Conjur uses industry-standard cryptography to protect your data.
There are several ways in which Conjur uses cryptography, each of which is described below. Much of Conjur's cryptography is implemented in the open-source project slosilo. Slosilo is essentially a wrapper around OpenSSL.
Conjur cryptography has been professionally audited. We responded to all audit findings with the release of Slosilo 2.0.
Most requests to Conjur require an authentication token. Short-lived tokens help secure identity, eliminate static access, and suit ephemeral environments that need dynamic access to systems.
An authentication token is an industry-standard JSON Web Token (JWT). It carries the host or user id along with the expiration timestamp and is cryptographically signed with a Conjur private key. The token-signing keys are RSA 2048 keys.
Conjur uses OpenSSL (see our slosilo open-source project) to generate the RSA 2048 key pair and to sign and validate tokens.
The JWT contains the following claims:
- sub The client's login name.
- iat Numeric timestamp at which the token was issued.
- exp (optional) Numeric timestamp at which the token will expire.
- cidr (optional) List of IP netmasks which the request bearing this token must match.
The protected JWS header should also include:
- alg Signature algorithm; only conjur.org/slosilo/v2 is accepted. See slosilo for the reference implementation.
- kid Fingerprint of the token-signing key.
Conjur access tokens are valid for 8 minutes from iat unless an exp claim dictates otherwise.
The signature algorithm and access token implementation was included in the cryptographic audit.
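The checks a token consumer has to perform on the header and claims listed above, as an added Ruby example that is not Conjur's or slosilo's own code. It assumes the flattened JWS JSON form (protected, payload, signature fields), computes the kid as a hex SHA-256 of the public key DER, and signs with plain RSA PKCS#1 v1.5 over SHA-256 as a stand-in for the real conjur.org/slosilo/v2 signature, whose definition lives in slosilo; the kid format, the signature stand-in, and the function names are assumptions. The 8-minute default lifetime and the alg and cidr rules are taken from the text.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'ipaddr'

# Values from the text above: the only accepted alg, and the 8-minute default lifetime.
EXPECTED_ALG = 'conjur.org/slosilo/v2'
DEFAULT_LIFETIME = 8 * 60 # seconds after iat, used only when exp is absent

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Stand-in fingerprint: hex SHA-256 of the public key's DER encoding.
# ASSUMPTION: slosilo defines its own fingerprint format; this one is illustrative.
def key_fingerprint(key)
  OpenSSL::Digest::SHA256.hexdigest(key.public_key.to_der)
end

# Build a token in the flattened JWS JSON form (protected / payload / signature).
# ASSUMPTION: the signature is plain RSA PKCS#1 v1.5 over SHA-256 of
# "protected.payload", a stand-in for the real conjur.org/slosilo/v2 algorithm.
def issue_token(signing_key, sub, iat:, exp: nil, cidr: nil)
  header = { 'alg' => EXPECTED_ALG, 'kid' => key_fingerprint(signing_key) }
  claims = { 'sub' => sub, 'iat' => iat }
  claims['exp'] = exp if exp
  claims['cidr'] = cidr if cidr
  protected_seg = b64url(JSON.generate(header))
  payload_seg = b64url(JSON.generate(claims))
  signature = signing_key.sign(OpenSSL::Digest::SHA256.new, "#{protected_seg}.#{payload_seg}")
  { 'protected' => protected_seg, 'payload' => payload_seg, 'signature' => b64url(signature) }
end

# Verify a token and return its claims; raise with the reason on any failure.
# public_keys maps kid => OpenSSL::PKey::RSA (public part only).
def verify_token(token, public_keys, now:, client_ip:)
  header = JSON.parse(Base64.urlsafe_decode64(token['protected']))
  raise "unexpected alg #{header['alg'].inspect}" unless header['alg'] == EXPECTED_ALG
  key = public_keys.fetch(header['kid']) { raise "unknown kid #{header['kid'].inspect}" }

  # Check the signature before trusting anything in the payload.
  signed_input = "#{token['protected']}.#{token['payload']}"
  signature = Base64.urlsafe_decode64(token['signature'])
  raise 'bad signature' unless key.verify(OpenSSL::Digest::SHA256.new, signature, signed_input)

  claims = JSON.parse(Base64.urlsafe_decode64(token['payload']))
  iat = claims['iat']
  raise 'missing or non-numeric iat' unless iat.is_a?(Integer)
  raise 'token not yet valid' if now < iat          # issued in the future
  exp = claims.fetch('exp', iat + DEFAULT_LIFETIME) # 8-minute default when exp is absent
  raise 'token expired' if now >= exp

  # cidr is a list of netmasks; the requesting address must fall inside at least one.
  if claims.key?('cidr')
    ip = IPAddr.new(client_ip)
    permitted = claims['cidr'].any? { |mask| IPAddr.new(mask).include?(ip) }
    raise "client #{client_ip} not permitted by cidr" unless permitted
  end
  claims
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed, throwaway key
  trusted = { key_fingerprint(key) => key.public_key }
  token = issue_token(key, 'host/myapp', iat: Time.now.to_i, cidr: ['10.0.0.0/8'])
  puts verify_token(token, trusted, now: Time.now.to_i, client_ip: '10.1.2.3').inspect
end
```

The order matters: the signature is checked against a key selected by kid before any claim is read, so an attacker-controlled payload cannot influence which key is used or which checks run. Only a known kid and the single accepted alg are honoured.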
Secrets and API keys are encrypted with AES-256-GCM and stored securely in the following manner:
- The Conjur service has a unique 256-bit master key (don't lose this!).
- Each value is encrypted with a unique encryption key.
- The unique key is encrypted with the master key.
- The encrypted unique key and the encrypted value are stored in the database.
Encryption and decryption of secret values was included in the cryptographic audit.
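The four-step storage scheme above, written out as an added Ruby example with OpenSSL; it is not Conjur's or slosilo's own implementation. The master key is constructed in-process for the demonstration, and using the resource id as GCM additional authenticated data (so a stored record cannot be re-attached to a different resource) is an assumption of this example, as are the function and field names.

```ruby
require 'openssl'

# Constructed for this example: a throwaway 256-bit master key. In a real
# deployment it comes from Conjur's configuration and must be backed up.
MASTER_KEY = OpenSSL::Random.random_bytes(32)

# AES-256-GCM with a fresh random 96-bit IV; aad is authenticated but not encrypted.
# Note: OpenSSL rejects an empty plaintext in update, so callers pass non-empty values.
def aes_gcm_encrypt(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Raises OpenSSL::Cipher::CipherError if the ciphertext, tag, or aad was altered.
def aes_gcm_decrypt(key, blob, aad)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = key
  decipher.iv = blob[:iv]
  decipher.auth_tag = blob[:tag]
  decipher.auth_data = aad
  decipher.update(blob[:ciphertext]) + decipher.final
end

# Seal one secret the way the list above describes: a unique data key per value,
# the value encrypted under that key, and the data key encrypted under the master key.
# ASSUMPTION: the resource id is used as AAD so a record cannot be swapped between resources.
def seal_secret(master_key, resource_id, value)
  data_key = OpenSSL::Random.random_bytes(32)
  {
    resource_id: resource_id,
    wrapped_key: aes_gcm_encrypt(master_key, data_key, resource_id),
    sealed_value: aes_gcm_encrypt(data_key, value, resource_id)
  }
end

# Reverse: unwrap the data key with the master key, then decrypt the value.
def open_secret(master_key, record)
  data_key = aes_gcm_decrypt(master_key, record[:wrapped_key], record[:resource_id])
  aes_gcm_decrypt(data_key, record[:sealed_value], record[:resource_id])
end

if __FILE__ == $PROGRAM_NAME
  record = seal_secret(MASTER_KEY, 'prod/db/password', 'constructed-sample-value')
  puts "stored ciphertext: #{record[:sealed_value][:ciphertext].unpack1('H*')}"
  puts "recovered: #{open_secret(MASTER_KEY, record)}"
end
```

Only the wrapped key and the sealed value are persisted; the plaintext data key exists just long enough to encrypt or decrypt one value. Because the master key never touches a stored value directly, sealing the same secret twice yields unrelated ciphertexts, and losing the master key makes every wrapped key, and so every secret, unrecoverable.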
Passwords are stored in the Conjur database using bcrypt, with a work factor of 12.
Storage and verification of passwords was included in the cryptographic audit.