1.12 Enhanced Protection

SecretStore includes an optional enhanced protection setting that a user can apply to each secret. Enhanced protection means that a user's secret is not only protected from the view of others but also becomes locked when an administrator changes the user's eDirectory password or other login credentials.

For example, suppose a network administrator attempted to view another user's secrets by changing the user's eDirectory password and then logging in as that user using the new password. The administrator would be unable to view the secrets that are flagged with enhanced protection because the SecretStore becomes locked. If the administrator attempted to unlock the secrets, he or she would be prompted to enter the user's previous eDirectory password, rather than the new one that the administrator created.

Secrets can be unlocked with the last valid eDirectory password that the user entered using a user-initiated Change Password request. As a result, even if the user or administrator changes the eDirectory password several times after the secrets have been locked, the status of the locked secrets is not affected.

The other method of unlocking the SecretStore is to supply the SecretStore Master Password. The Master Password is designed to prevent the loss of secrets when the administrator changed the password because the user forgot the eDirectory password. The user should set the Master Password before the SecretStore becomes locked. The Master Password is also the method for unlocking the store if the administrator changed non-password login credentials (for example, by issuing a new Smart Card, Proximity Card, or similar device).

In addition, SecretStore supports an optional password that must be validated before access to a particular application secret is granted. These optional passwords are set by applications and are used in conjunction with the enhanced protection feature as an additional access control on the secret. A password can be set when the secret is created and must then be supplied when the secret is retrieved. These passwords can be at most 64 characters long. This additional access control allows an application to prevent other applications running as the same user from reading its secret.

To read secrets that have enhanced protection turned on and that use the optional enhanced protection password, the application must provide that password when reading the secret from the SecretStore. Failing to provide the password that was used when the secret was created results in an NSSS_E_EP_ACCESS_DENIED error. Consequently, other applications or rogue programs cannot read enhanced-protection secrets that carry an enhanced protection password.

Another Enhanced Protection feature is the ability to create hidden secrets. These secrets are not shown when NSSSEnumerateSecretIDs is called; NSSSGetServiceInformation returns their count. An application that creates a hidden secret can read it only by supplying its SecretID, which was used to create the secret and is known only to that application. Without knowing the SecretID, the only way to remove a hidden secret is to remove the SecretStore.
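The following is an added model of the rules described in this section (locking on an administrative password change, unlocking with the last user-chosen password or the Master Password, the per-secret enhanced protection password, and hidden secrets); it is not SecretStore code and does not call the NSSS* API. The class and method names, the salted-hash credential check, and the "LOCKED" and "OK" status labels are assumptions made for the model; only NSSS_E_EP_ACCESS_DENIED comes from the documentation.

```python
import hashlib, hmac, os
from dataclasses import dataclass
def _digest(password, salt):
    # Constructed stand-in for eDirectory's credential check (model only).
    return hashlib.sha256(salt + password.encode("utf-8")).digest()
@dataclass
class Secret:
    value: str
    enhanced: bool = False   # enhanced protection flag
    ep_password: str = None  # optional application password (max 64 chars)
    hidden: bool = False     # not listed by enumeration
class SecretStoreModel:   # hypothetical model of the locking rules, not the NSSS* API
    def __init__(self, user_password):
        self.salt = os.urandom(16)
        self.last_user_pw = _digest(user_password, self.salt)  # last user-initiated password
        self.master_pw, self.locked, self.secrets = None, False, {}
    def set_master_password(self, password):
        if self.locked:          # must be set before the store is locked
            return False
        self.master_pw = _digest(password, self.salt)
        return True
    def user_change_password(self, old, new):
        if not hmac.compare_digest(self.last_user_pw, _digest(old, self.salt)):
            return False
        self.last_user_pw = _digest(new, self.salt)  # becomes the unlock credential
        return True
    def admin_reset_password(self, new):
        # Locks enhanced-protection secrets; the administrator's new password never unlocks them.
        self.locked = True
    def unlock(self, credential):
        given = _digest(credential, self.salt)
        ok = hmac.compare_digest(given, self.last_user_pw) or (
            self.master_pw is not None and hmac.compare_digest(given, self.master_pw))
        self.locked = self.locked and not ok
        return ok
    def write(self, secret_id, secret):
        if secret.ep_password is not None and len(secret.ep_password) > 64:
            return False
        self.secrets[secret_id] = secret
        return True
    def enumerate_secret_ids(self):
        return [sid for sid, s in self.secrets.items() if not s.hidden]
    def read(self, secret_id, ep_password=None):
        # Returns (status, value); "LOCKED" and "OK" are constructed labels, not NSSS codes.
        s = self.secrets[secret_id]
        if s.enhanced and self.locked:
            return "LOCKED", None
        if s.ep_password is not None and ep_password != s.ep_password:
            return "NSSS_E_EP_ACCESS_DENIED", None
        return "OK", s.value
```

Note that repeated administrative resets leave the unlock credential unchanged, so a reset password can be tried any number of times without unlocking the enhanced-protection secrets.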