Secret Double Octopus Remote AD Agent 3.1.0 Released with TPM-Based Credential Protection and Security Hardening

May 12, 2026
SECURITY ADVISORY & PRODUCT RELEASE

Secret Double Octopus Releases Remote AD Agent 3.1.0 with TPM-Based Credential Protection and Security Hardening Enhancements

Secret Double Octopus has released Remote AD Agent version 3.1.0, addressing a credential hardening gap identified during recent penetration testing and significantly improving the protection of sensitive authentication secrets stored on agent hosts.

On May 8th, 2026, Secret Double Octopus released Remote AD Agent version 3.1.0 following the discovery of a security hardening issue during internal penetration testing activities.

The issue involved the storage of the API client secret that the Remote AD Agent uses to authenticate to the AD Service. In previous versions, this secret was stored in plaintext within the local agent configuration file. Although file access was already restricted to privileged users, an attacker who gained Administrator or LocalSystem access to the host could read the secret directly from disk.

Version 3.1.0 introduces substantial cryptographic and operational hardening improvements designed to better protect credentials and reduce the risk of secret extraction from compromised systems.

Why This Release Matters

  • This release is a strong example of proactive security hardening following internal security testing.
  • Protecting secrets from post-compromise extraction is a critical component of modern defense-in-depth.
  • Organizations using the Remote AD Agent should view this release as a recommended security upgrade.
  • This is especially important in environments with privileged access, shared infrastructure, or elevated administrative activity.

What Changed in Remote AD Agent 3.1.0

Encrypted Secret Storage

Plaintext client secrets have been replaced with an encrypted envelope architecture using AES-256-GCM encryption and RSA-OAEP-SHA256 wrapping.

TPM 2.0 Integration

The encryption envelope is bound to a non-extractable RSA-2048 keypair stored in the host TPM 2.0, significantly reducing the risk of credential extraction.
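The envelope the two paragraphs above describe, written out as an added example (this is not Secret Double Octopus code): a random 256-bit data key encrypts the client secret with AES-256-GCM, and that data key is wrapped with RSA-OAEP-SHA256 under an RSA-2048 key. In the agent the RSA private key is non-extractable inside the TPM; here a software RSA key generated in memory stands in for it, the envelope field names and the associated-data label are this example's own, and the Python `cryptography` package is assumed to be installed. The last two checks show why a lost wrapping key (the TPM reset case) or an edited ciphertext leaves the secret unrecoverable rather than silently wrong.

```python
"""Envelope protection for an API client secret: AES-256-GCM for the data,
RSA-OAEP-SHA256 to wrap the data key. Added example; the RSA private key is a
software stand-in for the TPM-resident, non-extractable key the agent uses."""
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hypothetical associated data: binds the ciphertext to the setting it protects,
# so an envelope copied into a different field fails authentication.
AAD = b"appsettings.Production.json/ApiClientSecret"

OAEP_SHA256 = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def generate_wrapping_key() -> rsa.RSAPrivateKey:
    """Software stand-in for the RSA-2048 keypair the agent keeps in the TPM."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal_secret(secret: bytes, wrapping_key: rsa.RSAPrivateKey) -> dict:
    """Encrypt `secret` under a fresh data key and wrap that key for storage.

    Only the public half of the wrapping key is used here, which is why a
    TPM-bound private key never has to leave the chip to create the envelope."""
    dek = AESGCM.generate_key(bit_length=256)            # one-time AES-256 data key
    nonce = os.urandom(12)                                # 96-bit GCM nonce, fresh per seal
    ciphertext = AESGCM(dek).encrypt(nonce, secret, AAD)  # ciphertext || 16-byte tag
    wrapped_dek = wrapping_key.public_key().encrypt(dek, OAEP_SHA256)
    return {
        "alg": "AES-256-GCM",
        "wrap": "RSA-OAEP-SHA256",
        "nonce": _b64(nonce),
        "ciphertext": _b64(ciphertext),
        "wrapped_key": _b64(wrapped_dek),
    }


def open_secret(envelope: dict, wrapping_key: rsa.RSAPrivateKey) -> bytes:
    """Unwrap the data key with the private key, then decrypt and verify the tag.

    Raises ValueError when the wrapping key does not match the envelope and
    InvalidTag when the ciphertext, nonce or associated data were altered."""
    dek = wrapping_key.decrypt(_unb64(envelope["wrapped_key"]), OAEP_SHA256)
    return AESGCM(dek).decrypt(
        _unb64(envelope["nonce"]), _unb64(envelope["ciphertext"]), AAD
    )


def try_open_secret(envelope: dict, wrapping_key: rsa.RSAPrivateKey):
    """Return the secret, or None when the envelope cannot be opened with this key."""
    try:
        return open_secret(envelope, wrapping_key)
    except (ValueError, InvalidTag):
        return None


def tamper(envelope: dict) -> dict:
    """Copy of the envelope with one ciphertext byte flipped (a simulated on-disk edit)."""
    ct = bytearray(_unb64(envelope["ciphertext"]))
    ct[0] ^= 0x01
    return {**envelope, "ciphertext": _b64(bytes(ct))}


if __name__ == "__main__":
    tpm_key = generate_wrapping_key()
    env = seal_secret(b"example-client-secret", tpm_key)
    print("round trip:", try_open_secret(env, tpm_key))
    print("after TPM reset (new key):", try_open_secret(env, generate_wrapping_key()))
    print("after ciphertext edit:", try_open_secret(tamper(env), tpm_key))
```

Because sealing uses only the public key, the private key never needs to be exportable; that is the property the TPM provides and the software-KSP fallback approximates with lower assurance. The GCM tag also means a modified configuration file is rejected outright instead of yielding a corrupted secret.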

FIPS 140-3 Approved Cryptography

All cryptographic operations now utilize FIPS 140-3 approved algorithms and fully support Windows systems operating in FIPS mode.

ACL Hardening

The appsettings.Production.json configuration file is now automatically ACL-hardened to LocalSystem and local Administrators only.
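One way to verify that hardening on an agent host, added here as an example and not part of the agent or its installer: run `icacls` against the configuration file, parse the result, and report any principal other than SYSTEM and Administrators as well as any entry that is only inherited from the parent directory (an inherited grant can be widened by a change to the parent folder). The install path and both `icacls` outputs below are constructed samples, not output captured from a real host.

```python
"""Audit the NTFS ACL on appsettings.Production.json from `icacls` output.

Added example. Expected state after 3.1.0: only LocalSystem and local
Administrators hold rights, and those rights are set explicitly on the file."""
from typing import List, Tuple

ALLOWED_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS"}

# Hypothetical install path; substitute the real location on the agent host.
CONFIG_PATH = r"C:\Program Files\Remote AD Agent\appsettings.Production.json"

# Constructed sample of `icacls <file>` output for a file that is NOT hardened:
# Administrators only via inheritance, plus Users and a legacy service account.
WEAK_ICACLS_OUTPUT = (
    CONFIG_PATH + " NT AUTHORITY\\SYSTEM:(F)\n"
    "    BUILTIN\\Administrators:(I)(F)\n"
    "    BUILTIN\\Users:(I)(RX)\n"
    "    CONTOSO\\svc-legacy:(R)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)

# Constructed sample for the hardened state the release describes.
HARDENED_ICACLS_OUTPUT = (
    CONFIG_PATH + " NT AUTHORITY\\SYSTEM:(F)\n"
    "    BUILTIN\\Administrators:(F)\n"
    "\n"
    "Successfully processed 1 files; Failed processing 0 files\n"
)


def parse_icacls(output: str, path: str) -> List[Tuple[str, str]]:
    """Return (principal, permission string) pairs from icacls output.

    The first line carries the file path followed by the first ACE; later
    lines are indented continuation ACEs; the summary line is skipped."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        if ":(" not in line:
            continue  # not an ACE line
        principal, perms = line.rsplit(":", 1)
        aces.append((principal.strip(), perms.strip()))
    return aces


def audit_config_acl(output: str, path: str, allowed=ALLOWED_PRINCIPALS) -> List[str]:
    """One finding per ACE that violates the hardened state; empty list if clean."""
    findings = []
    for principal, perms in parse_icacls(output, path):
        if principal.upper() not in allowed:
            findings.append(f"unexpected principal {principal} granted {perms}")
        elif "(I)" in perms:
            findings.append(f"{principal} granted {perms} only through inheritance")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_ICACLS_OUTPUT), ("hardened", HARDENED_ICACLS_OUTPUT)):
        print(label, audit_config_acl(sample, CONFIG_PATH) or ["no findings"])
```

On a live host, replace the sample text with the captured output of `icacls "<path>"`; the parser keys on the path you pass, so the first line is handled even when the path contains spaces or a drive-letter colon.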

UAC Elevation Requirements

The installation wizard now explicitly requires UAC elevation during deployment to ensure proper system-level configuration and permissions.

Software KSP Fallback

Systems without TPM 2.0 support utilize a software-KSP fallback mechanism. While still non-extractable, this provides lower assurance than TPM-backed protection.

Who Should Upgrade?

  • The Remote AD Agent is primarily used by SaaS customers, though some on-premises environments may also utilize the component.
  • Any organization currently running the Remote AD Agent should plan to upgrade to version 3.1.0.

Important Upgrade Considerations

Item                           Details
In-Place Upgrade               Direct upgrade from 3.0.0 to 3.1.0 is not supported.
Migration Process              Organizations must deploy a new agent, reassign the replica configuration, and remove the old agent entry.
Service Account Requirements   The service must run as LocalSystem or an account within the local Administrators group.
gMSA Support                   Group Managed Service Accounts are not currently supported in version 3.1.0.
TPM/Hardware Changes           TPM resets, host re-imaging, or hardware replacements will invalidate the encrypted secret and require re-running the setup wizard.

Recommended Migration Procedure

  • Delete the existing Remote AD Agent from the agent host.
  • Create and install a new Remote AD Agent through the Management Console.
  • Edit the associated replica and select the new agent.
  • Unselect the previous agent from the replica configuration.
  • Remove the old agent entry from the Management Console.

Need Assistance Upgrading Secret Double Octopus?

DBT provides architecture consulting, deployment assistance, migration planning, and operational support for Secret Double Octopus environments, including passwordless authentication, desktop MFA, Remote AD Agent deployments, and identity modernization initiatives.

Contact DBT

This article is provided for informational purposes only. Product names, trademarks, and brands are property of their respective owners. Organizations should review official vendor documentation and test all upgrades within a controlled environment prior to production deployment.