Password Decryption

Hi all - I see a variety of replies here and I would like to set some things straight from the SailPoint perspective. Source passwords are always encrypted and stored in an encrypted database.

There is no product feature or ability to decrypt these passwords from a customer, partner, or implementer perspective.

For sources that use virtual appliances, these sources leverage a Zero Knowledge Encryption scheme, where the source passwords are encrypted using the virtual appliance cluster’s public key. The SailPoint cloud cannot decrypt these passwords, because we do not have the private decryption key, which is located on the virtual appliance itself. Whenever connectors are run, the connector engine on the virtual appliance will decrypt any encrypted values using the virtual appliance decryption keys, and hand that to the connector that is executing. There is no implementation interaction with any of that.

For sources that use SaaS connectivity, these sources leverage a different encryption scheme for which SailPoint has both encryption and decryption keys. The SailPoint cloud can decrypt these passwords, because that is where the connector executes (for SaaS to SaaS communication). When connectors are run, the connector engine in the cloud will decrypt any encrypted values using the virtual private keys, and hand that to the connector that is executing. There is no implementation interaction with any of that.

Rules do not have the ability to call context.decrypt(...) like you can in IdentityIQ. These types of functions have been stripped out of the prototypical contexts in the virtual appliance and in the cloud; this means that nothing will happen. Moreover, rule validations will fail for including these commands. For cloud rules, these will fail rule validation on import if you include these commands. For connector rules, the API will reject rules if that particular method is found.

SailPoint recommends storing a copy of credentials in Privileged Access Management (PAM) or Key Management System (KMS) vaults, and cycling source credentials on a routine basis. SailPoint source APIs can be integrated with these types of systems so we can be kept up to date as these credentials change.

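The key split the post describes for virtual-appliance sources (the cloud holds only the cluster's public key and the ciphertext; the private key never leaves the appliance), as an added example that is not SailPoint's code. The type names, the choice of RSA-OAEP/SHA-256, and the sample password are assumptions; the post does not name the algorithm.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ApplianceCluster models the virtual appliance side: it alone holds the
// private decryption key (hypothetical type for this example).
type ApplianceCluster struct{ priv *rsa.PrivateKey }

// Cloud models the SaaS side: it keeps only the cluster's public key and
// the encrypted source password, so it has nothing that can decrypt.
type Cloud struct {
	pub        *rsa.PublicKey
	ciphertext []byte
}

// oaepLabel binds the ciphertext to its purpose (an assumed constant).
var oaepLabel = []byte("source-password")

func NewApplianceCluster() (*ApplianceCluster, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ApplianceCluster{priv: priv}, nil
}

// PublicKey is the only key material the appliance ever hands to the cloud.
func (a *ApplianceCluster) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// StoreSourcePassword encrypts under the cluster public key; the cloud can
// persist the result but never recover the plaintext from it.
func (c *Cloud) StoreSourcePassword(password string) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.pub, []byte(password), oaepLabel)
	if err != nil {
		return err
	}
	c.ciphertext = ct
	return nil
}

// DecryptForConnector runs on the appliance just before a connector executes.
// Any other key pair (for example a different cluster) fails here.
func (a *ApplianceCluster) DecryptForConnector(ciphertext []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, a.priv, ciphertext, oaepLabel)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered ciphertext")
	}
	return string(pt), nil
}

func main() {
	va, _ := NewApplianceCluster()
	cloud := &Cloud{pub: va.PublicKey()}
	_ = cloud.StoreSourcePassword("constructed-sample-secret") // constructed value
	pt, err := va.DecryptForConnector(cloud.ciphertext)
	fmt.Printf("appliance recovered %q (err=%v); cloud holds %d opaque bytes\n", pt, err, len(cloud.ciphertext))
}
```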