You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Create a Master Password

Introduction

When EmpowerID is installed in an environment, it generates a unique root certificate authority (CA). This CA issues personal certificates for encrypting and decrypting data linked to a person and for utilizing the Privileged Access Management (PAM) feature of EmpowerID. The first time a user creates a secret or attempts to check out shared credentials, EmpowerID prompts them to create a master password for encrypting and decrypting their secrets.

Understanding the Master Password Mechanism

When a user enters a password, it becomes that user's master password. EmpowerID then uses this master password to generate a certificate with a public/private key pair for the user. The public key is linked to the user, while the private key is encrypted with the master password using AES-256 encryption with PBKDF2 SHA-256 and salted hashes. For security, the master password is discarded immediately, and EmpowerID keeps no record of it. This ensures that only the user can access their credentials, because neither administrators nor the EmpowerID system can retrieve the master password.
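The mechanism described above, sketched as an added example in Node.js; it is not EmpowerID's own code. The RSA-2048 key type, AES-GCM mode, 16-byte salt, iteration count and all function names are assumptions, since the page specifies only AES-256, PBKDF2 with SHA-256 and salting.

```javascript
const nodeCrypto = require("node:crypto");

// Assumed parameters: the page names AES-256, PBKDF2 with SHA-256 and salting,
// but not the cipher mode, iteration count, salt size or key type.
const ITERATIONS = 600000;

function deriveKey(masterPassword, salt) {
  // 32 bytes of PBKDF2-HMAC-SHA256 output = one AES-256 key
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, ITERATIONS, 32, "sha256");
}

// Enrollment: create the key pair and wrap the private key under the password.
function enroll(masterPassword) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "der" },
  });
  const salt = nodeCrypto.randomBytes(16); // fresh per user
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const wrapped = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  // Only these fields are stored; the password and derived key are not kept.
  return { publicKey, salt, iv, wrapped, tag: cipher.getAuthTag() };
}

// Encrypting to the user needs only the stored public key.
function sealSecret(record, plaintext) {
  return nodeCrypto.publicEncrypt(record.publicKey, Buffer.from(plaintext, "utf8"));
}

// Decrypting needs the master password to unwrap the private key first.
function openSecret(record, masterPassword, sealed) {
  const key = deriveKey(masterPassword, record.salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, record.iv);
  decipher.setAuthTag(record.tag);
  // final() throws when the password, and so the derived key, is wrong
  const der = Buffer.concat([decipher.update(record.wrapped), decipher.final()]);
  const privateKey = nodeCrypto.createPrivateKey({ key: der, format: "der", type: "pkcs8" });
  return nodeCrypto.privateDecrypt(privateKey, sealed).toString("utf8");
}
```

Because the stored record holds no password or derived key, a lost master password leaves the wrapped private key unrecoverable from this data alone.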

Purpose of the Master Password

The master password is essential for establishing a PKI (Public Key Infrastructure) key associated with the user's identity, enabling data encryption and decryption. When using PAM for the first time or creating a secret, the user must generate a master password. Subsequently, the master password will be used to unlock passwords, secrets, or credentials.

Steps to Create a Master Password

  1. Using the EmpowerID navbar, navigate to Privileged Access > Secrets and Personal Creds.

  2. Select the Privileged Access tab and expand the Secrets accordion.

  3. Click Create Master Password.

     

  4. Enter a password in the Password and Confirm Password fields and click OK. Please note that this password cannot be the same as the password you use to authenticate to EmpowerID.

     

    You should see a message stating that the request has been completed. 

     
