Fluid Attacks policy on encryption at rest | Fluid Attacks

Encryption at Rest

All our applications and services have industry-standard encryption at rest.

  1. All the sensitive data provided by our clients (repository access keys, VPN credentials, etc.) is encrypted using the symmetric algorithm of our key management system (KMS). This algorithm is based on the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with 256-bit keys. AES-256 is the US government standard encryption algorithm used to protect top-secret information. Additionally, client data is also protected using HMAC with SHA-256 hashes.

  2. All our domain names are protected with DNSSEC to ensure that DNS records received by clients are identical to the DNS records published by us.

  3. All our clients' code repositories are stored in private, redundant data centers and encrypted with AES-256.

  4. Our exploits are stored encrypted with AES-256.

  5. All our platform's data is stored in an AES-256 encrypted database.

  6. Most of our encrypted-at-rest secrets are only decrypted in memory, meaning that they are never written to a hard drive in decrypted form. This greatly reduces the risk of a data leak caused by unprotected files containing decrypted secrets being left on hard drives.

  7. All our components use our KMS for both development and production secrets.

  8. All our Windows laptops have their hard drives encrypted using BitLocker.

  9. All our Linux laptops have full disk encryption applied from the bootloader using LUKS.

  10. All our Mac laptops have their hard drives encrypted with FileVault enabled.
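The following Go program is an added example, not Fluid Attacks' code, illustrating the scheme described in items 1 and 6: a secret is encrypted with AES-256-GCM, bound to a context string as additional authenticated data, and further protected by an HMAC-SHA-256 tag; on retrieval the HMAC is checked in constant time before the ciphertext is touched, and the plaintext is returned only in memory. The `Keys`, `Record`, `Seal` and `Open` names, the locally generated keys (which in the policy above would be held by the KMS) and the sample secret are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Keys models what the KMS would hold: a 256-bit AES key and an independent
// 256-bit HMAC key. They are generated locally only for this example.
type Keys struct {
	Enc []byte
	Mac []byte
}

// Record is what lands on disk: the GCM nonce, the ciphertext (which already
// carries GCM's own tag) and an HMAC-SHA-256 over nonce || ciphertext.
type Record struct {
	Nonce      []byte
	Ciphertext []byte
	Mac        []byte
}

// NewKeys draws two fresh 256-bit keys from the OS CSPRNG.
func NewKeys() (Keys, error) {
	k := Keys{Enc: make([]byte, 32), Mac: make([]byte, 32)}
	for _, b := range [][]byte{k.Enc, k.Mac} {
		if _, err := io.ReadFull(rand.Reader, b); err != nil {
			return Keys{}, err
		}
	}
	return k, nil
}

// macOver computes HMAC-SHA-256(macKey, nonce || ciphertext).
func macOver(macKey, nonce, ciphertext []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(nonce)
	h.Write(ciphertext)
	return h.Sum(nil)
}

// Seal encrypts a secret with AES-256-GCM under a random 96-bit nonce, binds it
// to a context string (e.g. which client it belongs to) as GCM additional
// authenticated data, and attaches the HMAC-SHA-256 tag.
func Seal(k Keys, plaintext, context []byte) (Record, error) {
	block, err := aes.NewCipher(k.Enc) // a 32-byte key selects AES-256
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, context)
	return Record{Nonce: nonce, Ciphertext: ct, Mac: macOver(k.Mac, nonce, ct)}, nil
}

// Open verifies the HMAC in constant time before using the ciphertext, then lets
// GCM verify its own tag and the context. The plaintext exists only in memory;
// callers must never write it to disk (policy item 6).
func Open(k Keys, r Record, context []byte) ([]byte, error) {
	if !hmac.Equal(macOver(k.Mac, r.Nonce, r.Ciphertext), r.Mac) {
		return nil, errors.New("HMAC mismatch: record altered or wrong MAC key")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, context)
}

func main() {
	k, err := NewKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample secret and context; not real credentials.
	ctx := []byte("client=example-corp")
	rec, err := Seal(k, []byte("vpn-password: EXAMPLE-ONLY"), ctx)
	if err != nil {
		panic(err)
	}
	pt, err := Open(k, rec, ctx)
	fmt.Printf("decrypted in memory: %q (err=%v)\n", pt, err)
	rec.Ciphertext[0] ^= 0x01 // simulate a corrupted or altered record on disk
	_, err = Open(k, rec, ctx)
	fmt.Println("tampered record:", err)
}
```

Checking the HMAC before GCM means a damaged or altered record is rejected without ever running the cipher, and binding the context as additional authenticated data means a record copied from one client's slot to another's fails to decrypt even with the right keys.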

Requirements

  - 127. Store hashed passwords
  - 150. Set minimum size for hash functions
  - 176. Restrict system objects
  - 185. Encrypt sensitive information
  - 224. Use secure cryptographic mechanisms
  - 356. Verify sub-domain names