Encryption at Rest

All our applications and services have industry-standard encryption at rest.

  • All the sensitive data provided by our clients (repository access keys, VPN credentials, etc.) is encrypted using the symmetric algorithm of our key management system (KMS). This algorithm is based on Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) with 256-bit secret keys. AES256 is the US government standard encryption algorithm used to protect top-secret information. Additionally, client data is protected using HMAC with SHA-256 hashes.

  • All our domain names are protected with DNSSEC to ensure that DNS records received by clients are identical to the DNS records published by us.

  • All our clients' code repositories are stored in private, AES256-encrypted, redundant data centers.

  • Our exploits are stored encrypted using AES256 keys.

  • All Attacks Resistance Management (ARM) data is stored in an AES256-encrypted database.

  • Most of our encrypted-at-rest secrets are only decrypted in memory, meaning that they are never stored on a hard drive when decrypted. This greatly reduces the possibility of a data leak caused by leaving unprotected files with decrypted secrets stored on hard drives.

  • All our products use our KMS for both development and production secrets.

  • All our Windows laptops have their hard drives encrypted using BitLocker. A domain controller continuously checks adherence to this policy.

  • All our Linux laptops have their hard drives encrypted from the bootloader using LUKS.