Architecture: Security Controls

Firezone employs a few different security controls to keep data secure in transit and at rest.

Overview of cryptography used

Below is a table of cryptography used and to which contexts they apply.

CryptographyContextNotes
AES-256-GCMData at restUsed to encrypt sensitive data that needs to be persisted, such as authentication tokens.
TLSv1.2/TLSv1.3Data in transitUsed to encrypt connections to the admin portal and control plane API.
ChaCha20, Poly1305, Curve25519, BLAKE2s, SipHash24, HKDFData in transitUsed by WireGuard® for VPN tunnels. Read more at https://wireguard.com/protocol. Firezone uses the boringtun WireGuard implementation.
SHA-256Data at restUsed to store hashed+salted randomly-generated authentication tokens.

Security policy

We take security issues very seriously and strive to fix all security issues as soon as they're reported.

Announcements

We'll announce major security issues on our security mailing list located at:

https://discourse.firez.one/?utm_source=docs.firezone.dev

Supported versions

We release security patches for supported versions of Firezone. We recommend running the latest version of Firezone at all times.

See upgrading for more on how to keep Firezone up to date.

Reporting a vulnerability

Please do not open a public GitHub issue for security issues you encounter.

Instead, use one of the following methods:

  • Report a vulnerability on GitHub. This will be visible to the Firezone security team but not the general public.
  • Send an email to security AT firezone.dev describing the issue and we'll respond as soon as possible.

PGP key

You may use the public key below to encrypt emails to security AT firezone.dev. You can also find this key at:

https://keys.openpgp.org/vks/v1/by-fingerprint/250F8B56804107042DFC6A7345113BA04AD83D8A

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 250F 8B56 8041 0704 2DFC  6A73 4511 3BA0 4AD8 3D8A
Comment: Firezone Security <security@firezone.dev>

xjMEYYwK5BYJKwYBBAHaRw8BAQdA4ooDpwDy3V0wHCftM/LHD5e713LSr0SQy49j
oUMgHoTNKUZpcmV6b25lIFNlY3VyaXR5IDxzZWN1cml0eUBmaXJlem9uZS5kZXY+
wpkEExYKAEECGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AWIQQlD4tWgEEH
BC38anNFETugStg9igUCZeCcnAUJCfgsNwAKCRBFETugStg9ikL1AQD/+saUW/kO
nKGEIRtUywFCTB2WYw8qMPuKeNs8Seg2OwEA5r4/dk1imdO0PEUFW+K8c5iI7erH
dgVdBasVaZstFgTCmQQTFgoAQQIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIX
gBYhBCUPi1aAQQcELfxqc0URO6BK2D2KBQJl3lQ0BQkIFLBQAAoJEEURO6BK2D2K
llgA/1RNbEtoTA+sd9l9YXLVu9nFgKUBbs9kZbjyWn3nZL0+AQDQ/j+RzxvSDYHw
u/ZGZukV99xywEeRugnQGJYaExZKC8KZBBMWCgBBAhsDBQsJCAcCAiICBhUKCQgL
AgQWAgMBAh4HAheAFiEEJQ+LVoBBBwQt/GpzRRE7oErYPYoFAmRrk3gFCQah75QA
CgkQRRE7oErYPYrr9AD/ecxrjiqXKiBSqvpjTQAS62C793OH5+BCD77HIJx53QMA
/04ToQzx3eAiD/xTc1sWixIq2ZYj+Xb+zLXlUx8AugEAzjgEYYwK5BIKKwYBBAGX
VQEFAQEHQPLzia/me7FOsFfAJKWm0X1qC5byv2GWn6LZPV013AdoAwEIB8J+BBgW
CgAmAhsMFiEEJQ+LVoBBBwQt/GpzRRE7oErYPYoFAmXgnM8FCQn4LGsACgkQRRE7
oErYPYrmagD8Drfj3tTJE1b7+kIjID0TMpTqB4/ghRHCxDs8t7uK/LAA/j1g/mbX
VpPejvDUfq4BBmKlqgQIoGsQuDt2TyYC8lQCwn4EGBYKACYCGwwWIQQlD4tWgEEH
BC38anNFETugStg9igUCZGuTYgUJBqHvfgAKCRBFETugStg9imPkAQCLuuSRgRul
WoYfGafZJeVv3s8hkvZH+EEhqOrUYtkm5QD9EXaELFVgOBmv0Ax4WUGfjnL6h4CP
IAuYUQ+MqN4MOQM=
=HwvF
-----END PGP PUBLIC KEY BLOCK-----

Need additional help?

Try asking on one of our community-powered support channels:

Or try searching the docs:
Last updated: May 20, 2024