Managing the credential vault

The appliance credentials used to log in to discovery targets, synchronize to the CMDB, and export data using adapters are stored in a vault that is encrypted with a default passphrase when the appliance is built. If the passphrase is lost, the contents of the vault cannot be recovered. The default vault passphrase is persisted on the appliance and is common to all appliances. It is therefore highly recommended, and considered security best practice, to secure the vault with a manually entered passphrase. Without a manually entered passphrase, the vault is guarded only against casual inspection, and vault security depends on Linux command line security.

You can configure a replacement passphrase for the appliance vault instead of using the default. However, we strongly recommend that you use the default to avoid any access issues due to an incorrect passphrase. Once configured, the passphrase is required every time the discovery process is run.

When the passphrase is set, the vault is automatically in a locked state when the appliance starts, and requires the passphrase to be unlocked. The encryption key used for encrypting the vault is derived from the passphrase. The passphrase can be stored on the appliance, which enables you to perform scans when the credential vault is open, without re-entering the passphrase. If the passphrase is saved, it is stored in the vault. If the vault is closed, you must enter the passphrase manually to open the vault.

The default passphrase is a random string of 64 characters (512 bits), which is used to generate a 256-bit key. If you decide to use a manually entered passphrase, ensure that it is of at least similar complexity, or that it is changed at regular intervals. The content of the vault is secured using 256-bit AES encryption in CBC mode.
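The following added example (not BMC code) shows how long a randomly generated passphrase must be to carry at least as much entropy as the 256-bit key derived from it, and generates one with a CSPRNG. The page does not name the key derivation function, so PBKDF2-HMAC-SHA256, the iteration count, and all function names here are assumptions for illustration.

```python
import hashlib
import math
import secrets
import string

KEY_BITS = 256  # AES-256 key size stated on the page


def min_length(alphabet_size: int, target_bits: int = KEY_BITS) -> int:
    """Fewest uniformly random symbols whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def effective_bits(length: int, alphabet_size: int) -> float:
    """Strength of a random passphrase once it feeds a 256-bit key.

    Entropy beyond the key size adds nothing, so the result is capped.
    Only valid for passphrases chosen uniformly at random.
    """
    return min(length * math.log2(alphabet_size), KEY_BITS)


def generate_passphrase(alphabet: str = string.ascii_letters + string.digits,
                        target_bits: int = KEY_BITS) -> str:
    """Random passphrase from a CSPRNG with at least target_bits of entropy."""
    symbols = sorted(set(alphabet))  # drop duplicates so every symbol is equally likely
    n = min_length(len(symbols), target_bits)
    return "".join(secrets.choice(symbols) for _ in range(n))


def derive_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """ASSUMPTION: PBKDF2-HMAC-SHA256 stands in for the product's unnamed KDF."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=KEY_BITS // 8)


if __name__ == "__main__":
    for name, size in [("hex", 16), ("alphanumeric", 62),
                       ("printable ASCII", 94), ("7776-word list", 7776)]:
        print(f"{name:16s} needs {min_length(size):3d} random symbols for {KEY_BITS} bits")
    print("12 printable chars give only",
          round(effective_bits(12, 94), 1), "bits")
    pw = generate_passphrase()
    salt = secrets.token_bytes(16)  # constructed sample salt
    print("generated:", pw)
    print("derived key:", derive_key(pw, salt).hex())
```

The derived key depends on every character of the passphrase, which is why a lost passphrase cannot be recovered from the vault contents.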

Only users with Discovery or Administration privileges have read/write access to the vault, with read access limited to non-sensitive information only (passwords can never be seen in the UI or at the command line).

For further details, see Information security.


Credentials are not shared between vaults. That is:

  • A discovery scan from an appliance can only use credentials from its own vault.
  • A discovery scan from a BMC Discovery Outpost can only use credentials from its own vault.

The credential vault can be open or closed. If no passphrase is set or the passphrase is saved, the vault is opened automatically when BMC Discovery starts. If a passphrase has been set and not saved, you are prompted to enter it before Discovery can begin. While the vault is open, BMC Discovery can use the credentials stored in it to access devices.

When BMC Discovery is stopped, the vault is automatically closed if a passphrase is set and has not been saved. You can close the vault while the discovery process is in progress. This will prevent access to further devices during the current discovery runs.

Whenever a credential is added, removed, or changed, the vault is backed up. No more than two copies of the vault are held as backups. When the vault passphrase is added, changed, or removed, all backups are deleted, ensuring that no backups of potentially less secure vaults are retained on the system.

To manage the credential vault

  1. From the main menu, click the Administration icon.
    The Administration page is displayed.
  2. From the Discovery section, click Vault Management.
    The Vault management page is displayed.

From the Vault management page you can open or close the credential vault and specify a passphrase to secure it. You can also change the passphrase or remove it.


If you set a passphrase for the credential vault, ensure that you remember it or store it securely. If you lose or forget the passphrase, you cannot reset or recover it. To regain access to the vault, you must empty the vault, causing a loss of credentials stored in it.

Setting a passphrase

To set a passphrase:

  1. Enter the new passphrase in the New Passphrase field.
  2. Repeat it in the Verify New Passphrase field.
  3. Optionally, select Save Passphrase to save the passphrase so that it is not required whenever scanning is enabled. You must still enter a passphrase to open a closed credential vault.
  4. Click Set Passphrase.
    The passphrase is now set.

Changing a passphrase

To change a passphrase:

  1. Enter the new passphrase in the New Passphrase field.
  2. Repeat it in the Verify New Passphrase field.
  3. Click Change Passphrase.
    The passphrase is now changed.


Setting or changing a passphrase does not change whether the vault is open or closed.

Clearing a passphrase

To clear a passphrase:

  1. Enter the current passphrase in the Current Passphrase field.
  2. Click Clear Passphrase.
    The passphrase is now cleared.

Opening the credential vault

To open a closed credential vault:

  • Enter the passphrase and click Open the Vault.
    You are requested to confirm the operation.

You can also open the credential vault from the Discovery Home page. When BMC Discovery is not running and the vault is closed, a Passphrase entry box is displayed above START LOCAL SCANS.

Closing the credential vault

To close the vault, it must be open and have the passphrase set:

  • Click Close the Vault.
    You are requested to confirm the operation.

You can also close the vault from the Discovery Home page. When BMC Discovery is running and a passphrase is set, stopping BMC Discovery also closes the vault.

See the following video (07:33), which explains how you can add, edit, test, and manage credentials. You can also explore the functioning of credential vaults and learn how to close, open, export, and import the vault.
