Skip to content

Data Encryption

The design of the vault

Every installation is secured with an automatically generated, unique random key. The key serves as the master key for various encryption operations in the digital vault.

Data storage

All sensitive data gets stored in an encrypted form inside the digital vault. Securden uses the AES-256 algorithm to do the encryption.

  • The sensitive data provided as input to the Securden server is encrypted using the unique installation key. This happens at the application level.

  • The encrypted data is securely stored in the database.

Data integrity

  • The encryption key cannot be held together with the encrypted data.

  • The encryption key is needed only for starting the Securden Password Vault. It has to be kept somewhere outside and made available to the Securden server during startup.

Even if the database gets into a malicious user’s hands, sensitive data cannot be deciphered in plain text without the installation key.

Database connections

The database accepts only secure connections. Clients can connect only from the same localhost. In high availability configuration, where the server and the database run on different servers, the database accepts connections only from specific IP addresses.

FIPS compliant

Securden Password Vault for Enterprises can be configured to operate in FIPS-compliant mode, ensuring that all encryption processes are performed using FIPS-certified systems and libraries.

Securosys HSM

Securden Password Vault for Enterprises additionally offers support for Securosys HSM, allowing users to store and manage the master encryption key in Securosys.

Multi-tenant architecture

Securden Password Vault for Enterprises also provides an MSP edition designed to facilitate multi-tenancy and secure data segregation among different client organizations.

Design Highlights

Data Encryption and Storage

  • AES-256 encryption
  • Encryption key separated from encrypted data
  • FIPS-complaint mode
  • Securosys HSM for storgae and management of master encryption key
  • Multi-tenant architecture