How to easily manage passwords stored across multiple spaces in Confluence

Thank you for the useful post! 

May I know why we need to collect it in Confluence instead of web-based password managers like passbolt with link special place, or other popular manager keepass , lastpass? 

Cheers,

Gonchik Tsymzhitov

Glad to know it's useful for you! :)

Here are some reasons why:

• It's right at where your team collaborates, so it's contextual.
• You can use Confluence's user and group management to manage access.
• One less external system to maintain (hooray!) when you're already using Confluence
• And reduce that nasty, accidental copy-and-paste of passwords in Confluence!

@Hanis Khaidir [ServiceRocket] Thank you for explaining reasons,

I will be happy if you provide more technical info, like how it is stored in DB, what about which algorithms located used for encrypting it. 

Interesting post. Many thanks 

@Gonchik Tsymzhitov Here's a simple diagram that shows how the encryption works:

Credentials are never sent as plain text and is encrypted using PGP, AES and other security measures. The Secure Info is client specific and is only used to reconfirm the identity and re-authenticate the requesting user.

@Hanis Khaidir [ServiceRocket] Thanks 

Now I started to see OpenPGP message:) 

And one small question why message show me version 1.6.2? IS it trick?

When it will be latest library  https://github.com/openpgpjs/openpgpjs/releases ? 

For example Passbolt for show me OpenPGP 3.0.2 version on test env :  https://www.passbolt.com/release/notes

Cheers,

Gonchik Tsymzhitov

@Gonchik Tsymzhitov we're working on updating that :)

Hello,

We'd love to use your app, I think it's a great approach for any company that already uses Confluence and would like to avoid adding another tool for collaborative password management.

but we're using SSO, so our users don't know their Confluence password.

Any plans for compatibility with SSO in the future?

@Philippe Garcia - absolutely. We're discovering ways to do this. Rather than asking you some questions here, would you mind to fill out a quick survey on this at https://servicerocket.typeform.com/to/Y6MtDq ? Cheers.

@Philippe Garcia just letting you know that the SSO support is already available in the Server/DC app.

And for the rest of the readers here, this app is now available for Cloud too! https://marketplace.atlassian.com/apps/6484/security-and-encryption-for-confluence?hosting=cloud&tab=overview Enjoy!

@Azwandi _ServiceRocket_ , I'm testing the secret-plugin for the cloud-version. I understand that it end-to-end encrypts the text, but I understand that the cloud-databases are encrypted (at rest): https://community.atlassian.com/t5/Confluence-questions/Is-data-at-rest-encrypted-for-Atlassian-cloud-services/qaq-p/159469

And data is encrypted by SSL as well. So it's already decrypted at the browser only. 

The biggest security-issue for us would be some hack that acts as the user. Either some teamviewer/logmein-style tool or dangerous chrome-plugin, whatever. The only solution I could think of is to limit the number of secrets that can be revealed (e.g. per hour) or enter a password to reveal the secret.  

Another thing is that I suppose it makes us depending on your infrastructure, is that right? Do I read from the diagram above 'database' is not the  Confluence-cloud database, but yours? 

So, exactly, what security issues (besides the audit, which is a huge benefit at itself) does this plugin solve exactly?
Thank you!
Robert