Security Controls
Firezone employs a few different security controls to keep data secure in transit and at rest.
Overview of Cryptography Used
Below is a table of cryptography used and to which contexts they apply.
Cryptography | Context | Notes |
---|---|---|
AES-GCM | Data at rest | Used to encrypt sensitive database fields such as device preshared keys and multi-factor authentication secrets. |
Argon2 | Data at rest | Used to hash user passwords for the local authentication method. |
TLSv1.2/TLSv1.3 | Data in transit | Used by the Caddy server to encrypt HTTP connections to the portal. Read more at https://caddyserver.com/docs/caddyfile/directives/tls. SSL certificates are provisioned automatically with the ACME protocol by Let's Encrypt by default. |
ChaCha20, Poly1305, Curve25519, BLAKE2s, SipHash24, HKDF | Data in transit | Used by WireGuard® for VPN tunnels. Read more at https://wireguard.com/protocol. Firezone uses Linux kernel WireGuard without modification. |
Security policy
We take security issues very seriously and strive to fix all security issues as soon as they're reported.
Announcements
We'll announce major security issues on our security mailing list located at:
https://discourse.firez.one/?utm_source=docs.firezone.dev
Supported Versions
We release security patches for supported versions of Firezone. We recommend running the latest version of Firezone at all times.
Reporting a Vulnerability
Please do not open a Github Issue for security issues you encounter.
Instead, please send an email to security AT firezone.dev
describing the issue
and we'll respond as soon as possible.
PGP Key
You may use the public key below to encrypt emails to
security AT firezone.dev
. You can also find this key at:
https://pgp.mit.edu/pks/lookup?op=get&search=0x45113BA04AD83D8A
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu
mDMEYYwK5BYJKwYBBAHaRw8BAQdA4ooDpwDy3V0wHCftM/LHD5e713LSr0SQy49joUMgHoS0
JkZpcmV6b25lIFNlY3VyaXR5IDxzZWN1cml0eUBmaXJlei5vbmU+iJoEExYKAEIWIQQlD4tW
gEEHBC38anNFETugStg9igUCYYwK5AIbAwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwEC
HgcCF4AACgkQRRE7oErYPYoORwEAiYi3arrcR2e5OfqsoAbCN0O6M0HWeo1K/ZoFWH2jLy0B
AMsWk58vepKqNhUKhuDb8bSjK8TOr/IxB63lSkQaz9MIuDgEYYwK5BIKKwYBBAGXVQEFAQEH
QPLzia/me7FOsFfAJKWm0X1qC5byv2GWn6LZPV013AdoAwEIB4h+BBgWCgAmFiEEJQ+LVoBB
BwQt/GpzRRE7oErYPYoFAmGMCuQCGwwFCQPCZwAACgkQRRE7oErYPYr0ZQEAig86wu+zrNiT
B4t3dk3psHRj+Kdn4uURLjUBZqYNvXoA+QEBUPtP7hNjum+1FrzYmHUFdCBA/cszz7x7PQ36
5gcE
=0gEr
-----END PGP PUBLIC KEY BLOCK-----