integration

Tripl-i integrates with CyberArk Privileged Access Management.

Privileged account checkout for discovery sessions
Automatic check-in when discovery completes
Session recording support
Dual control approval workflows
Configurable safe and folder targeting
Timeout management for credential retrieval

Password managers

Tripl-i can synchronize credentials from popular enterprise password management platforms:

1Password Business
LastPass Enterprise
Bitwarden Business
Keeper Security

Synchronization options:

Setting	Description
Sync Direction	One-way import only (password manager to Tripl-i)
Sync Interval	Configurable (default: hourly)
Conflict Resolution	Skip conflicting entries
Categories	Filter by password manager categories (e.g., Discovery Credentials, Service Accounts)

Best Practices

1. Credential hygiene

Use dedicated discovery accounts separate from personal or admin accounts
Implement least-privilege access -- grant only the permissions discovery requires
Conduct regular permission audits to identify and remove excess access
Enable automatic rotation for all eligible credential types

2. Security hardening

Enable multi-factor authentication for credential vault access
Configure IP whitelisting to restrict credential management to trusted networks
Set time-based access windows to limit when credentials can be used
Document and test break-glass procedures for emergency access

3. Operational excellence

Test credentials on a regular schedule to catch expiration or permission changes early
Monitor usage patterns to detect unusual access activity
Document all credentials with clear names, descriptions, and ownership
Maintain an access matrix showing which roles can use which credentials

4. Compliance

Perform quarterly access reviews to verify credential assignments
Conduct annual comprehensive credential audits
Generate compliance reports for regulatory frameworks (SOX, HIPAA, PCI-DSS)
Collect and archive evidence of credential management practices

Troubleshooting

Common issues

Authentication Failures

Symptoms: Discovery fails with authentication errors, connection timeouts, or access denied messages
Diagnosis steps:
1. Test the credential manually against the target system
2. Check the account status (locked, disabled, expired)
3. Verify the account has the required permissions
4. Review security logs on the target system
5. Confirm network connectivity between the discovery agent and the target
Solutions:
- Reset the account password if expired
- Unlock the account if it has been locked out
- Update credentials in Tripl-i if they were changed externally
- Fix permission gaps on target systems
- Whitelist the discovery agent IP in target system firewalls

Performance Issues

Symptoms: Slow credential retrieval, timeout errors, or discovery queue backlog
Solutions:
- Enable credential caching to reduce vault lookups
- Optimize queries to external vault integrations
- Increase the connection pool size for high-volume discovery
- Deploy regional vault instances closer to discovery agents
- Review and optimize credential access patterns

Credential testing

Use the built-in credential testing tools to validate connectivity before running discovery scans.

Windows credentials: Test against a target IP using the Windows credential type to verify WMI access
SSH credentials: Test key-based or password-based SSH connectivity against a target host
SNMP credentials: Test SNMPv3 authentication and privacy settings against a network device

All credential tests can be run from the web interface (Settings > Credentials > Test) or from the CLI with verbose output for detailed diagnostics.

Disaster Recovery

Backup procedures

Tripl-i automatically backs up your credential vault with the following strategy:

Property	Details
Frequency	Daily
Retention	30 days
Encryption	AES-256

Included in backups:

All encrypted credentials
Access policies and role assignments
Audit logs
Vault configuration

Excluded from backups:

Temporary tokens
Active session data
Cache entries

Recovery process

In the event of a credential vault failure, follow these steps:

Restore from backup -- Select the appropriate backup file and provide the recovery key to decrypt and restore all credentials
Validate restoration -- Run a connectivity test against all restored credentials and review the validation report for any failures
Re-encrypt with new keys -- If a key compromise is suspected, re-encrypt all credentials using a new master key with AES-256-GCM encryption

Next Steps

Discovery Patterns -- Custom discovery rules
Scheduling -- Discovery scheduling strategies
Troubleshooting -- Common issues and solutions

Credential Vault Architecture​

Security model​

Encryption standards​

Credential Types​

Windows credentials​

Linux/Unix credentials​

Network device credentials​

Cloud credentials​

Credential Management Interface​

Web UI management​

API management​

CLI management​

Credential Scoping​

IP range scoping​

Tag-based scoping​

Dynamic scoping​

Security Features​

Access control​

Audit logging​

Credential rotation​

Integration​

External vaults​

Password managers​

Best Practices​

1. Credential hygiene​

2. Security hardening​

3. Operational excellence​

4. Compliance​

Troubleshooting​

Common issues​

Credential testing​

Disaster Recovery​

Backup procedures​

Recovery process​

Next Steps​