Credential Vault
The central credential store on the SHA: encrypted at rest, scoped per appliance, with connection tests - and every supported credential type and its options.
Overview
The Credential Vault is the single central credential store on the SHA, managed under Settings, Credentials. All source-platform, storage, identity, and notification credentials live there.
Credentials are encrypted at rest with AES-256, are never displayed back after saving (sensitive fields show as a masked value), and every action on them is audited. Managing the vault requires an authenticated login.
Scope Decides Which Appliance Uses A Credential
Every credential has a scope that determines which SNA uses it. Sites and appliances do not store credentials themselves - the association comes from the scope. Platform credentials are forwarded to the SNA only for the duration of a request and are never stored on it, so the SNA must be able to reach the source platform on the network.
Testing, Rotating, And Deleting
- Test: types that support it show a Test Connection control and store the result as a Verified, Failed, or Untested badge. NFS, CIFS/SMB, and Remote Host SSH validate inputs but do not run a live test.
- Rotate a password: edit the credential and enter only the new secret; blank fields keep their stored values.
- Deactivate: mark a credential inactive to stop it being used without deleting it.
- Delete: deletion is immediate and is not blocked when a credential is in use, so dependent operations fail at next use. Check usage first, and prefer deactivating when unsure.
No automatic rotation
Sendense does not rotate credentials on a schedule. Rotation is an operator action - edit the credential and enter the new secret.
Source Platform Credentials
Storage Credentials
Identity, Notification, And Host Access