The native mailboxing approach to securing passwords does work, but it has several limitations. It is limited to specific, known, existing machines, and it isn’t applicable to groups, especially dynamic groups.
If targeting large numbers of machines, encrypting to unique keys for each client becomes an expensive and redundant operation from a server perspective.
Ideally an action, such as password change, would be a policy action targeted to a dynamic group which would remediate both current and future endpoints until the action is stopped. This way none are missed.
An alternative way of securing content, be it passwords or even files, is to take the original premise of the Local User Management site in Bigfix Labs that used OpenSSL and extend it a bit. The original process downloaded OpenSSL bits into a locked down subdirectory of the client, then generated a key pair. The public portion was pulled into an analysis on the server. This facilitated a way to encrypt data to a specific client. This was the basis for what has now become mailboxing.
Creating additional key pairs in OpenSSL and distributing them to groups of clients resolves several of the mailboxing shortcomings. As in Local User Management, the encrypted value is decrypted by OpenSSL commands in the action, then piped into a script or application.
Now static or dynamic groups can be targeted. That includes future machines which will eventually join a particular dynamic group. Now a local password action can target a dynamic group as a policy action so that new computers automatically get the update.
Different key pairs can be generated for different groups, sites, and/or operators. This is easy to automate and is cross-platform, and the full feature set and options of OpenSSL are at one’s disposal.
Whole files can also be encrypted for distribution in addition to passwords.
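The group key pair flow described above, as an added example rather than code from BigFix Labs or IBM: one RSA pair per group, the server encrypts a secret (a password or a whole file) to the group public key, and the client decrypts it in the action and pipes the plaintext to a consumer. The group name `finance`, the scratch directory and the sample password are constructed for the demo; because RSA can only wrap a short payload, the payload itself is AES-encrypted under a random key that RSA-OAEP wraps.

```shell
#!/bin/sh
# Added example (not BigFix Labs / IBM code). Requires the openssl CLI (1.1.1+).
set -eu

WORK="${TMPDIR:-/tmp}/group-mailbox-demo"   # assumed scratch directory
mkdir -p "$WORK"

# 1. Generate the group key pair once. The private key is distributed to the
#    clients in the group; the public key is what the server encrypts to.
gen_group_keys() {
    grp="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$grp.key" 2>/dev/null
    openssl pkey -in "$WORK/$grp.key" -pubout -out "$WORK/$grp.pub" 2>/dev/null
}

# 2. Server side: hybrid encryption. A random 256-bit key (hex, so it is a
#    clean single-line passphrase) encrypts the payload with AES-256-CBC;
#    that key is wrapped with the group's RSA public key using OAEP.
encrypt_to_group() {
    grp="$1"; src="$2"; out="$3"
    openssl rand -hex 32 > "$WORK/$grp.aes"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/$grp.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/$grp.aes" -out "$out.key"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:"$WORK/$grp.aes" \
        -in "$src" -out "$out.enc"
    rm -f "$WORK/$grp.aes"   # the wrapped copy in $out.key is the only one kept
}

# 3. Client side (the action): unwrap the AES key with the group private key,
#    decrypt the payload and write it to stdout for piping into a script.
decrypt_for_group() {
    grp="$1"; in="$2"
    openssl pkeyutl -decrypt -inkey "$WORK/$grp.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$in.key" -out "$WORK/$grp.aes.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$WORK/$grp.aes.dec" \
        -in "$in.enc"
    rm -f "$WORK/$grp.aes.dec"
}

# Round trip with a constructed sample secret; returns the recovered plaintext.
roundtrip() {
    gen_group_keys finance
    printf 'constructed-sample-password\n' > "$WORK/secret.txt"
    encrypt_to_group finance "$WORK/secret.txt" "$WORK/payload"
    decrypt_for_group finance "$WORK/payload"
}
```

In a real action the output of `decrypt_for_group` is piped straight into the password-setting script rather than written to disk. Since every client in the group holds the same private key, generating a fresh pair and re-encrypting is the way to revoke access when a member is decommissioned or compromised.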
IBM Feature Request: Offer an option to create a mailbox and unique key pair for any given group. Then allow that group to be targeted with the mailboxing approach.
A further enhancement would be to allow encryption of complete individual or multiple files to one or more group mailboxes. This could be a few extra options within the existing deployment wizard.