Security Questions on Keys used for Secret Encryption

Overview

This article answers the following security questions related to keys used for secret encryption.

  • What type and length of key is used for secret encryption? For example, a 32-bit AES key or a 3DES key.
  • What mode of encryption is used? For example, GCM or CBC.
  • Where is this key stored? Is it stored in an Azure Key Vault?
  • Is there a master key used for encrypting individual keys? If so, what are the specifications for the master key, and where is it stored?

Applies To

  • Secret Encryption

Solution

The following are the answers:

  • Auth0 encrypts data at rest using AES-256. Data in transit is encrypted using TLS, with versions 1.2 and later allowed.
  • Volume-level data encryption uses AES-256-GCM through AWS EBS encryption. Field-level data encryption uses AES-256-CBC with a symmetric key and HMAC-SHA-256.
  • Tenant keys are 2048-bit RSA key pairs, unique per tenant. Tenant signing keys and secrets are stored encrypted in separate databases; the tenant signing keys are 2048-bit RSA asymmetric signing key pairs stored securely under AES 256-bit encryption.
  • Customer sensitive data encryption keys and the service configuration and secrets of Auth0's Secure Identity Platform are stored in the AWS Parameter Store, where each SecureString value is encrypted using AES 256-bit symmetric encryption with customer master keys held in AWS KMS.
  • A symmetric customer key, or the private portion of an asymmetric customer key, cannot be exported from the KMS.
  • For password hashing, Auth0 uses the bcrypt password hashing algorithm with a 128-bit salt and 10 rounds.
  • Rules secrets are also encrypted with AES-256-CBC and HMAC-SHA-256. Actions secrets use AES-256-GCM. Secrets related to MFA are also stored with AES-256-GCM.
    • Note: the field-level data encryption algorithm is expected to change in the future (no defined date yet) from AES-256-CBC + HMAC-SHA-256 to AES-256-GCM.