Encryption
How Curiosity encrypts your data on a workspace
Encryption in Transit
Cloud-based workspaces have their in-transit communications to and from the workspace encrypted using the standard HTTPS protocol, using TLS 1.2 and above. They're also protected by Cloudflare against abuse and DDOS attacks. This applies for all communications between the browser and the workspace, between the workspace and external integrations, and between custom integrations and the workspace.
Encryption at Rest
Cloud-based workspaces have their storage encrypted at rest using AES256, using a per-workspace unique encryption key. Workspaces deployed on-premises or locally for development, can also be encrypted at rest by setting up the encryption key as required during initialization. In order to enable that, pass a secure encryption key using the environment variable MSK_GRAPH_MASTER_KEY
.
The encryption key must be 32 bytes long and encoded using BASE64.
Generating a key on macOS / Linux
You can generate a valid random key using the following command on your terminal:
Generating a key on Windows
You can generate a valid random key using the following command on PowerShell:
Please store this key in a safe place, as you'll lose access to any data inside a Curiosity workspace in case you lose access to it. It is recommended to use a Kubernetes Secrets or OpenShift Secrets when deploying Curiosity using an orchestration platform, or the equivalent Secrets Vault of your cloud provider.
Last updated