CloudSoda encrypts sensitive information at rest using the XSalsa20 stream cipher (symmetric key) with a unique nonce per secret/credential/password. The sensitive information is encrypted just before it is written to the database, ensuring it is never stored in plaintext. Furthermore, once the secret is persisted to the database, it can never be publicly accessed again, either through the UI or API. The symmetric key is uniquely generated at the time of deployment and is set as an environment variable in the service that handles access to the secret information. The nonce is stored in a column in the table alongside the secret it encrypts. When a record is read from the database, it is immediately decrypted after being scanned and then used by the agent to access the storage.
Comments
0 comments
Please sign in to leave a comment.