...

Due to the number of rounds used, users may notice slowness or problems connecting to Vault Password Manager when logging in via certain browsers, such as legacy versions of Internet Explorer.  

Shared Vaults

Public Key Cryptography

Vault Password Manager uses RSA public key cryptography so that users can share Vaults containing credentials with Jira users synchronized through the Vault Password Manager application. Both admins and users can share vaults to give Jira organization users or groups suitable access without revealing the credentials themselves. Even though the data is shared through Vault Password Manager, it remains undecipherable to the platform.

RSA employs asymmetric key algorithms, wherein the encryption key differs from the decryption key. Each user possesses a pair of cryptographic keys: one public and one private. The public key can be shared with anyone for data encryption purposes, while the private key, accessible solely to the user, decrypts data encrypted using their public key.

Upon sharing a vault, a 256-bit encryption key is generated to encrypt the data stored in the shared vault. This encryption key is then encrypted with the public key of each individual invited to the shared vault and can only be decrypted with the invitee's corresponding private key. The private key is safeguarded by a salted master key hash (the salt being the user ID and Recovery Key). Each user device maintains its own distinct private and public key pair.

Account Recovery

Since the application does not save the user’s Application Password, it cannot provide conventional password reset options typically available on other web services.

If a user forgets their Application Password, Alpha Serve is unable to retrieve or reset it. However, users have two options:

  1. Self Recovery allows users to create a new Application Password and RECOVERY KEY if they possess an old RECOVERY KEY.

  2. Admin Account Recovery is a process that users can initiate, and any Jira Admins (Admin Group) can complete.

Recovery Key

On desktop browsers, a random Recovery Key is generated on the user's device during account setup. This key encrypts the Vault encryption key (re-generated at login) using AES-128 in CBC mode. The encrypted Vault key is then transmitted to Jira Forge servers, while the Recovery Key is stored locally on the device.

The encrypted Vault key cannot be retrieved from Vault Password Manager until the user initiates account recovery. The encrypted vault key on the Vault Password Manager servers remains secure, as the recovery key is never shared with VAULT.

When Account Recovery is requested and approved by a Jira admin, the encrypted Vault key is downloaded and decrypted locally on the user's computer using the Recovery Key. The user sets a new Application Password, generates a new Vault encryption key and a new login hash, and encrypts their Vault data with the new key. The previous encrypted files are removed from Vault Password Manager servers, rendering the old keys obsolete.

Admins holding the system roles ADMINISTER and SYSTEM_ADMIN may initiate the account recovery process, which allows the Application Password of an employee account to be changed.

Safeguarding the Client

The Vault Password Manager client operates as a Jira/browser app compatible with all major browsers on Windows, Mac, and Linux platforms. Communication between the client and Jira Forge (VAULT) servers uses TLS connections.

Browser-based connections receive additional protection through browser security measures. HTTP Strict Transport Security (HSTS) mandates all connections to use TLS, reducing the risks associated with downgrade attacks and misconfiguration. Content Security Policy headers offer extra defense against injection attacks, including cross-site scripting.