Exporting Passwords for Secure Offline Access
Password Manager Pro provides multiple export options for secure offline access and safekeeping of password information.
- The basic option is to export password information such as resource name, account name, and passwords in plain text to a spreadsheet.
- The more secure option is to export the passwords to an encrypted HTML file.
- In addition, Password Manager Pro allows auto-synchronization of the encrypted HTML file to user's mobile devices through Dropbox. Typical use case scenarios for this option include:
- A managed service provider (MSP) that uses Password Manager Pro to store shared passwords of their clients and technicians, but has no access to the application inside the client's network while visiting them.
- Technicians working in DMZs with no access to the application's web UI.
In all the above options, you can export the resources, accounts and passwords for offline access. Administrators can decide which option should be used in their organization. In addition, the export can be enabled or disabled for specific users or user groups based on requirements. However, before configuring user-specific settings for export, the feature should first be enabled globally for all the users.
To configure the settings globally,
- Navigate to Admin >> Settings >> Export Passwords Offline Access.
- In the dialog box that opens, the different options related to password export will be displayed. By default, two options, exporting passwords in plain text to .xls and exporting passwords to an encrypted HTML file, will be enabled for all users and administrators. You can disable these options by deselecting the respective check-boxes. The third option, i.e. automatic syncing of the encrypted HTML file to the user's mobile device through Dropbox, has to be enabled explicitly if you want to use it.
- Exporting resources in plain text to an .xls file
This option will allow the users and administrators to export resource details in plain text to a spreadsheet. However, in the Export Passwords / Offline Access UI window, you'll find another option "Include passwords in plain text in the exported file". You can disable this option globally to prevent passwords from being printed in plain text in the .xls file. Another option "Include files stored under FileStore, KeyStore, LicenseStore resource types and files stored under file additional fields" allows you to choose whether files can be included while exporting in plain text.
- Exporting passwords as an encrypted HTML file
You can export passwords as an encrypted HTML file so as to view the passwords even when there is no internet connection. This offline option is very secure. The contents of the file will be encrypted using the AES-256 algorithm with the passphrase that users are required to provide prior to exporting the passwords. PMP does not store this passphrase anywhere and we recommend that you do not store or write it down anywhere either. The HTML file cannot be opened without the passphrase. In case you forget the passphrase, you can export another HTML file. Your passphrase could be up to 32 characters long, including blank spaces.
To ensure that users set strong passphrases for their HTML file, a complexity policy is set by default if the encrypted HTML option is enabled. The default policy will be "Offline Password File". To change this policy, you can select any of the other three default password policies of PMP or the custom policies created by you, if any. You can select the desired policy in the "Encryption Passphrase Policy" field in the Export Passwords UI window.
Inactivity logout
You can also specify the inactivity log out time period in minutes, after which the user will be automatically logged out from the offline file while viewing the passwords in the browser. You can specify the timeout period against the text field "Allowed Inactivity Period".
- Enabling auto-synchronization of the encrypted HTML file to mobile devices through Dropbox
If you want to enable this option for the users in your organization, select the checkbox "Allow automatic syncing of encrypted HTML file to users' mobile device through Dropbox". Then, press the link "Test Dropbox connection for this PMP installation". This operation does the necessary background processes to enable users to upload the encrypted HTML file to their Dropbox account. This basically checks the proxy settings (if applicable in your environment) and tries to connect to the Dropbox app named "ManageEngine Password Manager Pro" created by PMP for this purpose.
Also, you can specify the tabs where the export option should be shown. By default, the options will be displayed in two tabs, Resources and Groups, at the extreme right corner of each respective screen. You can select or de-select any location anytime.
User-specific Settings for Export Passwords / Offline Access
To restrict certain users from having one or all of the password export options, or to allow only specific users to have this permission, user-specific settings can be changed from Users >> Export Passwords / Offline Access, after you have selected the desired users for whom settings should be changed. Alternatively, you can also carry out changes for an individual user by clicking on the User Actions icon against that specific user and selecting Export Passwords / Offline Access from the dropdown.
Imposing restriction for users
You can also impose granular restriction for the users while enabling/disabling export password options.
- When allowing users to export passwords in plain-text, you can require them to specify a reason for exporting. The reason entered here will be recorded as an audit trail. In addition, you can allow the users to export the resource name and user account details alone, but prevent them from exporting the passwords in plain-text.
- In the case of exporting passwords as an encrypted HTML, for security reasons, administrators can enforce automatic reset of the exported passwords after a specific time period.
- In case of syncing offline copy to user's mobile devices, administrators can enforce automatic deletion of offline copy from the user's devices after a specific time period. There is also an option to automatically reset the exported passwords immediately after deletion of offline copy from user's devices.
Least privilege model for security reasons
For security reasons, Password Manager Pro adopts the "Least privilege" model for users. For instance, let's assume that a particular user is part of three user groups and there is a group-level restriction for one of the groups: the members of the group are not allowed to export passwords in plain text. In the above scenario, even if the user has permission to export passwords in plain text at the individual level, the restriction imposed on one of the groups of which the user is a member will take precedence. This rule applies to all types of restrictions explained above.
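The precedence rule above, together with the global enablement requirement described earlier, can be modelled as a most-restrictive-wins evaluation. This is an added illustration, not Password Manager Pro code; the option labels, the `Principal` class, the sample user and groups, and the assumption that an unset setting imposes no restriction are all hypothetical.

```python
from dataclasses import dataclass, field

# Export options named on this page; these identifiers are illustrative labels,
# not Password Manager Pro setting names.
OPTIONS = ("plain_text_xls", "passwords_in_plain_text",
           "encrypted_html", "dropbox_sync")

@dataclass
class Principal:
    """A user or a user group with per-option export settings."""
    name: str
    # option -> True (allowed) / False (restricted).
    # Assumption: a missing key means no restriction is set at this level.
    settings: dict = field(default_factory=dict)

def effective_export_permissions(global_settings, user, groups):
    """Return {option: (allowed, blockers)} under least privilege.

    An option is usable only if it is enabled globally and neither the user
    nor any group the user belongs to restricts it. A single restriction
    overrides any number of explicit allows.
    """
    result = {}
    for opt in OPTIONS:
        blockers = []
        if not global_settings.get(opt, False):
            blockers.append("global")
        for principal in (user, *groups):
            if principal.settings.get(opt, True) is False:
                blockers.append(principal.name)
        result[opt] = (not blockers, blockers)
    return result

# Constructed sample data mirroring the scenario in the text: two export options
# are on by default, Dropbox sync has to be enabled explicitly, and one of the
# user's three groups forbids exporting passwords in plain text.
GLOBAL_SETTINGS = {"plain_text_xls": True, "passwords_in_plain_text": True,
                   "encrypted_html": True, "dropbox_sync": False}
ALICE = Principal("alice", {"passwords_in_plain_text": True})
GROUPS = [Principal("helpdesk"), Principal("dba"),
          Principal("contractors", {"passwords_in_plain_text": False})]

if __name__ == "__main__":
    perms = effective_export_permissions(GLOBAL_SETTINGS, ALICE, GROUPS)
    for opt, (allowed, blockers) in perms.items():
        status = "allowed" if allowed else "denied by " + ", ".join(blockers)
        print(f"{opt:26} {status}")
```

Listing the blocking level alongside each decision makes it easier to trace why a user who was granted an export permission individually still cannot use it.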
Steps to export resources
The passwords can be exported by users and administrators as per the settings configured by the Password Manager Pro Administrator.
To export resources, navigate to Resources >> Export
Option 1 - Exporting resources in plain text to a spreadsheet
- To export resources in plain text
- Click the button "Export" present in the Resources tab and select "In Plain text" from the drop down.
The resources are exported to a file and it is shown as a pop-up. Save the file in a secure location in (.xls) format.
Option 2 - Exporting Resources as an Encrypted HTML file
- To Export Resources as an Encrypted HTML file
- Click the button "Export" present in the Resources tab and select "As Encrypted HTML" from the drop down.
- A UI will open. You have to specify a passphrase in accordance with the password policy enforced by your administrator that will be used for encrypting (AES 256) the HTML file for offline access.
- You can open the file in any web browser by providing the same passphrase. Remember that Password Manager Pro does not store the passphrase anywhere, so if you forget the passphrase, you cannot open the file. We also recommend that you do not store or write down the passphrase anywhere.
- Confirm the passphrase and enter a reason for exporting the passwords.
The resources are exported to a file and it is shown as a pop-up. Save the file in a secure location in (.html) format.
Option 3 - Automatically syncing the encrypted HTML file to user's mobile devices through Dropbox
- To automatically sync the encrypted HTML file to mobile through Dropbox
- Click the button "Sync Encrypted HTML to my mobile" from Export Passwords present in the Resources tab.
- When you attempt this option for the first time, you will be directed to authorize Password Manager Pro to sync with Dropbox.
- On clicking the "Authorize" button, you will be redirected to Dropbox service and after logging in to Dropbox, you have to authorize Password Manager Pro to upload the password file to your Dropbox account.