
Security

This document covers the most important security topics to understand when using Tower.

Data at Rest: Envelope Encryption

Tower uses envelope encryption for securing all data at rest. This means your data is encrypted using industry-standard AES-256 encryption, and the encryption keys themselves are also encrypted and managed by a secure key management system.

The following assets are encrypted using our envelope encryption practice:

  • Apps (packages)
  • Secrets
  • Catalogs

What is Envelope Encryption?

Envelope encryption is a method of securing data in two layers, using a combination of data encryption keys (DEKs) and key encryption keys (KEKs). First, the data is encrypted using a DEK that is unique to each dataset. Then the DEK itself is encrypted with a KEK, which is typically managed by a secure key management system (KMS). This approach enhances security by limiting exposure of the DEK and simplifies key management, because only the much smaller set of KEKs needs to be securely stored and rotated.
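The two layers described above, as an added Go example (standard library only; not Tower's code). Two random 32-byte keys stand in for KMS-held KEKs, the record layout (`EnvelopeRecord`) and the sample payload are constructed for illustration, and the KEK ID is bound to the wrapped DEK as GCM associated data so a record cannot be silently re-pointed at a different KEK. `RotateKEK` shows why only KEKs need rotating: the data ciphertext is never touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is what is stored at rest: the data ciphertext plus the DEK wrapped
// under a KEK. The KEK is never stored with it; KEKID only names which KEK (held in a
// KMS in the real system) can unwrap the DEK. Layout is this example's, not Tower's.
type EnvelopeRecord struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), with KEKID as AAD
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data)
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce; output is nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or any tampering fails the GCM tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt generates a fresh 32-byte DEK for this dataset, encrypts the data with it,
// and wraps only the DEK under the KEK.
func Encrypt(kekID string, kek, data []byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, data, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(kekID))
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data with the DEK.
func Decrypt(kek []byte, rec *EnvelopeRecord) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK and leaves the data ciphertext untouched,
// which is why rotating KEKs stays cheap however large the dataset is.
func RotateKEK(rec *EnvelopeRecord, oldKEK []byte, newKEKID string, newKEK []byte) error {
	dek, err := open(oldKEK, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, []byte(newKEKID))
	if err != nil {
		return err
	}
	rec.KEKID, rec.WrappedDEK = newKEKID, wrapped
	return nil
}

func main() {
	// Constructed sample: two random KEKs standing in for KMS keys.
	kek1, kek2 := make([]byte, 32), make([]byte, 32)
	rand.Read(kek1)
	rand.Read(kek2)
	rec, _ := Encrypt("kek-v1", kek1, []byte("constructed secret value"))
	_ = RotateKEK(rec, kek1, "kek-v2", kek2)
	pt, err := Decrypt(kek2, rec)
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
}
```

In a real deployment the `seal`/`open` calls on the KEK are replaced by KMS Encrypt/Decrypt (or GenerateDataKey) API calls, so the KEK bytes never exist in the application process; the DEK and data handling stay exactly as shown.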

Key Management

Tower uses AWS KMS for key management, which keeps the key material out of reach of Tower employees. This means that Tower employees can never decrypt your sensitive data.

Data in Transit: Hybrid Encryption

Tower uses a hybrid encryption approach that combines RSA and AES-GCM for secure data transmission. This provides both the security of asymmetric encryption and the performance benefits of symmetric encryption.

How Hybrid Encryption Works

Our hybrid encryption process works in two stages:

  1. Symmetric Encryption (AES-256-GCM):

    • A random 32-byte AES key is generated for each message
    • A random 12-byte initialization vector (IV) is generated
    • The message is encrypted using AES-256-GCM with the generated key and IV
    • This provides efficient encryption of the actual data
  2. Asymmetric Encryption (RSA-2048):

    • The AES key is encrypted using an RSA public key provided by the user with OAEP padding
    • SHA-256 is used as the hash function for OAEP
    • This ensures secure key exchange

The final encrypted message consists of:

  • RSA-encrypted AES key
  • 12-byte IV
  • AES-GCM encrypted message

All components are base64 encoded for transmission.

Public Key Cryptography

Tower uses RSA with OAEP padding for secure key exchange. This ensures that sensitive data can be securely transmitted between clients and the Tower service.

The following assets require encryption using our public key:

  • Secrets
  • Catalogs

How Secret Encryption Works

  1. When submitting a secret to Tower:

    • Clients fetch a published RSA public key from the Tower API
    • The secret is encrypted using our hybrid encryption approach
    • The result is sent to the Tower service
  2. When Tower receives an encrypted secret:

    • The data is base64 decoded
    • The RSA-encrypted AES key is decrypted using Tower's private key
    • The AES key is used to decrypt the actual secret
    • The secret is then re-encrypted using envelope encryption for storage

How Catalog Encryption Works

  1. When submitting a catalog to Tower:

    • Clients fetch a published RSA public key from the Tower API
    • Each catalog property is encrypted using our hybrid encryption approach
    • The result is sent to the Tower service
  2. When Tower receives an encrypted catalog:

    • The data is base64 decoded
    • For each catalog property, the RSA-encrypted AES key is decrypted using Tower's private key, and that AES key is used to decrypt the property
    • Each catalog property is then re-encrypted using envelope encryption for storage
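The hybrid scheme from "How Hybrid Encryption Works", the secret flow and the per-property catalog flow above, as one added Go example (standard library only; not Tower's client or service code). Assumptions: `NewKeyPair` generates a local RSA-2048 key in place of the public key a client would fetch from the Tower API; carrying the three base64 components as three named fields of `HybridMessage` is this example's layout, since the page does not specify the wire format; the catalog properties are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// HybridMessage holds the three components the page lists, each base64 encoded.
// Three named fields is this example's layout, not Tower's actual wire format.
type HybridMessage struct {
	EncryptedKey string // RSA-2048 OAEP (SHA-256) of the 32-byte AES key
	IV           string // 12 random bytes
	Ciphertext   string // AES-256-GCM output with the 16-byte tag appended
}

var b64 = base64.StdEncoding

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HybridEncrypt is the client side: fresh key and IV for every message, AES-256-GCM
// on the data, then RSA-OAEP with SHA-256 on the key using the published public key.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*HybridMessage, error) {
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &HybridMessage{
		EncryptedKey: b64.EncodeToString(wrappedKey),
		IV:           b64.EncodeToString(iv),
		Ciphertext:   b64.EncodeToString(g.Seal(nil, iv, plaintext, nil)),
	}, nil
}

// HybridDecrypt is the service side: base64 decode, unwrap the AES key with the
// private key, then AES-GCM decrypt. A modified IV or ciphertext fails the tag check.
func HybridDecrypt(priv *rsa.PrivateKey, m *HybridMessage) ([]byte, error) {
	parts := make([][]byte, 3)
	for i, s := range []string{m.EncryptedKey, m.IV, m.Ciphertext} {
		b, err := b64.DecodeString(s)
		if err != nil {
			return nil, fmt.Errorf("base64 decode: %w", err)
		}
		parts[i] = b
	}
	wrappedKey, iv, ct := parts[0], parts[1], parts[2]
	if len(iv) != 12 { // GCM Open panics on a wrong nonce size, so reject it first
		return nil, errors.New("IV must be 12 bytes")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap AES key: %w", err)
	}
	if len(key) != 32 { // anything else would silently select AES-128/192
		return nil, errors.New("unwrapped key is not 32 bytes")
	}
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, iv, ct, nil)
}

// EncryptCatalog applies the scheme once per property, as the catalog flow does,
// so every property travels under its own AES key and IV.
func EncryptCatalog(pub *rsa.PublicKey, props map[string]string) (map[string]*HybridMessage, error) {
	out := make(map[string]*HybridMessage, len(props))
	for name, value := range props {
		m, err := HybridEncrypt(pub, []byte(value))
		if err != nil {
			return nil, err
		}
		out[name] = m
	}
	return out, nil
}

// NewKeyPair stands in for Tower's key; a real client only ever sees the public half.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	priv, _ := NewKeyPair()
	m, _ := HybridEncrypt(&priv.PublicKey, []byte("constructed secret"))
	pt, err := HybridDecrypt(priv, m)
	fmt.Printf("%q err=%v\n", pt, err)
}
```

On the service side the decrypted value is never kept as shown here; per the flow above it is immediately re-encrypted with envelope encryption for storage.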

Transport Layer Security

Tower services use transport layer security (TLS 1.3) for all communications. This provides an additional layer of security for data in transit.

What is Transport Layer Security?

TLS is a cryptographic protocol that ensures secure communication over a network. It provides:

  • Encryption of data in transit
  • Authentication of communicating parties
  • Integrity verification of transmitted data

TLS 1.3 is the latest version of the protocol and provides enhanced security features compared to previous versions.
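A check for the TLS 1.3 requirement above, as an added Go example (standard library only; not Tower's code). It is assumed that the server is a local `httptest` instance with a self-signed certificate standing in for a Tower endpoint; the point it shows is that a TLS 1.3 minimum on the server yields a TLS 1.3 session for a modern client and an outright handshake failure, not a downgrade, for a client that can only offer TLS 1.2.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewTLS13Server starts a local HTTPS server (self-signed certificate supplied by
// httptest, standing in for a Tower service) that refuses anything below TLS 1.3.
func NewTLS13Server() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "negotiated TLS version 0x%04x\n", r.TLS.Version)
	}))
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS13}
	srv.StartTLS()
	return srv
}

// negotiate connects with a client capped at maxVersion and reports the version
// that was actually agreed, or the handshake error.
func negotiate(srv *httptest.Server, maxVersion uint16) (uint16, error) {
	// Clone the test client's transport so we keep its trust in the test CA
	// but get our own version bounds and connection pool.
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.MinVersion = tls.VersionTLS12
	tr.TLSClientConfig.MaxVersion = maxVersion
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.TLS.Version, nil
}

// Probe is the check an operator would run: a current client must land on TLS 1.3,
// and a client that can only do TLS 1.2 must be refused rather than downgraded.
func Probe(srv *httptest.Server) (negotiated uint16, legacyRejected bool, err error) {
	negotiated, err = negotiate(srv, tls.VersionTLS13)
	if err != nil {
		return 0, false, err
	}
	_, legacyErr := negotiate(srv, tls.VersionTLS12)
	return negotiated, legacyErr != nil, nil
}

func main() {
	srv := NewTLS13Server()
	defer srv.Close()
	v, rejected, err := Probe(srv)
	fmt.Printf("negotiated=0x%04x tls12ClientRejected=%v err=%v\n", v, rejected, err)
}
```

Against a real endpoint the same probe is `http.Client` with `MaxVersion: tls.VersionTLS12` and no custom RootCAs; a successful response there would mean the server still accepts TLS 1.2.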