Seal passwords

I’ve seen Enterprise Vaults that support a feature that is called sealing. Usually it works as follows:

  • A shared credential is marked as sealed
  • Accessing this credential requires breaking the seal
  • Breaking the seal notifies all persons with access to the secret that it was accessed by $user

This is useful for emergency or highly critical accounts that mustn’t be used unless there are no other alternatives, e.g. a rescue Domain Admin or local root accounts of virtualization infrastructure.

For implementing this in bitwarden, it may look like this:

  • A shared secret has a flag “Sealed”. Enabling it warns the user about the implications (a sealed secret can only be accessed while online, and accessing it notifies all other users of this secret), which have to be acknowledged
  • A sealed secret mustn’t be synced to a client; accessing it needs server approval (e.g. in the form of a key for decryption)
  • Accessing a sealed secret notifies all other users that have access to it. A log entry is also created
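To make the three points above concrete, here is a small server-side model of the flow (an added example, not code from Bitwarden or from the original post): the vault server keeps the decryption key for a sealed item and never includes it in a client sync, releases it only on an explicit, acknowledged break-seal request from a member, and writes an audit entry plus a notification to every other member. The class and method names (`VaultServer`, `break_seal`, `sync`) and the one-time-pad stand-in for the real item encryption are assumptions made for the illustration.

```python
"""Model of a 'sealed' shared credential: key held server-side, released only
on an acknowledged break-seal, with audit log and notification fan-out.
Constructed example; names are assumptions, not a real vault API."""
from dataclasses import dataclass
from datetime import datetime, timezone
import os


class SealRefused(Exception):
    """Raised when a break-seal request does not satisfy the policy."""


@dataclass
class SealedSecret:
    name: str
    ciphertext: bytes
    key: bytes               # stays on the server; never part of a client sync
    members: frozenset       # users who share this secret
    sealed: bool = True


def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Stand-in for the vault's real item encryption: a one-time pad with a
    # random key as long as the plaintext, so the same call decrypts.
    return bytes(a ^ b for a, b in zip(data, key))


class VaultServer:
    def __init__(self):
        self.secrets = {}
        self.audit_log = []  # append-only record of every seal break
        self.inbox = {}      # user -> notifications delivered to that user

    def store(self, name, plaintext: bytes, members, sealed=True):
        key = os.urandom(len(plaintext))
        self.secrets[name] = SealedSecret(
            name, xor_bytes(plaintext, key), key, frozenset(members), sealed)

    def sync(self, user):
        """What a client receives on sync: the key for ordinary items,
        ciphertext only (no key) for sealed ones, so offline use is impossible."""
        view = {}
        for s in self.secrets.values():
            if user in s.members:
                view[s.name] = {"sealed": s.sealed, "ciphertext": s.ciphertext,
                                "key": None if s.sealed else s.key}
        return view

    def break_seal(self, name, user, acknowledged, reason=""):
        """Server approval step: returns the decryption key after logging and
        notifying all other members. Refuses non-members and unacknowledged requests."""
        s = self.secrets[name]
        if user not in s.members:
            raise SealRefused(f"{user} has no access to {name}")
        if not s.sealed:
            return s.key
        if not acknowledged:
            raise SealRefused("breaking a seal requires explicit acknowledgement")
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "secret": name, "user": user, "reason": reason})
        for other in s.members - {user}:
            self.inbox.setdefault(other, []).append(
                f"{user} broke the seal on '{name}': {reason}")
        return s.key


def demo():
    """Walk through the flow with constructed data; returns pieces for inspection."""
    server = VaultServer()
    server.store("rescue-domain-admin", b"Rescue-P@ss-constructed",
                 {"alice", "bob", "carol"})
    view = server.sync("alice")                       # no key for the sealed item
    key = server.break_seal("rescue-domain-admin", "alice",
                            acknowledged=True, reason="DC outage")
    plaintext = xor_bytes(view["rescue-domain-admin"]["ciphertext"], key)
    return server, view, plaintext


if __name__ == "__main__":
    srv, _, pt = demo()
    print(pt, srv.audit_log, srv.inbox)
```

The important property is that `sync` alone never yields a usable credential for a sealed item; the key exists only in the `break_seal` response, which cannot happen without the server recording who asked and telling everyone else.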

I’ve seen a lot of feature requests from businesses regarding password management solutions, and sealing is quite a common one.