Storing credentials in local environments securely

Some applications require access to passwords stored in a plain text file. To mitigate security risks, it is recommended that you take the steps described in this article to prevent bad actors from accessing password text files.

Mitigation strategies for plain text passwords

If storing passwords in a plain text file is unavoidable due to application constraints, consider the following security measures described in this section.

Restricting file access with strict permissions

Ensure that only the necessary users and processes have read access to the file.

Use OS-level access controls (e.g., Linux chmod and chown or Windows NTFS permissions).

Linux example

bashCopyEditchmod 600 /path/to/password-file # Read-write for owner onlychown root:appuser /path/to/password-file

Windows example

Uses icacls to set permissions.

powershellCopyEditicacls C:\path\to\password-file /inheritance:r /grant:r "Administrator:(R)"

Protecting backups and logs

Ensure that backups do not include the password file in plain text. Disable logging of sensitive data by configuring logging frameworks appropriately.

Storing the password text file

The following are recommendations for storing the password text file:

Do not store the file in a public, shared, or user-accessible directory, such as Desktop, Downloads, or network share.
Store the password file in a secure, isolated location in a dedicated, non-shared directory.
Store in an encrypted partition, for example LUKS on Linux and BitLocker on Windows.
Store with restricted access, for example:
- Linux (with root-only access): /etc/app_secrets/
- On Windows (with admin-only access): C:\ProgramData\AppSecrets\

Ensuring laptop security controls

Because a laptop is used by one person, employ these security measures that are related to the user's actions and habits:

Enable full-disk encryption (BitLocker for Windows, LUKS for Linux, FileVault for Mac). This protects the data in the event the laptop is lost or stolen.
Enforce the use of strong login passwords and multi-factor authentication (MFA).
Enforce user locking of the laptop when unattended.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.