I’ve seen enterprise vaults that support a feature called sealing. Usually it works as follows:
- A shared credential is marked as sealed
- Accessing this credential means breaking the seal
- Breaking the seal notifies all persons with access to the secret that the secret was accessed by $user
This is useful for emergency or highly critical accounts that must not be used unless there is no alternative, e.g. a rescue Domain Admin or the local root accounts of virtualization infrastructure.
To implement this in Bitwarden, it might look like this:
- A shared secret has a flag “Sealed”. Enabling it warns the user about the implications (breaking the seal is only possible while online and notifies all other users of this secret), and the warning has to be acknowledged
- A sealed secret must not be synced to a client; accessing it needs server approval (e.g. in the form of a key for decryption)
- Accessing a sealed secret notifies all other users that have access to the secret. A log entry is also created
I’ve seen a lot of business requirements for password management solutions, and sealing is quite a common one.
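To make the proposed flow concrete, here is a small server-side model of it. This is an added illustration written for this thread, not Bitwarden code and not an existing API: clients sync the ciphertext of every item they have access to, but the per-item key of a sealed item is withheld until the member calls the server, acknowledges the warning, and the server writes an audit entry and notifies every other member. The one-time-pad XOR stands in for a real cipher, and the item/user names are constructed sample data.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timezone


def _xor(a: bytes, b: bytes) -> bytes:
    """Stand-in cipher for the example: one-time pad over equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class SharedItem:
    item_id: str
    name: str
    ciphertext: bytes      # synced to every member's client
    key: bytes             # per-item key, held server-side while the item is sealed
    members: frozenset     # users with access to the item
    sealed: bool = False


@dataclass
class AuditEvent:
    when: datetime
    actor: str
    item_id: str
    action: str


def make_item(item_id, name, secret, members, sealed=False):
    """Encrypt a new shared item with a fresh per-item key (example helper)."""
    plaintext = secret.encode()
    key = os.urandom(len(plaintext))
    return SharedItem(item_id, name, _xor(plaintext, key), key, members, sealed)


class SealedVaultServer:
    """Server side of the sealing flow: sync never releases a sealed item's key;
    break_seal() does, after acknowledgement, logging and notification."""

    def __init__(self):
        self._items = {}
        self.audit_log = []
        self.inbox = {}    # user -> list of notification strings

    def add_item(self, item):
        self._items[item.item_id] = item

    def sync(self, user):
        """Payload a client receives on sync. Sealed items carry ciphertext but no key,
        so an offline client cannot reveal them."""
        payload = {}
        for item in self._items.values():
            if user not in item.members:
                continue
            payload[item.item_id] = {
                "name": item.name,
                "sealed": item.sealed,
                "ciphertext": item.ciphertext,
                "key": None if item.sealed else item.key,
            }
        return payload

    def break_seal(self, user, item_id, acknowledged=False):
        """Server approval step: returns the decryption key for a sealed item.
        Requires membership and an explicit acknowledgement of the warning."""
        item = self._items.get(item_id)
        if item is None or user not in item.members:
            raise PermissionError(f"{user} has no access to {item_id}")
        if not item.sealed:
            return item.key  # ordinary shared item, no ceremony
        if not acknowledged:
            raise ValueError("breaking a seal requires acknowledging the warning")
        self.audit_log.append(
            AuditEvent(datetime.now(timezone.utc), user, item_id, "seal_broken"))
        for other in item.members - {user}:
            self.inbox.setdefault(other, []).append(
                f"seal on '{item.name}' ({item_id}) was broken by {user}")
        return item.key


def demo():
    """Constructed walk-through: one sealed rescue account and one ordinary item."""
    server = SealedVaultServer()
    admins = frozenset({"alice", "bob", "carol"})
    server.add_item(make_item("itm-1", "Rescue Domain Admin", "R3scue!Adm1n", admins, sealed=True))
    server.add_item(make_item("itm-2", "Wiki service account", "wiki-pass", admins))

    synced = server.sync("alice")
    # The ordinary item is readable straight from the sync payload; the sealed one is not.
    wiki = _xor(synced["itm-2"]["ciphertext"], synced["itm-2"]["key"]).decode()
    sealed_key_synced = synced["itm-1"]["key"]

    # Breaking the seal while online releases the key, logs, and notifies the others.
    key = server.break_seal("alice", "itm-1", acknowledged=True)
    rescue = _xor(synced["itm-1"]["ciphertext"], key).decode()
    return {
        "wiki": wiki,
        "sealed_key_synced": sealed_key_synced,
        "rescue": rescue,
        "audit_actors": [e.actor for e in server.audit_log],
        "notified": sorted(server.inbox),
    }


if __name__ == "__main__":
    print(demo())
```

The acknowledgement is required at access time here; the server is the only party that can decide it happened, which is why a sealed secret cannot simply be synced and gated client-side.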