Security Controls

Firezone employs a few different security controls to keep data secure in transit and at rest.

Overview of Cryptography Used

Below is a table of cryptography used and to which contexts they apply.

CryptographyContextNotes
AES-GCMData at restUsed to encrypt sensitive database fields such as device preshared keys and multi-factor authentication secrets.
Argon2Data at restUsed to hash user passwords for the local authentication method.
TLSv1.2/TLSv1.3Data in transitUsed by the Caddy server to encrypt HTTP connections to the portal. Read more at https://caddyserver.com/docs/caddyfile/directives/tls. SSL certificates are provisioned automatically with the ACME protocol by Let's Encrypt by default.
ChaCha20, Poly1305, Curve25519, BLAKE2s, SipHash24, HKDFData in transitUsed by WireGuard® for VPN tunnels. Read more at https://wireguard.com/protocol. Firezone uses Linux kernel WireGuard without modification.

Security policy

We take security issues very seriously and strive to fix all security issues as soon as they're reported.

Announcements

We'll announce major security issues on our security mailing list located at:

https://discourse.firez.one/?utm_source=docs.firezone.dev

Supported Versions

We release security patches for supported versions of Firezone. We recommend running the latest version of Firezone at all times.

Reporting a Vulnerability

Please do not open a Github Issue for security issues you encounter. Instead, please send an email to security AT firezone.dev describing the issue and we'll respond as soon as possible.

PGP Key

You may use the public key below to encrypt emails to security AT firezone.dev. You can also find this key at:

https://pgp.mit.edu/pks/lookup?op=get&search=0x45113BA04AD83D8A

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu

mDMEYYwK5BYJKwYBBAHaRw8BAQdA4ooDpwDy3V0wHCftM/LHD5e713LSr0SQy49joUMgHoS0
JkZpcmV6b25lIFNlY3VyaXR5IDxzZWN1cml0eUBmaXJlei5vbmU+iJoEExYKAEIWIQQlD4tW
gEEHBC38anNFETugStg9igUCYYwK5AIbAwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwEC
HgcCF4AACgkQRRE7oErYPYoORwEAiYi3arrcR2e5OfqsoAbCN0O6M0HWeo1K/ZoFWH2jLy0B
AMsWk58vepKqNhUKhuDb8bSjK8TOr/IxB63lSkQaz9MIuDgEYYwK5BIKKwYBBAGXVQEFAQEH
QPLzia/me7FOsFfAJKWm0X1qC5byv2GWn6LZPV013AdoAwEIB4h+BBgWCgAmFiEEJQ+LVoBB
BwQt/GpzRRE7oErYPYoFAmGMCuQCGwwFCQPCZwAACgkQRRE7oErYPYr0ZQEAig86wu+zrNiT
B4t3dk3psHRj+Kdn4uURLjUBZqYNvXoA+QEBUPtP7hNjum+1FrzYmHUFdCBA/cszz7x7PQ36
5gcE
=0gEr
-----END PGP PUBLIC KEY BLOCK-----