
# Security providers

{% tabs %}
{% tab title="Windows" %}
The ***Security Provider*** allows for encrypting the workspace content. To access the security provider, navigate to ***Administration – Security Provider***.

{% hint style="info" %}
This feature requires an [advanced workspace](https://docs.devolutions.net/rdm/workspaces/workspace-types/native-workspaces/).
{% endhint %}

Regardless of the selected security provider, passwords stored in workspaces are **ALWAYS** encrypted using 256-bit AES encryption.

When a Certificate security provider is configured in a published app environment (Citrix, RemoteApp, XenApp), the user who runs Remote Desktop Manager in that environment requires ***Read permission*** on the certificate.

If the ***Read permission*** is not correctly set, Remote Desktop Manager shows the `CryptographicException - Keyset does not exist` error dialog. Follow [Certificate Security Provider in a Published app Environment](https://docs.devolutions.net/rdm/kb/how-to-articles/certificate-security-provider-published-app-environment/) to resolve the issue.

Using a security provider ensures that nobody can read entry configuration data, even with direct access to the database(s) or a backup. Team workspaces should always be secured with a security provider.

{% hint style="warning" %}
Before applying a new security provider or changing an existing one, make sure that all users are disconnected from the workspace. If you are changing an existing Shared Passphrase or Certificate, note that users regain access to the workspace once they enter the new Shared Passphrase or Certificate on their computer.
{% endhint %}

### Settings

Note that changing a security provider on a workspace with a great number of entries is a lengthy operation.

{% hint style="warning" %}
Applying a new security provider processes the entire database; we therefore advise creating a backup before this operation.
{% endhint %}

1. Go to ***Administration*** – ***Security provider*** in the ribbon of Remote Desktop Manager.
2. Click on ***Change security settings*** to change the security provider.

   <figure><img src="https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6226.png" alt=""><figcaption></figcaption></figure>
3. Select a security type from the drop-down list.

   <figure><img src="https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6227.png" alt=""><figcaption></figcaption></figure>

<table><thead><tr><th width="216.20001220703125">OPTION</th><th>DESCRIPTION</th></tr></thead><tbody><tr><td>Default</td><td>The XML content stored in the database is not encrypted by default. Please note that the passwords are always encrypted.</td></tr><tr><td>Shared passphrase (V2)</td><td>The security provider encrypts the XML content stored in the database using AES with a passphrase mixed with a private key. The passphrase will be asked once on each machine.</td></tr><tr><td>Shared passphrase (V3)</td><td>The security provider encrypts the XML content stored in the database with a passphrase. The passphrase will be asked once on each machine.</td></tr><tr><td>Certificate</td><td>Set up a Certificate for the Security Provider. Requires elevated privileges.</td></tr><tr><td>Certificate (V2)</td><td>The security provider encrypts the XML content stored in the database using the private key of a certificate.</td></tr><tr><td>Keyfile</td><td>The security provider encrypts the XML content stored in the database using a keyfile provided by you.</td></tr></tbody></table>

### Shared passphrase

{% hint style="danger" %}
If the passphrase is lost, nothing can be done to recover the data. When using a passphrase, always copy it to a secure location.
{% endhint %}

Entry configuration data is encrypted using a mix of a key stored in Remote Desktop Manager and the passphrase you have entered.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6228.png)

The passphrase is required only when configuring the workspace. A policy can be enabled to always prompt for the passphrase when connecting to the workspace.

When configuring a security provider with a shared passphrase, you can choose whether to save it in the registry. Remote Desktop Manager first tries to save it under LOCAL\_MACHINE; if it cannot, it saves it under CURRENT\_USER instead.

* **HKEY\_CURRENT\_USER\SOFTWARE\RemoteDesktopManager.shk**
* **HKEY\_LOCAL\_MACHINE\SOFTWARE\RemoteDesktopManager.shk**

If the option is not enabled, then the passphrase is saved locally at the following location:

* **%LOCALAPPDATA%\Devolutions\RemoteDesktopManager.shk**

In a Terminal Services environment, it should be saved at this location:

* **%APPDATA%\Devolutions\RemoteDesktopManager.shk**

In a portable installation of Remote Desktop Manager, the passphrase will be saved at the same location as the portable Remote Desktop Manager instance.
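
An audit of the storage locations listed above, as an added example rather than Devolutions code: it reports which of them hold a saved passphrase on this machine and which accounts the ACL allows to read it. Whether the registry entry is a subkey or a value named `RemoteDesktopManager.shk` is an assumption, so the script checks both forms.

```powershell
# Added example (not Devolutions code): list saved shared-passphrase artifacts
# and the accounts allowed to read each one.
$name = 'RemoteDesktopManager.shk'

function Get-AllowedReaders {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object AccessControlType -eq 'Allow' |
        ForEach-Object {
            # File and registry rules expose their rights under different names.
            $rights = if ($_ -is [System.Security.AccessControl.RegistryAccessRule]) {
                $_.RegistryRights } else { $_.FileSystemRights }
            '{0} [{1}]' -f $_.IdentityReference, $rights
        }
}

$found = @(
    # File locations named in this section (standard and Terminal Services).
    foreach ($dir in $env:LOCALAPPDATA, $env:APPDATA) {
        $file = Join-Path $dir "Devolutions\$name"
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            [pscustomobject]@{ Location = $file; AclOf = $file }
        }
    }
    # Registry locations named in this section. Assumption: the entry may be a
    # subkey or a value called RemoteDesktopManager.shk, so both are checked.
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
        $key = Join-Path $hive $name
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Location = $key; AclOf = $key }
        } elseif ($null -ne (Get-Item -LiteralPath $hive).GetValue($name)) {
            [pscustomobject]@{ Location = "$hive ($name value)"; AclOf = $hive }
        }
    }
)

$found | ForEach-Object {
    [pscustomobject]@{
        Location = $_.Location
        Readers  = (Get-AllowedReaders $_.AclOf) -join '; '
    }
} | Format-List
if (-not $found) { 'No saved shared passphrase found in the documented locations.' }
```

Run it in the context of the user who launches Remote Desktop Manager; any location whose readers include broad groups such as `BUILTIN\Users` exposes the stored value to every account on that host.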

### Certificate

When choosing ***Certificate*** as Security Provider, entry configuration data is encrypted using a mix of a key stored in Remote Desktop Manager and the private key contained in the certificate.

![](https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6229.png)

<table><thead><tr><th width="136.199951171875">OPTION</th><th>DESCRIPTION</th></tr></thead><tbody><tr><td>Location</td><td><p>Indicate the certificate location. Select between:</p><ul><li><strong>Current user</strong></li><li><strong>Local machine</strong></li></ul></td></tr><tr><td>Store</td><td><p>Indicate the store location of the certificate. Select between:</p><ul><li><strong>Other people</strong></li><li><strong>Third-party root Certification authorities</strong></li><li><strong>Intermediate certification</strong></li><li><strong>Untrusted certificates</strong></li><li><strong>Personal</strong></li><li><strong>Trusted root certification authorities</strong></li><li><strong>Trusted people</strong></li><li><strong>Trusted publisher</strong></li></ul></td></tr><tr><td>Thumbprint</td><td>Select an existing RSA certificate.</td></tr></tbody></table>

#### Create Certificate

It is possible to create a self-signed certificate by clicking on ***Create Certificate***.

<figure><img src="https://cdnweb.devolutions.net/docs/docs_en_rdm_windows_RDMWin6230.png" alt=""><figcaption></figcaption></figure>

<table><thead><tr><th width="222.5999755859375">OPTION</th><th>DESCRIPTION</th></tr></thead><tbody><tr><td>Common name</td><td>Name of the certificate.</td></tr><tr><td>Key size (bits)</td><td><p>Indicate the key size (bits) of the certificate. Select between:</p><ul><li>384</li><li>512</li><li>1024</li><li>2048</li><li>4096</li><li>8192</li><li>16384</li></ul></td></tr><tr><td>Valid from</td><td>Start date of the certificate.</td></tr><tr><td>Valid to</td><td>End date of the certificate.</td></tr><tr><td>Saving method</td><td>Save the certificate as a pfx file and secure this certificate with a password. Indicate the location and the store to save the certificate.</td></tr><tr><td>Password</td><td>Specify a certificate password.</td></tr></tbody></table>
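
A pre-flight check for the certificate chosen as security provider, as an added example that is not part of the Devolutions documentation or product: it reports the RSA key size (the dialog above offers sizes as small as 384 bits) and whether the current account can open the private key, which is the condition behind the `Keyset does not exist` error. The function name and the thumbprint placeholder are hypothetical; the 2048-bit threshold is the NIST SP 800-131A minimum for RSA.

```powershell
# Added example: run as the account that will launch Remote Desktop Manager.
function Test-ProviderCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Location = 'LocalMachine',
        [string]$Store = 'My'   # the "Personal" store is named My in the Cert: drive
    )
    $ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $cert = Get-Item -Path "Cert:\$Location\$Store\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "No certificate $Thumbprint in $Location\$Store"
        return
    }

    $pub      = $ext::GetRSAPublicKey($cert)   # $null when the certificate is not RSA
    $canOpen  = $false
    $keyError = $null
    if ($cert.HasPrivateKey) {
        try {
            # Fails when this account lacks Read permission on the key.
            $canOpen = $null -ne $ext::GetRSAPrivateKey($cert)
        } catch {
            $keyError = $_.Exception.GetBaseException().Message
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        IsRsa         = $null -ne $pub
        KeySizeBits   = if ($pub) { $pub.KeySize } else { $null }
        WeakKeySize   = [bool]($pub -and $pub.KeySize -lt 2048)
        Expired       = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $cert.HasPrivateKey
        CanOpenKey    = $canOpen
        KeyError      = $keyError
    }
}

# Placeholder thumbprint: replace with the value shown in the Thumbprint field.
Test-ProviderCertificate -Thumbprint '<CERT-THUMBPRINT-PLACEHOLDER>'
```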
{% endtab %}

{% tab title="macOS" %}
The ***Security Provider*** allows for encrypting the workspace content. To access the security provider, navigate to ***Administration – Security Provider***.

{% hint style="info" %}
This feature requires an [advanced workspace](https://docs.devolutions.net/rdm/workspaces/workspace-types/native-workspaces/).
{% endhint %}

Regardless of the selected security provider, passwords stored in workspaces are **ALWAYS** encrypted using 256-bit AES encryption.

When a Certificate security provider is configured in a published app environment (Citrix, RemoteApp, XenApp), the user who runs Remote Desktop Manager in that environment requires ***Read permission*** on the certificate.

If the ***Read permission*** is not correctly set, Remote Desktop Manager shows the `CryptographicException - Keyset does not exist` error dialog. Follow [Certificate Security Provider in a Published app Environment](https://docs.devolutions.net/rdm/kb/how-to-articles/certificate-security-provider-published-app-environment/) to resolve the issue.

Using a security provider ensures that nobody can read entry configuration data, even with direct access to the database(s) or a backup. Team workspaces should always be secured with a security provider.

{% hint style="warning" %}
Before applying a new security provider or changing an existing one, make sure that all users are disconnected from the workspace. If you are changing an existing Shared Passphrase or Certificate, note that users regain access to the workspace once they enter the new Shared Passphrase or Certificate on their computer.
{% endhint %}

### Settings

Note that changing a security provider on a workspace with a great number of entries is a lengthy operation.

{% hint style="warning" %}
Applying a new security provider processes the entire database; we therefore advise creating a backup before this operation.
{% endhint %}

1. Click on ***Change security settings*** to change the security provider.
2. Select your new security type from the drop-down menu.

<table><thead><tr><th width="215.4000244140625">OPTION</th><th>DESCRIPTION</th></tr></thead><tbody><tr><td>Default</td><td>The XML content stored in the database is not encrypted by default. Please note that the passwords are always encrypted.</td></tr><tr><td>Shared passphrase (V2)</td><td>The security provider encrypts the XML content stored in the database using AES with a passphrase mixed with a private key. The passphrase will be asked once on each machine.</td></tr><tr><td>Shared passphrase (V3)</td><td>The security provider encrypts the XML content stored in the database with a passphrase. The passphrase will be asked once on each machine.</td></tr><tr><td>Certificate</td><td>Set up a Certificate for the Security Provider. Requires elevated privileges.</td></tr><tr><td>Certificate (V2)</td><td>The security provider encrypts the XML content stored in the database using the private key of a certificate.</td></tr><tr><td>Keyfile</td><td>The security provider encrypts the XML content stored in the database using a keyfile provided by you.</td></tr></tbody></table>

### Shared Passphrase

{% hint style="danger" %}
If the passphrase is lost, nothing can be done to recover the data. When using a passphrase, always copy it to a secure location.
{% endhint %}

Entry configuration data is encrypted using a mix of a key stored in Remote Desktop Manager and the passphrase you have entered.

### Certificate

When choosing ***Certificate*** as Security Provider, entry configuration data is encrypted using a mix of a key stored in Remote Desktop Manager and the private key contained in the certificate.

<table><thead><tr><th width="175.39996337890625">OPTION</th><th>DESCRIPTION</th></tr></thead><tbody><tr><td>Location</td><td><p>Indicate the certificate location. Select between:</p><ul><li><strong>Current user</strong></li><li><strong>Local machine</strong></li></ul></td></tr><tr><td>Store</td><td><p>Indicate the store location of the certificate. Select between:</p><ul><li><strong>Other people</strong></li><li><strong>Third-party root Certification authorities</strong></li><li><strong>Intermediate certification</strong></li><li><strong>Untrusted certificates</strong></li><li><strong>Personal</strong></li><li><strong>Trusted root certification authorities</strong></li><li><strong>Trusted people</strong></li><li><strong>Trusted publisher</strong></li></ul></td></tr><tr><td>Thumbprint</td><td>Select an existing RSA certificate.</td></tr></tbody></table>
{% endtab %}
{% endtabs %}


