Data Encryption¶
Securing access through encrypted central vault¶
The encrypted centralized vault forms the core of Securden Password Vault for Enterprises. The vault is a completely access controlled, highly available server instance hosted on AWS cloud. While the server manages the business logic, end users can access it through a web browser.
Design of the vault¶
Each customer’s data is completely segregated and stored in the database. Each customer segment can be considered a separate database since each customer’s data in the database will be encrypted using a unique encryption key.
Encryption key management¶
The unique encryption key is generated automatically and stored in Amazon’s Key Management Solution and cannot be accessed by anyone outside your organization. This is ensured by enforcing the use of AWS CloudHSM keystores for encrypting and decrypting the database using the key.
Whenever a customer’s data is in the queue for decryption or encryption, a separate slot is created with the corresponding key. The key is stored in an unextractable form by the key management system within the CloudHSM cluster.
Data integrity¶
An organisation’s data stored in the Securden database cannot be accessed by anyone outside the organization. Even if outsiders try to infiltrate, they get access only to the encrypted data. It cannot be deciphered in plain text without the encryption key.
FIPS compliant¶
Securden Password Vault for Enterprises can be configured to operate in FIPS-compliant mode, ensuring that all encryption processes are performed using FIPS-certified systems and libraries.
Design Highlights
- AES-256 data encryption
- Every new installation is stored in a separate database
- Encryption key is stored in Amazon KMS and all cryptographic operations are handled within a CloudHSM cluster
- FIPS-compliant mode