At Enkryptify, security is the cornerstone of our platform. Our security program is built on the principles of confidentiality, integrity, and availability. We maintain security controls that undergo regular internal assessments and external security reviews to ensure the highest standards of protection for our customers’ data.

Security Framework

We follow industry best practices and maintain a robust security framework focused on protecting customer data. Our security controls are continuously monitored and updated to adapt to evolving threats. We conduct regular security assessments and penetration testing to validate the effectiveness of our security measures and identify areas for improvement.

Infrastructure and Data Flow Architecture

Our infrastructure employs a defense-in-depth approach with multiple security zones. The frontend is hosted on Vercel, utilizing Next.js 15 in a serverless architecture. All traffic to our services is routed through Cloudflare, which enforces TLS with HSTS and requires a minimum of TLS 1.2. Traffic from Cloudflare is proxied over TLS 1.2/1.3 to our backend services.

Our backend services run in private VPCs within EU-based data centers, with distinct primary and failover compute infrastructure. The backend is built using TypeScript and Fastify, hosted on secure Hetzner servers. For database operations, we utilize PostgreSQL hosted on NeonDB with comprehensive backup and failover capabilities.

Zero-Knowledge Architecture and Encryption

Enkryptify employs a zero-knowledge-first approach to secret management. All secrets are encrypted on the client side before they reach our API, so our servers never have access to unencrypted secret values. We implement a 4-layer encryption strategy:

Client-Side Encryption

  • Personal Key: When a user logs in, a private key is derived locally using 600,000 rounds of PBKDF2 with SHA-256, producing an xsalsa20-poly1305 key for use with the TweetNaCl.js library. This key is used to encrypt the project key and is never transmitted to the server.

  • Projects: Upon project creation, a randomly generated project key is encrypted using the user’s personal key. The encrypted project key is stored on the server, while the plaintext version remains only temporarily in client memory.

  • Secrets: Each secret is encrypted individually with the project key using xsalsa20-poly1305 and is never stored in plaintext on the server.

Server-Side Encryption

  • Secrets: The second layer of encryption is applied on the server side using AES-256-GCM, a well-known algorithm that has been extensively tested and is widely used and accepted in the industry.

  • Database: All data written to disk by the database is encrypted using AES-256.

Access Control

The RBAC system currently works at the workspace level, meaning that permissions apply to the entire workspace. We will change this in the future to allow team- or project-specific permissions.

Our Role-Based Access Control (RBAC) system follows the principle of least privilege, with clearly defined roles and responsibilities.

  • The Owner role, which is the default for workspace creators, cannot be removed from a workspace.
  • Admins have comprehensive management capabilities for users, roles, teams, projects, and secrets.
  • Developers are granted permissions to manage project secrets.
  • Members can access the workspace and projects but cannot make edits.
  • The No-Access role restricts all workspace and project access.

For our enterprise customers, we offer a more sophisticated access control system that enables custom role definitions for teams or specific projects.

Authentication

We plan to rewrite the authentication system to allow MFA, SSO, password reset and much more.

Our current authentication system supports email and password authentication. On our roadmap, we are implementing mandatory Multi-Factor Authentication (MFA) for all accounts with admin access. Enterprise customers have access to Single Sign-On (SSO) capabilities. For password storage, we use argon2id hashing with 19KiB of memory, an iteration count of 2, and a degree of parallelism of 1, following OWASP recommendations.

Employee Access and Training

Access to production systems by employees of Enkryptify requires MFA, and all access is logged and regularly reviewed. We maintain strict controls over employee access to customer data, requiring explicit customer approval for any support-related access.

Contact and Reporting

For security-related inquiries or to report potential vulnerabilities, please contact our security team at security@enkryptify.com. We encourage responsible disclosure and work closely with security researchers to maintain the highest security standards.

Last updated: 27 Nov. 2024