encrypted data

Showing results for 
Search instead for 
Do you mean 
Reply
Participant I
Posts: 1
Registered: ‎03-16-2017
#1 of 3 1,784

encrypted data

How is this data encrypted and which algorithm is used for the data stored in secrets after installing the CPS

Master V
Posts: 409
Registered: ‎01-05-2015
#2 of 3 1,751

Re: encrypted data

Welcome to the community @Rooster_2014! I've asked your account team to reach out to you directly. Please do not hesitate to send me a private message if you have any additional questions.

 

Regards,

AntonC
Community Manager


Community FAQ | Documentation | Support Portal | Centrify Trust | @CentrifySupport on Twitter
Follow Centrify:
Giving Kudos is a great way to thank our community contributors!
Problem Solved? Click "Accepted as Solution" so this information can help other users.

These opinions are my own and do not necessarily reflect the views and opinions of my employer.
Centrify Guru I
Posts: 2,411
Registered: ‎07-26-2012
#3 of 3 1,722

Re: encrypted data

[ Edited ]

@Rooster_2014,

 

If you're a customer of the SaaS service, please read the information on the trust site (www.centrify.com/trust).  In short, the minimum algorithm is SHA256 and we use the internal CA for each tenant as an additional confidentiality mechanism (encryption at rest and encryption in transit + publicly rooted SSL cert). 

 

Note that privilege service can also be deployed on premises and it's important to keep in mind that:

 

a) During Privilege Service setup, an internal CA is created and various certificates are automatically put in place

b) Just like the SaaS version, long-expiration, courtesy certs are generated like  an application signing certificate that is used for SAML assertions - note that you can use your own.
signcert.PNG

c) The Internal CA certificates can be leveraged by the connectors for services that rely on SPNEGO over HTTPS  (for example, MFA).

d) A certificate provided by the customer (with the private key) is needed for encryption in transit using the service name (the DNS name) for the service address (e.g. safe.example.com).  The algorithm/expiration depends on what the customer brings to the table.

e) If Smart Card authentiation is required, the service certificate (form step d) should also have the serviceaddress+zso DNS subject alternative name.

f) Integration with your own internal CA:  You can integrate your own internal CA by providing the root CA cert and the complete trust chain (with a properly deployed PKI).

 

Applications:

- Encryption at rest (e.g. tenant certificate) - this is to provide the assurance that only each independent tenant can read its own data.  In the case of privilege service on premises, encryption to the database service.

- Encryption in transit - SSL/TLS (1.2+) - depending on the application we may be doing double-encrpytion (SSL+ encrypted payload).

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Follow Centrify: