Encryption

How Curiosity encrypts your data on a workspace

Encryption in Transit

Cloud-based workspaces have their in-transit communications to and from the workspace encrypted using the standard HTTPS protocol with TLS 1.2 and above. They are also protected by Cloudflare against abuse and DDoS attacks. This applies to all communications between the browser and the workspace, between the workspace and external integrations, and between custom integrations and the workspace.

Encryption at Rest

Cloud-based workspaces have their storage encrypted at rest using AES-256 with a unique per-workspace encryption key. Workspaces deployed on-premises, or locally for development, can also be encrypted at rest by setting up the encryption key during initialization. To enable this, pass a securely generated encryption key in the environment variable MSK_GRAPH_MASTER_KEY.

The encryption key must be 32 bytes long and encoded using Base64.

Generating a key on macOS / Linux

You can generate a valid random key using the following command on your terminal:

head -c 32 /dev/urandom | base64

Generating a key on Windows

You can generate a valid random key using the following command on PowerShell:

# Allocate a 32-byte buffer and fill it from the cryptographic random number generator.
$bytes = [byte[]]::new(32)
$random = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$random.GetBytes($bytes)
# Base64-encode the 32 bytes (a 44-character string ending in '=') and print it.
$key = [System.Convert]::ToBase64String($bytes)
echo $key
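The following script is an added example and is not part of the Curiosity documentation or tooling. It generates a key exactly as the macOS/Linux command above does, and adds the check a practitioner wants before starting a workspace: that the value destined for MSK_GRAPH_MASTER_KEY is well-formed Base64 and decodes to exactly 32 bytes. The function names (generate_master_key, validate_master_key, check_env_master_key) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Curiosity documentation: generate a master key
# the way the page describes, and verify that a value intended for
# MSK_GRAPH_MASTER_KEY really is Base64 that decodes to exactly 32 bytes.
# The function names below are this example's own, not Curiosity tooling.

# Generate a fresh 32-byte random key, Base64-encoded, without a trailing newline
# (a stray newline captured into a variable would otherwise corrupt the key).
generate_master_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Return 0 if "$1" is valid Base64 that decodes to exactly 32 bytes, 1 otherwise.
# Note: `base64 -d` is GNU/busybox/recent macOS syntax; older macOS uses `-D`.
validate_master_key() {
    key="$1"

    # Reject an empty value or anything outside the Base64 alphabet and padding.
    case "$key" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac

    # Reject input the decoder itself refuses (bad padding, wrong length).
    printf '%s' "$key" | base64 -d >/dev/null 2>&1 || return 1

    # Count the decoded bytes; `tr` strips the whitespace some `wc` builds print.
    decoded_len=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' \t')
    [ "$decoded_len" -eq 32 ]
}

# Validate the key currently exported as MSK_GRAPH_MASTER_KEY (the variable the
# workspace reads at initialization). Prints a diagnostic and returns 1 on failure.
check_env_master_key() {
    if validate_master_key "${MSK_GRAPH_MASTER_KEY:-}"; then
        echo "MSK_GRAPH_MASTER_KEY: ok (Base64, decodes to 32 bytes)"
        return 0
    fi
    echo "MSK_GRAPH_MASTER_KEY is missing, not Base64, or does not decode to 32 bytes" >&2
    return 1
}

# Stand-alone usage (`sh keycheck.sh demo`): generate a key, export it, check it.
if [ "${1:-}" = "demo" ]; then
    MSK_GRAPH_MASTER_KEY=$(generate_master_key)
    export MSK_GRAPH_MASTER_KEY
    check_env_master_key
fi
```

Run check_env_master_key in the same shell that will launch the workspace, after the key has been exported or injected from your secrets store: a key that is 16 bytes, wrapped across lines, or pasted with a trailing newline fails the check rather than silently producing a workspace whose data cannot be decrypted later.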

Store this key in a safe place: if you lose access to the key, you lose access to all data inside the Curiosity workspace. When deploying Curiosity on an orchestration platform, it is recommended to keep the key in Kubernetes Secrets or OpenShift Secrets, or in the equivalent secrets vault of your cloud provider.
