Credentials
The Credentials feature provides secure storage and management for credentials discovered or created during penetration testing engagements. All credential data is encrypted at rest using per-workspace encryption keys, and every access to full credential details is recorded in the workspace audit log.
How It Works
Credentials are stored within a workspace and can optionally be linked to a specific asset. When you store a credential, the username, password (or key material), and any notes are encrypted before being written to the database. The list view shows only masked usernames for security -- you must explicitly open a credential to see its full details, and doing so creates an audit log entry.
This design ensures that sensitive credential data is protected both at rest and in transit, while maintaining a clear audit trail of who accessed what and when.
Key Actions
Creating a Credential
Navigate to the Credentials section within your workspace and click Create Credential. Fill in the following fields:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive label for this credential (1--255 characters). |
| Type | Yes | The credential category (see types below). |
| Username | Yes | The username, key name, or identifier (1--500 characters). |
| Password / Key | Yes | The password, SSH key, API token, or certificate data (1--10,000 characters). |
| Notes | No | Additional context such as where the credential was found or how it was obtained (up to 50,000 characters). |
| Linked Asset | No | Optionally associate this credential with an asset in the workspace. |
Credential Types
| Type | Use Case |
|---|---|
| Domain | Active Directory or domain credentials |
| Local | Local system accounts |
| Service | Service accounts and application credentials |
| Database | Database connection credentials |
| Web | Web application login credentials |
| API Key | API tokens and keys |
| Other | Any credential that does not fit the above categories |
Creating, updating, and deleting credentials requires the EditAssets permission. Viewing the credential list and full details requires the ViewAssets permission.
Viewing the Credentials List
The credentials list displays a summary for each credential:
- Name -- the descriptive label you assigned
- Type -- the credential category
- Username (masked) -- the first three characters of the username followed by `***` (e.g., `adm***`)
- Linked Asset -- the associated asset, if any
- Created Date -- when the credential was added
Passwords and notes are never shown in the list view.
Viewing Full Credential Details
Click on a credential to open its detail view, which decrypts and displays all fields including the full username, password, and notes.
Every time you view the full details of a credential, it is recorded in the workspace audit log. This ensures accountability and compliance. The audit entry includes your user ID, the credential accessed, and a timestamp.
Linking Credentials to Assets
When creating or updating a credential, you can select an asset from the workspace to link it to. This association helps you track which credentials belong to which systems. The linked asset is shown in both the list and detail views. Only assets that belong to the current workspace can be linked.
Updating a Credential
Open a credential's detail view and click Edit. You can change any field including the type, username, password, notes, and linked asset. The updated values are re-encrypted before being saved. An audit log entry is created for the update.
Deleting a Credential
Open a credential and click Delete. This permanently removes the credential and its encrypted data. An audit log entry is created before deletion occurs.
Security
Hawkra applies multiple layers of protection to credential data:
- Encryption at rest: All sensitive fields (username, password, notes) are encrypted using a per-workspace Data Encryption Key (DEK). Each workspace has its own unique DEK, so compromising one workspace does not expose credentials in another.
- Masked display: The credentials list only shows a masked version of the username. Passwords and notes are never displayed in list views.
- Audit logging: Every time full credential details are viewed (`credential.view_sensitive`), created, updated, or deleted, an entry is written to the workspace audit log with the user ID, action, credential name, and client IP.
- Permission enforcement: Only workspace members with the appropriate permissions can access credential data.
Tips & Notes
- Use descriptive names that help you identify the credential without needing to view its full details (e.g., "DC01 Local Admin" or "Jenkins API Token").
- Link credentials to their associated assets to maintain clear documentation of your testing scope.
- Review the audit log periodically to verify that credential access patterns are appropriate.
- When a credential is no longer needed for the engagement, consider deleting it to minimize the amount of sensitive data stored.
- Credential types help you categorize and filter your collected credentials during reporting and remediation phases.
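The periodic audit log review suggested in the tips above can be scripted. The following is an added example, not Hawkra's own code: it assumes the audit log is available as JSON lines, and the field names, thresholds, and sample entries are constructed for illustration; only the `credential.view_sensitive` action name comes from this page.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. The JSON-lines layout and field names are assumptions;
# "example.other_action" is a placeholder for any non-view audit action.
SAMPLE_LOG = """\
{"timestamp": "2024-05-01T09:00:00+00:00", "user_id": "u-alice", "action": "credential.view_sensitive", "credential_name": "DC01 Local Admin", "client_ip": "10.0.0.5"}
{"timestamp": "2024-05-01T09:02:00+00:00", "user_id": "u-alice", "action": "credential.view_sensitive", "credential_name": "Jenkins API Token", "client_ip": "10.0.0.5"}
{"timestamp": "2024-05-01T09:03:00+00:00", "user_id": "u-alice", "action": "example.other_action", "credential_name": "Jenkins API Token", "client_ip": "10.0.0.5"}
{"timestamp": "2024-05-01T09:04:00+00:00", "user_id": "u-alice", "action": "credential.view_sensitive", "credential_name": "SQL01 sa", "client_ip": "10.0.0.5"}
{"timestamp": "2024-05-01T09:06:00+00:00", "user_id": "u-alice", "action": "credential.view_sensitive", "credential_name": "Intranet Web Login", "client_ip": "10.0.0.5"}
{"timestamp": "2024-05-01T09:00:00+00:00", "user_id": "u-bob", "action": "credential.view_sensitive", "credential_name": "DC01 Local Admin", "client_ip": "10.0.0.7"}
{"timestamp": "2024-05-01T13:00:00+00:00", "user_id": "u-bob", "action": "credential.view_sensitive", "credential_name": "DC01 Local Admin", "client_ip": "203.0.113.9"}
{"timestamp": "2024-05-01T10:00:00+00:00", "user_id": "u-carol", "action": "credential.view_sensitive", "credential_name": "SQL01 sa", "client_ip": "10.0.0.8"}
"""

def review_views(log_text, max_distinct=3, window=timedelta(minutes=10)):
    """Flag users whose full-detail credential views deserve a second look."""
    views = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry["action"] != "credential.view_sensitive":
            continue  # only full-detail views are reviewed here
        ts = datetime.fromisoformat(entry["timestamp"])
        views[entry["user_id"]].append((ts, entry["credential_name"], entry["client_ip"]))

    findings = []
    for user, events in sorted(views.items()):
        events.sort()
        # Sliding window: distinct credentials opened within `window` of each view.
        for i, (start, _, _) in enumerate(events):
            names = {name for ts, name, _ in events[i:] if ts - start <= window}
            if len(names) > max_distinct:
                findings.append((user, "burst", len(names)))
                break
        # The same account viewing secrets from several client IPs is worth confirming.
        ips = {ip for _, _, ip in events}
        if len(ips) > 1:
            findings.append((user, "multiple_client_ips", len(ips)))
    return findings

if __name__ == "__main__":
    for finding in review_views(SAMPLE_LOG):
        print(finding)
```

Tune `max_distinct` and `window` to the engagement: a tester actively working through a host list will legitimately open several credentials in a short period.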