Parascope Docs

Managing Credentials

Create, update, and manage stored credentials used by collectors for authenticated target access.

Parascope stores credentials securely in its built-in credential store for collectors that need authentication to reach their targets — particularly the OS collector, which connects to hosts via SSH. The credential management page lets you create, update, and manage these stored credentials.

Accessing Credential Management

Navigate to SettingsCredentials to manage stored credentials.

Credential Types

TypeUse CaseFields
SSH Private KeyOS collector connecting to Linux hostsUsername, private key (PEM format), optional passphrase
SSH PasswordOS collector for legacy systems without key-based authUsername, password

SSH private key authentication is recommended for security and reliability.

Creating a Credential

  1. Go to SettingsCredentials
  2. Click Create Credential
  3. Enter a name — this is how the credential will be referenced in collection rulesets (e.g., "Production SSH Key", "Staging Password")
  4. Select the credential type (SSH Key or SSH Password)
  5. Fill in the authentication fields:
    • For SSH Key: username, paste the private key content, optional passphrase
    • For SSH Password: username and password
  6. Click Create

The credential is stored securely — never in the database or config files.

Updating a Credential

  1. Select the credential from the list
  2. Click Edit
  3. Update the fields as needed
  4. Click Save

When you update a credential, all rulesets referencing it will use the new values on their next collection cycle. No ruleset reconfiguration needed.

Deleting a Credential

  1. Select the credential from the list
  2. Click Delete
  3. Confirm the deletion

Deleting a credential that is referenced by an active ruleset will cause that ruleset's collections to fail until a new credential is assigned.

How Credentials Connect to Collection

Loading diagram...
  1. A collection ruleset references a credential by name
  2. At collection time, the collector resolves the credential from Parascope's credential store
  3. The credential is used to establish an SSH connection to the target host
  4. Credentials are never logged or exposed in collection results

Credential Resolution Priority

When the OS collector connects to a target, credentials are resolved in this order:

  1. Target-specific credential — If a specific credential is configured for that target host
  2. Ruleset-level default credential — The credential assigned to the collection ruleset
  3. Error — If no credential is available, the target is skipped with an error

Security Best Practices

  • Use SSH keys over passwords whenever possible
  • Use dedicated service accounts for collection — don't reuse personal credentials
  • Rotate credentials periodically — update the credential in Parascope and the corresponding authorized key on targets
  • Use separate credentials for different environments (production vs staging)
  • The collection user needs minimal permissions — read access to system information, not root (though sudo may be needed for some collection sections)

API Tokens and Keys

Authenticate programmatic access to the Parascope API using personal tokens and service keys.

Security Audit Log

Monitor authentication events, permission changes, token operations, and administrative actions for compliance and incident investigation.

On this page

Accessing Credential ManagementCredential TypesCreating a CredentialUpdating a CredentialDeleting a CredentialHow Credentials Connect to CollectionCredential Resolution PrioritySecurity Best PracticesRelated Documentation