Because strongDM is a protocol-aware proxy, we are able to inject credentials during the "last mile" hop between the proxy and the target database or server. As a result, sensitive credentials are always inaccessible to users: they are never transferred to a client in any form.
Credentials are unlocked at runtime using a "dual key" system: they are decrypted only when a cryptographically valid proxy instance requests decryption on behalf of a cryptographically valid user session. Neither the user nor the proxy instance alone is sufficient to decrypt the credential.
Internally, the strongDM credential vault is implemented using the AWS Key Management Service (KMS). The strongDM implementation fully leverages authenticated encryption with associated data (AEAD) via the KMS Encryption Context: the context is bound to the ciphertext at encryption time and must be presented again, unchanged, for decryption to succeed. All credential decryption events are written to a tamper-hardened audit log that is owned by a separate AWS account. You can read more about KMS at: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf.
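The following is an added illustration, not strongDM's or AWS's code, of how an AEAD encryption context enforces the "dual key" rule described above: a local AES-GCM key stands in for the KMS-held key, the function names (`Seal`, `Open`, `contextAAD`) and the `proxy`/`session` context keys are assumptions for the example, and a real deployment would make the KMS `Decrypt` call (with the context) rather than hold the key itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// contextAAD: KMS-style encryption context as AAD; json.Marshal sorts keys, so order is stable.
func contextAAD(ctx map[string]string) []byte {
	aad, _ := json.Marshal(ctx) // cannot fail for map[string]string
	return aad
}
// newGCM builds AES-GCM from a 16/24/32-byte key (stand-in for the KMS-held key).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts a credential, authenticating (not encrypting) ctx as AAD. Output: nonce||ct||tag.
func Seal(key, credential []byte, ctx map[string]string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, credential, contextAAD(ctx)), nil
}
// Open succeeds only if ctx equals the context bound at Seal; dropping or altering the proxy or session half fails the tag check.
func Open(key, blob []byte, ctx map[string]string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], contextAAD(ctx))
	if err != nil {
		return nil, errors.New("context mismatch or tampering: decryption refused")
	}
	return pt, nil
}
```

Because the context is authenticated but not encrypted, it can also be recorded verbatim in the decryption audit log, which is what makes the log useful for tracing which proxy and session unlocked which credential.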