
Credential Vault Security

Overview

The Credential Vault is a microservice dedicated to the secure handling of sensitive keys and credentials used during pentesting sessions. It ensures that credentials are decrypted only when needed and, while in use, are held only in volatile memory (RAM), never on persistent storage.

Design

flowchart LR
    %% Actor
    User[User]

    %% Core Services
    N8N[n8n Workflow Engine]
    PG[(PostgreSQL<br>Encrypted Credentials)]
    Vault[Credential Vault API<br>Fernet + HTTPS]
    Kali[Kali Linux Executor<br>Docker Container]

    %% Runtime Storage
    TmpFS[/tmp tmpfs<br>RAM only storage/]
    CredDir[/tmp/pentest_id/credentials<br>RAM only/]

    %% Auth
    APIKey[X-Api-Key<br>User scoped]

    %% Main Flow
    User -->|1. Create pentest with credentials| N8N
    N8N -->|pentest_id returned| User

    N8N -->|2. Store credentials<br>Fernet encrypted| PG

    N8N -->|3. Request credentials<br>HTTPS + X-Api-Key| Vault
    APIKey --> Vault
    Vault -->|Decrypt credentials<br>User access enforced| N8N
    Vault -->|Encrypted at rest| PG

    N8N -->|4. Ensure Linux user<br>Generate SSH key if missing| Kali

    Kali -->|5. Create isolated folder| TmpFS
    TmpFS -->|/tmp/pentest_id<br>uid gid restricted| CredDir

    N8N -->|6. Write credentials<br>RAM only never on disk| CredDir

    N8N -->|7. Execute commands<br>SSH user scoped| Kali

    %% Security Properties
    subgraph Security_Guarantees
        S1[Per pentest Linux user]
        S2[SSH execution per user<br>No privilege escalation]
        S3[tmpfs and dev shm<br>No persistent storage]
        S4[Credential access limited<br>by X-Api-Key ownership]
    end

    Kali --- S1
    Kali --- S2
    CredDir --- S3
    Vault --- S4

Security Guarantees

1. Encryption

  • Fernet Encryption: All data handled by the vault is encrypted using Fernet (AES-128 in CBC mode with HMAC-SHA256) before touching the database.
  • Key Management: A dedicated VAULT_MASTER_KEY is injected into the vault at runtime; the encrypted rows in PostgreSQL are unusable without it.

2. Ephemeral Storage

  • When credentials are required for a pentest (e.g. by a Kali agent), they are written to a tmpfs (RAM-only) volume.
  • No Disk Persistence: Sensitive credentials never touch the physical disk of the host or the container, mitigating forensic recovery risks.
  • Automatic Cleanup: Credentials in RAM are cleared after the task execution completes.
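Steps 5 and 6 of the design, plus the cleanup, as an added POSIX shell example (not the project's own code): the script refuses to proceed unless the base directory is tmpfs, creates BASE/PENTEST_ID/credentials with owner-only permissions, writes a credential file with mode 0600, and removes the whole tree when the task ends. It assumes `stat -f -c %T` (GNU coreutils or busybox) and a tmpfs base such as /dev/shm; the optional UID:GID argument models the uid/gid restriction in the diagram and is only applied when running as root.

```shell
#!/bin/sh
# Added example, not part of the vault project: manage a per-pentest
# credential directory that lives only on RAM-backed tmpfs.

# Accept only a simple identifier so a crafted pentest_id cannot escape BASE.
valid_pentest_id() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Succeed only when the filesystem holding $1 is tmpfs.
fs_is_tmpfs() {
    [ "$(stat -f -c %T "$1" 2>/dev/null)" = "tmpfs" ]
}

# prepare_cred_dir BASE PENTEST_ID [UID:GID]
# Creates BASE/PENTEST_ID/credentials (mode 0700) and prints its path.
# Fails if BASE is not tmpfs, so credentials can never land on disk.
prepare_cred_dir() {
    base=$1 pentest_id=$2 owner=${3:-}
    valid_pentest_id "$pentest_id" || { echo "rejected pentest_id" >&2; return 2; }
    if ! fs_is_tmpfs "$base"; then
        echo "$base is not tmpfs: credentials would reach disk" >&2
        return 1
    fi
    dir=$base/$pentest_id/credentials
    (umask 077 && mkdir -p "$dir") || return 1
    chmod 700 "$base/$pentest_id" "$dir" || return 1
    # Hand the tree to the per-pentest Linux user when we have the privilege.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$base/$pentest_id" || return 1
    fi
    printf '%s\n' "$dir"
}

# write_credential DIR NAME VALUE: owner-readable file (0600), no newline.
write_credential() {
    (umask 077 && printf '%s' "$3" > "$1/$2")
}

# cleanup_cred_dir BASE PENTEST_ID: drop the whole tree once the task ends.
cleanup_cred_dir() {
    valid_pentest_id "$2" || return 2   # never rm -rf an empty or odd path
    rm -rf "$1/$2"
}
```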

3. Access Control

  • Per-Pentest Isolation: Credentials are scoped to specific pentest IDs.
  • Strict API Access: Only authenticated services (Manager, n8n) presenting a valid X-Api-Key can request decryption, and the key's owner must match the pentest being accessed.