When batch files, scripts and other programs have embedded (and usually plaintext) passwords, organizations have three options to move those passwords into the Hitachi ID Bravura Privilege credential vault:

  1. Modify the batch file, script or program to call the Bravura Privilege API to fetch passwords in real time, as required; or
  2. Modify the code which starts the batch process, to first fetch a password from Bravura Privilege, inject it into a local configuration file or as a command-line argument and then run the batch process; or
  3. Have Bravura Privilege modify passwords where they are currently stored whenever it changes them to a new, random value. In this case, neither the batch process nor the mechanism that calls it change.

The first option is clearly more robust and secure, but requires modification to the program that uses an embedded password. Such modification may be too costly (e.g., if there are thousands of such programs) or impossible (e.g., if the program came from a third party who is not willing to make changes).

The second and third options are recommended by Hitachi ID Systems wherever the first is infeasible.

Bravura Privilege supports all of the above options.

Watch a Movie

Hitachi ID Bravura Privilege API CMD


  • Command-line execution of FTP client.
  • Plaintext password replaced with credentials from secure vault.
  • Video shows establishment of trust relationship.

Key concepts:

  • Authentication into Bravura Privilege web services API uses OTP and IP address validation.
  • Wrapper library manages caching, encryption, key generation, serialization.
  • Encryption key generated based on runtime environment.
  • Command-line launcher hides complexity from user.