Credential Management in Bomgar Remote Support (On-Premises)

Credential Management with Bomgar Vault

Bomgar Vault is an on-appliance credential store, enabling discovery of and access to privileged credentials. You can manually add privileged credentials, or you can use the built-in discovery tool to scan and import Active Directory and local accounts into Bomgar Vault.

Bomgar Vault fits seamlessly with service desk workflow because it is integrated directly with the Remote Support solution. Technicians do not have to learn to use another tool or even exit Bomgar to retrieve passwords. With just one click in the Bomgar representative console, users can simply select the correct credential from the dropdown and log directly into a remote system - without ever having to know or even see the actual password.

Frequently Asked Questions about Bomgar Vault

What communication pathways are used with Bomgar Vault (ports, protocols, connection types, etc.)?

  • Active Directory and Discovery:
    • By default, discovery occurs over LDAP via the Active Directory Service Interface (ADSI) on port 389.
    • If LDAPS is enabled, Active Directory queries run over LDAP under an SSL/TLS layer on port 636, unless another port is specified. This transport-layer security encrypts all data communicated to and from Active Directory.
  • Windows Local Discovery:
    • Local Windows accounts are discovered via a series of calls directly to Windows APIs.
    • These APIs use Remote Procedure Calls (RPCs) and named pipes as the network protocol.
    • The RPC process translates the request parameters as well as any response data into a standard, encoded format for transmission.
    • Protection is negotiated at the operating system level.
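One check a defender can run against these pathways is to confirm that a Jumpoint's Active Directory discovery actually leaves the box over LDAPS (636) rather than the default plaintext LDAP (389). The script below is an added example, not Bomgar code; the log format, the Jumpoint and domain controller addresses, and the sample lines are all constructed for illustration.

```python
"""Flag Bomgar Vault AD discovery traffic that a Jumpoint sends over plaintext LDAP (389)
instead of LDAPS (636). Added example; host addresses and log format are constructed."""
import re
from dataclasses import dataclass

LDAP_PORT = 389    # default ADSI/LDAP discovery, no transport encryption
LDAPS_PORT = 636   # LDAP under SSL/TLS when LDAPS is enabled (default LDAPS port)

# Hypothetical inventory (assumption, not from the page): Jumpoint hosts and domain controllers
JUMPOINTS = {"10.0.5.20"}
DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}

# Constructed firewall log lines in a simple key=value form
SAMPLE_LOG = """\
ts=2024-03-01T10:00:01Z src=10.0.5.20 dst=10.0.1.10 dport=389 proto=tcp action=allow
ts=2024-03-01T10:00:02Z src=10.0.5.20 dst=10.0.1.11 dport=636 proto=tcp action=allow
ts=2024-03-01T10:00:03Z src=10.0.7.33 dst=10.0.1.10 dport=389 proto=tcp action=allow
ts=2024-03-01T10:00:04Z src=10.0.5.20 dst=10.0.1.10 dport=443 proto=tcp action=allow
"""

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+) action=(\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    message: str


def audit_discovery_traffic(log_text, jumpoints=JUMPOINTS, dcs=DOMAIN_CONTROLLERS):
    """Return one Finding per allowed Jumpoint -> DC flow on an LDAP port.
    Plaintext LDAP (389) is rated high; LDAPS (636) is recorded as informational.
    Flows from non-Jumpoint sources or to other ports are ignored."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, src, dst, dport, _proto, action = m.groups()
        dport = int(dport)
        if src not in jumpoints or dst not in dcs or action != "allow":
            continue
        if dport == LDAP_PORT:
            findings.append(Finding(ts, src, dst, dport, "high",
                                    "AD discovery over plaintext LDAP; enable LDAPS on the Jumpoint"))
        elif dport == LDAPS_PORT:
            findings.append(Finding(ts, src, dst, dport, "info", "AD discovery over LDAPS"))
    return findings
```

Run against real firewall or flow logs, any "high" finding means a Jumpoint is still querying Active Directory without the SSL/TLS layer described above.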

Where does encryption for Bomgar Vault occur?

  • Passwords and private SSH keys are encrypted at rest using AES-256-GCM in addition to any full disk encryption enabled for the Bomgar Appliance.
  • Passwords and private SSH keys are encrypted in transit using an ephemeral public+private key pair when used for injection. This encryption occurs in addition to Remote Support's use of TLS to encrypt communication among all Bomgar components, such as the appliance, Jumpoint, customer client, etc.
  • Passwords are encrypted in transit by TLS.
  • Passwords used by Jumpoints to authenticate with Active Directory are never sent in plaintext to Active Directory.

Where is the Vault encryption key stored? Can it be accessed via /login or /appliance?

  • The Vault encryption key is needed to decrypt credentials managed by Bomgar Vault. This key is stored on disk in your Bomgar Appliance.
  • For added security and protection, check out Bomgar Remote Support's Data at Rest Encryption functionality at .
  • The encryption key can be backed up by going to /login > Management > Software Management > Backup Vault Encryption Key. The backup file format used for the encryption key is the same .nsb file format used for configuration and reporting data.

Is the Bomgar application database encrypted, and if so, how?

  • Bomgar Vault stores data in an encrypted format in the database. If full disk encryption is enabled for your Bomgar Appliance, the Bomgar application database is also encrypted. However, this is independent of the encryption performed by Bomgar Vault.

What best practices are recommended to maintain the highest level of security across all points of connection (discovery, injection, support, etc.)?

  • Bomgar recommends using a valid CA-signed SSL certificate to protect communication among all Bomgar components.
  • Jumpoints should run on a system only a few privileged users have permissions to access.

For more information about Jumpoints, please see Remote Support Jumpoint Guide: Unattended Access to Computers in a Network.

Note: At this time, there are no user-visible security settings for Bomgar Vault.