Exporting Passwords for Secure Offline Access
PMP provides multiple export options for secure offline access and safekeeping of password information.
- The basic option is to export the resource name, account name and passwords in plain-text in a spreadsheet
- The more secure option is to export the passwords to an encrypted HTML file
- There is also a provision to automatically synchronize the exported HTML file to users' mobile devices through Dropbox. Typical use cases for this option include:
  - A managed service provider (MSP) that uses PMP to store the shared passwords of its clients, and whose technicians visit clients with no access to the PMP installed in their network
  - Technicians working in DMZs with no access to the PMP web interface
Administrators decide which of these options (encrypted HTML or auto-sync to mobile devices) are to be used in their organization. In addition, export can be enabled or disabled for specific users or user groups as required.
In all the options above, you can export the resources, accounts and passwords for offline access.
Administrative Setting for Exporting of Passwords
Administrators have to determine whether to allow the users in their organization to export passwords using any of the three options. Administrators can change this setting at any time as needed. The settings made here take effect globally for all users and administrators.
This can be done from Admin >> Customize >> Export Passwords - Offline Access GUI.
By default, the first two options, exporting passwords in plain text to .xls and exporting passwords to an encrypted HTML file, are enabled for all users and administrators. You can withdraw this permission by deselecting the respective check-box. The third option, which allows users to export passwords to an encrypted HTML file and automatically sync it to their mobile devices through Dropbox, has to be enabled explicitly if you want to offer it.
Settings for exporting resources in plain-text to a .xls file
While allowing users and administrators to export passwords, you can choose to export only the resource and account details and prevent the passwords from being written in plain text to the .xls file. To do so, deselect the check-box "Include passwords in plain-text in the exported file".
Settings for exporting passwords in encrypted HTML file
Password Policy for offline copy
You can export passwords to an encrypted HTML file so that you can view them even without a network connection to PMP. The protection of this offline copy rests on the passphrase: the contents of the file are encrypted with the AES-256 algorithm using the passphrase supplied by the user when exporting the passwords, and PMP does not store this passphrase anywhere.
As the name indicates, a passphrase is different from an ordinary password. Because passphrases are not stored anywhere, you must be able to remember them. A weak passphrase is undesirable from a security standpoint. Your passphrase can be up to 32 characters long, including blank spaces.
Administrators can enforce standard policies for passphrases. The required policy can be selected from the three default password policies of PMP or from any custom policies you have created. Select the desired policy under "Encryption Passphrase Policy". PMP ships with a policy named "Offline Password File", which is enforced by default.
You can also specify an inactivity logout period in minutes, after which the user is automatically logged out of the offline file while viewing the passwords in the browser. Enter the timeout in the text field "Allowed Inactivity Period".
Settings for syncing encrypted HTML to mobile devices through Dropbox
If you want to enable this option for the users in your organization, select the check-box "Allow automatic syncing of encrypted HTML file to users' mobile device through Dropbox". Then click the link "Test Dropbox connection for this PMP installation". This performs the background steps needed to let users upload the encrypted HTML file to their Dropbox account: it checks the proxy settings (if applicable in your environment) and tries to connect to the Dropbox app named "ManageEngine Password Manager Pro", which PMP has created for this purpose.
You can also specify where the export option is shown. By default, the option is displayed in three places: the Home tab, the Resources tab and the Resource Groups tab, at the extreme right corner. You can select or deselect any location at any time.
Important Note: All the above options take effect globally for all users and administrators in the organization. If you want to enable or disable specific options for specific users, follow the 'User-specific settings' procedure explained below.
If you want to restrict certain users from having one or all of the password export options, or if you want to allow only specific users to have this permission, configure user-specific settings under Admin >> Users >> Export Passwords Settings.
Select or deselect the check-box against any of the three options to enable or disable that option for the user. User-specific settings are subject to the global administrative setting described above: if an option has been disabled globally, it cannot be enabled for a specific user alone. Conversely, if an option has been enabled globally, it can be enabled or disabled at will for specific users.
Imposing restrictions for users
You can also impose fine-grained restrictions for the users when enabling/disabling options to export passwords.
- When allowing users to export passwords in plain text, you can require them to specify a reason for exporting. The reason entered is recorded in the audit trail. In addition, you can allow users to export only the resource name and user account details and prevent them from exporting the passwords in plain text.
- In the case of exporting passwords as encrypted HTML, administrators can, for security reasons, enforce an automatic reset of the exported passwords after a specified period (in days and hours).
- In the case of syncing the offline copy to users' mobile devices, administrators can enforce automatic deletion of the offline copy from the users' devices after a specified period (in days and hours). There is also an option to automatically reset the exported passwords immediately after the offline copy is deleted from the users' devices.
Least privilege model for security reasons
To ensure security, PMP adopts the 'least privilege' model for users. For example, assume that a particular user is a member of three user groups, and that one of those groups carries a group-level restriction: its members are not allowed to export passwords in plain text. In this scenario, even if the user has permission to export passwords in plain text at the individual level, the restriction imposed on the group of which the user is a member takes precedence. This rule applies to all the types of restrictions explained above.
Passwords can be exported by users and administrators according to the settings made by the PMP administrator. If you have permission to export passwords through any or all of the export options, you will see the "Export Passwords" button at the right-hand corner of the GUI in the 'Home' tab, the 'Resources' tab, the 'Resource Groups' tab, or all of these tabs (if you are an administrator/password administrator). If your role is 'Password User', you will see this option at the right-hand corner of the 'Enterprise' tab.
Option 1: Exporting resources in plain-text in a spreadsheet
- Click the link "Export Plain Text (.xls)" under the "Export Passwords" button
- The resources are exported to a file, which is shown in a pop-up
- Save the file in a secure location (in .xls format)
Note: If the resources/accounts/passwords contain non-English characters, the application in which you open the exported file must support UTF-8 encoding.
Option 2: Exporting passwords as encrypted HTML
- Click the link "Export Encrypted HTML (.html)" under the "Export Passwords" button
- In the UI that pops up, specify a passphrase that will be used for encrypting (AES-256) the HTML file for offline access. The passphrase must comply with the password policy enforced by your administrator. PMP does not store this passphrase anywhere, and we recommend that you do not store or write it down anywhere either. The contents cannot be read if you forget the passphrase, but you can create another offline file with a different passphrase. You can open this file in any web browser, supply the same passphrase and access the contents.
- Confirm the passphrase and also enter a reason for exporting the passwords
- The resources will be exported as an HTML file. Exporting takes some time, after which the offline copy is displayed in a pop-up in the GUI.
- Save the file in a secure location (in .html format)
Option 3: Automatically syncing the encrypted HTML to users' mobile devices through Dropbox
- Click the link "Sync Encrypted HTML to my Mobile" under the "Export Passwords" button
- When you attempt this option for the first time, you will be prompted to authorize PMP to sync with Dropbox. On clicking the "Authorize" button, you are redirected to the Dropbox service; after logging in to Dropbox, you have to authorize PMP to upload the password file to your Dropbox account. This is a safe, one-time procedure required for offline access to passwords on your mobile device.