I'm looking for secure methods to share service account passwords among admins in a completely on-prem environment. I've discovered some paid options like Password Safe and ManageEngine, but I'm curious if they're truly worth the investment. Are there other effective solutions people are using in regulated environments where cloud tools aren't an option? I'm eager to hear your thoughts and experiences. Thanks!
4 Answers
We've opted for multiple KeePass databases sorted by department. It’s a DIY approach but it allows us to control access tightly. However, keep in mind, it requires some script work to maintain passwords actively.
If you're considering paid tools, understand that many are designed for cloud but do offer self-hosted options, like Keeper and Hashicorp Vault. CyberArk is also available but tends to be pricey and complicated for what it offers.
Indeed, CyberArk can be quite a headache based on my experience. It ticks regulatory boxes, but using it can be frustrating.
What about considering Group Managed Service Accounts (gMSA)? They simplify account management by eliminating the need to share passwords altogether, as they don't require a password to function.
I completely agree! It's a great way to avoid the hassle of password sharing.
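The gMSA approach described in the answer above, as an added example that is not from the thread or from any of the products mentioned: provisioning a group managed service account so a Windows service runs under an identity whose password is generated and rotated by Active Directory and is never handed to an admin. It uses the ActiveDirectory RSAT module and `sc.exe`, which ship with Windows. The domain `corp.example.com`, the host group `svc-backup-hosts`, the member servers `APP01`/`APP02`, the account `svc-backup` and the service `BackupAgent` are assumed names for illustration.

```powershell
# Added example, not code from the original thread. Run the provisioning part on a
# management host with RSAT as a domain admin (Add-KdsRootKey needs Enterprise Admin);
# run the Install-/Test-ADServiceAccount and sc.exe part on each member server.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which DCs derive gMSA passwords.
# Even with -EffectiveImmediately, wait ~10 hours for replication before creating
# accounts in a multi-DC domain; only a single-DC lab can skip that wait.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Scope password retrieval to an AD group containing only the hosts that run the
# service. Any local admin on a member of this group can retrieve the password,
# so this group is the real access boundary; keep it minimal. (Assumed group name.)
$hostGroup = 'svc-backup-hosts'
if (-not (Get-ADGroup -Filter "Name -eq '$hostGroup'")) {
    New-ADGroup -Name $hostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity 'APP01'), (Get-ADComputer -Identity 'APP02')

# Create the gMSA. AD generates a random 240-byte password and rotates it on the
# interval below (30 days is the default); the interval can only be set at creation.
# No human ever sees or types this password. (Assumed DNS name and domain.)
New-ADServiceAccount -Name 'svc-backup' `
    -DNSHostName 'svc-backup.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30

# --- On each member server, after a reboot so the host's Kerberos ticket carries the
# --- new group membership:
Install-ADServiceAccount -Identity 'svc-backup'
Test-ADServiceAccount -Identity 'svc-backup'   # True means the host can retrieve the password

# Bind the service to the gMSA. The trailing '$' is required and the password is
# deliberately empty: the Service Control Manager fetches it from AD at start-up.
# (Assumed service name.)
sc.exe config BackupAgent obj= 'CORP\svc-backup$' password= ''
Restart-Service -Name BackupAgent
```

Two caveats a practitioner should weigh before treating this as the answer to the original question: a gMSA only works for Windows services, scheduled tasks, IIS application pools and other consumers that support it, so credentials for appliances, databases and non-Windows systems still need a vault; and the secret does still exist, it is just held by AD and readable by whatever principals are in `PrincipalsAllowedToRetrieveManagedPassword`, so that list, not the absence of a typed password, is what you audit.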
Have you considered using locally hosted solutions like Vaultwarden or Bitwarden? They can be quite effective for managing service account credentials securely.
Passwordstate is also a great locally hosted option that gets good feedback.
I use Vaultwarden daily, and it works perfectly for my needs!

This method works well for us, and we've had success with red team tests not uncovering the databases.