What kinds of encryption keys are used?
For the Crypteron managed security platform, the key hierarchy is as follows:
- Data is encrypted by separate, versioned data encryption keys (DEKs)
- Every DEK is encrypted with key-encryption keys (KEKs)
- KEKs are encrypted by an elliptic curve master encryption key (MEK)
- KEKs are signed by another distinct elliptic curve master signing key (MSK)
- Both the MEK and MSK are based on the SECP521 NIST curve, which exceeds the Department of Defense’s Top Secret requirements.
For enterprise self-hosted plans, which typically target a single application / single tenant scenario, each application gets its own elliptic curve master encryption key (MEK) and master signing key (MSK). The DEKs are stored inside a NoSQL datastore, the keychain file. The keychain file is protected by the MEK and MSK and as such is always encrypted.
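The hierarchy above (versioned DEKs wrapped by a KEK, the KEK encrypted to a P-521 MEK and signed by a separate P-521 MSK, everything in the keychain stored only in encrypted form) can be shown end to end in a small Go program. The code below is an added illustration written for this page, not Crypteron's implementation or any part of its product: the wire formats, the `Keychain` type and method names, and the simplified key-derivation step (SHA-256 over the ECDH shared secret and a label, where a production system would use a standard KDF) are all assumptions made for the example. It uses only the Go standard library (Go 1.20 or later for `crypto/ecdh`).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
)

// AES-256-GCM helpers; the sealed form is nonce || ciphertext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	if len(blob) < gcm.NonceSize() { return nil, errors.New("missing or truncated ciphertext") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// wrapKeyFrom is a simplified KDF chosen for this example (SHA-256 over ECDH secret || label).
func wrapKeyFrom(shared []byte) []byte { k := sha256.Sum256(append(shared, "kek-wrap"...)); return k[:] }
func vAAD(v uint32) []byte { return binary.BigEndian.AppendUint32(nil, v) }

const p521Point = 133 // bytes in an uncompressed P-521 public point

// Keychain is the always-encrypted key store: one KEK sealed to the MEK public key
// (ephemeral P-521 ECDH + AES-GCM) and signed by the MSK, plus versioned DEKs wrapped by the KEK.
type Keychain struct {
	WrappedKEK []byte            // ephemeral public point || nonce || ciphertext
	KEKSig     []byte            // ECDSA P-521 signature (SHA-512) over WrappedKEK
	DEKs       map[uint32][]byte // DEK version -> DEK wrapped under the KEK, version bound as AAD
	Latest     uint32            // 0 until the first RotateDEK
}

// NewMasterKeys makes two distinct P-521 keys: MEK for ECDH (encryption), MSK for ECDSA (signing).
func NewMasterKeys() (*ecdh.PrivateKey, *ecdsa.PrivateKey, error) {
	mek, err := ecdh.P521().GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	msk, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
	return mek, msk, err
}

// NewKeychain mints a KEK, seals it to the MEK public key and signs the sealed blob with the MSK.
func NewKeychain(mekPub *ecdh.PublicKey, msk *ecdsa.PrivateKey) (*Keychain, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil { return nil, err }
	eph, err := ecdh.P521().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(mekPub)
	if err != nil { return nil, err }
	ephBytes := eph.PublicKey().Bytes()
	ct, err := gcmSeal(wrapKeyFrom(shared), kek, ephBytes)
	if err != nil { return nil, err }
	wrapped := append(ephBytes, ct...)
	digest := sha512.Sum512(wrapped)
	sig, err := ecdsa.SignASN1(rand.Reader, msk, digest[:])
	if err != nil { return nil, err }
	return &Keychain{WrappedKEK: wrapped, KEKSig: sig, DEKs: map[uint32][]byte{}}, nil
}

// OpenKEK verifies the MSK signature before the MEK private key touches the blob, so a
// tampered keychain is refused rather than decrypted. This is the only step needing the MEK.
func (kc *Keychain) OpenKEK(mek *ecdh.PrivateKey, mskPub *ecdsa.PublicKey) ([]byte, error) {
	digest := sha512.Sum512(kc.WrappedKEK)
	if !ecdsa.VerifyASN1(mskPub, digest[:], kc.KEKSig) { return nil, errors.New("keychain signature invalid") }
	if len(kc.WrappedKEK) < p521Point { return nil, errors.New("wrapped KEK too short") }
	ephPub, err := ecdh.P521().NewPublicKey(kc.WrappedKEK[:p521Point])
	if err != nil { return nil, err }
	shared, err := mek.ECDH(ephPub)
	if err != nil { return nil, err }
	return gcmOpen(wrapKeyFrom(shared), kc.WrappedKEK[p521Point:], kc.WrappedKEK[:p521Point])
}

// RotateDEK adds a new DEK version; older versions stay so existing records still decrypt.
func (kc *Keychain) RotateDEK(kek []byte) (uint32, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return 0, err }
	v := kc.Latest + 1
	wrapped, err := gcmSeal(kek, dek, vAAD(v))
	if err != nil { return 0, err }
	kc.DEKs[v], kc.Latest = wrapped, v
	return v, nil
}

// Records are version(4 bytes) || nonce || ciphertext; the version header is also the AAD,
// so pointing a record at a different DEK version fails authentication.
func (kc *Keychain) EncryptRecord(kek, plaintext []byte) ([]byte, error) {
	dek, err := gcmOpen(kek, kc.DEKs[kc.Latest], vAAD(kc.Latest)) // no DEK yet -> nil entry -> error
	if err != nil { return nil, err }
	ct, err := gcmSeal(dek, plaintext, vAAD(kc.Latest))
	return append(vAAD(kc.Latest), ct...), err
}
func (kc *Keychain) DecryptRecord(kek, record []byte) ([]byte, error) {
	if len(record) < 4 { return nil, errors.New("record too short") }
	v := binary.BigEndian.Uint32(record[:4])
	dek, err := gcmOpen(kek, kc.DEKs[v], vAAD(v)) // unknown version -> nil entry -> error
	if err != nil { return nil, err }
	return gcmOpen(dek, record[4:], record[:4])
}

func main() {
	mek, msk, _ := NewMasterKeys()
	kc, _ := NewKeychain(mek.PublicKey(), msk)
	kek, _ := kc.OpenKEK(mek, &msk.PublicKey)
	kc.RotateDEK(kek)
	rec, _ := kc.EncryptRecord(kek, []byte("constructed sample record"))
	kc.RotateDEK(kek) // a rotation must not orphan the record written under version 1
	pt, err := kc.DecryptRecord(kek, rec)
	fmt.Println(string(pt), err)
}
```

Two design points carry over to any deployment of this shape. The `Keychain` struct holds nothing in plaintext, which is what lets its storage (a file, a blob store) be untrusted, and the signature check in `OpenKEK` runs before any use of the MEK, so an altered keychain is rejected rather than partially decrypted. Separately, each record carries its DEK version as authenticated data, which is what makes key rollover safe: old records keep decrypting under their own version while new writes move to the latest one.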
Who has access to keys?
For the Crypteron managed security platform, Crypteron uses multiple layers of encryption so that no one at Crypteron has direct access to any data encryption keys (DEKs) or key encryption keys (KEKs). To balance business continuity against limited distribution, only the CEO and CTO have access to the master elliptic curve encryption key, and only the CEO has access to the master elliptic curve signing key.
For enterprise, self-hosted plans, the customer organization controls key access – typically the CTO or security manager. Crypteron has no access to any keys.
Where are the keys stored?
For the Crypteron managed security platform, storage is as follows:
- The encrypted DEKs are kept in a secure database. They are encrypted at-rest as well as in-transit.
- The encrypted KEKs are stored in an internal NoSQL datastore. They are encrypted at-rest as well as in-transit.
- The master elliptic curve encryption key (technically the private key for decryption) is stored on the application server inside a secured certificate vault. A long term, encrypted copy is stored on an offline encrypted volume for business continuity purposes.
For enterprise self-hosted plans, the organization controls how keys can be stored. Typically it is as follows:
- The encrypted DEKs are stored in an internal NoSQL datastore – the keychain file, which can be on the application server or on an external file or blob server. Such underlying storage can technically be untrusted since the keychain is always encrypted.
- The elliptic curve keys are stored on the application server inside a secured certificate vault. We recommend keeping a long term encrypted copy at a secure location for business continuity purposes.
How are keys backed up?
For the Crypteron managed security platform, the data recovery plan includes hourly checkpoints spanning more than a month, with additional longer-term backups outside that boundary. The data is also triple replicated across fault zones on the US West coast and is actively mirrored in another data center on the US East coast to protect against earthquakes and the like. At a minimum, there are 6 coherent copies of the data for redundancy and failover. As a reminder, all of the above is fully encrypted in transit and at rest.
For Crypteron’s enterprise self-hosted plan, the organization runs everything on their own infrastructure, fully isolated from the public internet and so must have their own data recovery plan. We recommend keeping multiple copies of the keychain file, which is always encrypted. We also recommend secure storage of the master elliptic curve encryption and signing keys.
How is key custodian enabled to protect the keys?
For the Crypteron managed security platform, customers should only have their security officer (or equivalent) access the Crypteron management portal. From this portal, the security officer can perform all the duties expected of a key custodian, ranging from high-level start/stop of the key management server to low-level access controls on individual keys.
How is the security of key storage ensured?
Keying material stored in key storage is itself always encrypted and those encryption keys are stored physically separate from the key storage. Please see above for details.
How will split-knowledge and dual-controls for rotation and deletion be supported?
Crypteron will support this via multifactor authentication of privileged operations such as key rotation and deletion.
What is supported for access auditing, logging, and strong access controls?
Changes to an app’s security partitions (e.g. rolling over a key) are logged for audit purposes. Additional logging events are in development for our higher grade plans.
What SLA does Crypteron provide?
For the Crypteron managed security platform, paid plans have a 99.95% SLA with prorated service credit to customers. Free or trial plans do not have an SLA.
For the enterprise self-hosted plan, the customer organization is responsible for its own SLA.
For more details, view our complete Service Level Agreement.
Does Crypteron maintain a Business Continuity Plan?
Crypteron maintains a confidential business continuity plan to support its mission of always-on services. Every major role has both a primary and a secondary person, with an emergency action plan and emergency contact list.
And since we’re asked during compliance checklists: in the extremely unlikely case that Crypteron decides to discontinue its data security platform, we are committed to providing every paid subscription the ability to continue operations via one or more options, such as providing a self-hosted solution, exporting the encryption keys, or providing sufficient notice to allow decryption of data for migration into another system.
Where is your FIPS 140-2 report?
The NIST website has the FIPS 140-2 report for the underlying cryptographic library under certificates 2356 and 2357. Our entry-level plans are not FIPS 140-2 enabled.