Tanflow PAM · Capability
Credential Vault
Privileged passwords live encrypted in the vault, rotate on schedule, and are injected into sessions - no human ever needs to know root again.
Overview
Centralise every privileged credential
The vault is the heart of Tanflow PAM: AES-256 encrypted storage for every privileged credential - root passwords, Windows admin accounts, database users, SSH keys - with check-out workflows, automatic rotation and seamless injection into gateway sessions.
AES-256 encryption at rest with strict role-based access to vault entries; every retrieval is logged.
Rotate passwords and SSH keys on schedule or after every use - targets updated automatically through the gateway.
Credentials flow from vault to target inside the session broker. The connecting user never sees, copies or types them.
Where explicit release is required, time-boxed exclusive check-out with automatic rotation on check-in.
Sealed emergency credentials with multi-approver unlock and mandatory post-incident review.
Inventory and rotate the non-human credentials scattered through scripts, schedulers and integrations.
Why it matters
Outcomes you can put in front of an auditor
- Compromised-credential blast radius collapses - passwords rotate and were never shared
- Leaver risk eliminated: people leave, credentials rotate, access dies
- Every credential retrieval attributable to a named person and purpose
- Break-glass procedures that stand up to audit scrutiny
- Direct evidence for PCI DSS Req. 7/8, ISO 27001 A.9 and RBI credential-management asks
Part of Tanflow PAM
This capability is built into Tanflow PAM - the zero-agent privileged access platform that deploys in 2-4 weeks on your infrastructure.
Explore the full platform →FAQ
Common questions
Where do the encryption keys live?
In your deployment, under your control - with support for hardware-backed key storage where available. Tanflow is an on-premises platform; no vault material ever leaves your environment.
Can applications retrieve credentials programmatically?
Yes - a scoped, authenticated API lets applications and scripts fetch short-lived credentials instead of embedding passwords in code.
See Credential Vault in action
A focused demo against your environment and your compliance requirements.