Automating Machine Credentials Management
The Center for University IT Rhineland-Palatinate (ZIT RLP), based in Koblenz, Germany, implements, operates, and supports central applications for seven higher education institutions in the region. Its core activities include advising on IT planning, coordinating software introductions with a focus on campus management, and ensuring data protection and IT security, among other tasks. It plays a vital role in maintaining the integrity and security of the digital infrastructure, which consists predominantly of Linux systems, Windows deployment, and management systems for higher education institutions. ZIT RLP operates around 450 VMs. The hosted universities collectively have about 40,000 students who, at some point during their studies, will use the campus management systems provided by ZIT RLP, with each university having its own instance of the system.
Before transitioning to Passbolt, ZIT RLP used the cloud-only 1Password. They were looking for an alternative that allows seamless management and sharing of machine credentials, also known as secrets, among team members. The majority of credentials managed are classic user/password credentials, accompanied by some API tokens and a few OpenPGP keys, while SSH private keys are stored on hardware tokens; the system therefore has to handle a diverse range of credential types. Their main use case is to add a new secret and then share it with a colleague, or to have colleagues request a machine credential.
Furthermore, the off-premise nature of 1Password and its operation outside the European Union posed challenges due to privacy concerns. ZIT RLP's requirements also included on-premises deployment and open-source code, giving them full control over the data and the system, including the ability to apply quick patches or customizations. Additionally, they wanted API functionality for automation in infrastructure operations and a streamlined solution for managing machine credentials effectively.
Passbolt stood up to the meticulous scrutiny of ZIT RLP, a team of IT experts, and met the high standards they require for managing secrets collaboratively. The collaboration features worked as advertised and were the main reason for choosing Passbolt. Ease of use for tech-savvy users, including access via a command line interface (CLI), was another significant factor.
ZIT RLP opted for the commercial edition of Passbolt because of its additional functionality. They host Passbolt on their own Linux-based infrastructure, which already provides services and operations and maintenance features such as databases, backups, and disaster recovery. Passbolt fit in very well and was easy to install. The manual migration from 1Password to Passbolt initially involved transferring 200 credentials. Once on Passbolt, the total number of unique secrets quickly grew to around 600, reflecting how easily they could manage and add new credentials with Passbolt.
With two teams comprising a total of 12 users, they have now been actively using Passbolt for one year. Despite having access to Passbolt's professional support, ZIT RLP's technical expertise enabled them to sort out everything independently, without needing to contact support.
Given the successful implementation and proven effectiveness of Passbolt, ZIT RLP has plans to leverage the API for automation with Puppet.
The adoption of Passbolt significantly streamlined the collaborative management of secrets at ZIT RLP. While Passbolt remains invisible to the end users of the infrastructure that ZIT RLP provides to the universities, it has contributed significantly to that infrastructure's uptime and to keeping it current through regular updates. This in turn has led to high satisfaction among IT professionals and decision-makers within ZIT RLP, who praise Passbolt's reliability.
Passbolt's user-friendly design and API functionality have saved time and made the management of machine credentials more efficient. The password collaboration features, a pivotal reason for choosing Passbolt, have proven effective in real-world use within the organization.