Architecture: Security Controls
Firezone employs a few different security controls to keep data secure in transit and at rest.
Overview of cryptography used
Below is a table of cryptography used and to which contexts they apply.
| Cryptography | Context | Notes |
|---|---|---|
| AES-256-GCM | Data at rest | Used to encrypt sensitive data that needs to be persisted, such as authentication tokens. |
| TLSv1.2/TLSv1.3 | Data in transit | Used to encrypt connections to the admin portal and control plane API. |
| ChaCha20, Poly1305, Curve25519, BLAKE2s, SipHash24, HKDF | Data in transit | Used by WireGuard® for VPN tunnels. Read more at https://wireguard.com/protocol. Firezone uses the boringtun WireGuard implementation. |
| SHA-256 | Data at rest | Used to store hashed+salted randomly-generated authentication tokens. |
Security policy
We take security issues very seriously and strive to fix all security issues as soon as they're reported.
Announcements
We'll announce major security issues on our security mailing list located at:
https://discourse.firez.one/?utm_source=docs.firezone.dev
Supported versions
We release security patches for supported versions of Firezone. We recommend running the latest version of Firezone at all times.
See upgrading for more on how to keep Firezone up to date.
Reporting a vulnerability
Please do not open a public GitHub issue for security issues you encounter.
Instead, use one of the following methods:
- Report a vulnerability on GitHub. This will be visible to the Firezone security team but not the general public.
- Send an email to
security AT firezone.devdescribing the issue and we'll respond as soon as possible.
PGP key
You may use the public key below to encrypt emails to
security AT firezone.dev. You can also find this key at:
https://keys.openpgp.org/vks/v1/by-fingerprint/250F8B56804107042DFC6A7345113BA04AD83D8A
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: 250F 8B56 8041 0704 2DFC 6A73 4511 3BA0 4AD8 3D8A
Comment: Firezone Security <security@firezone.dev>
xjMEYYwK5BYJKwYBBAHaRw8BAQdA4ooDpwDy3V0wHCftM/LHD5e713LSr0SQy49j
oUMgHoTNKUZpcmV6b25lIFNlY3VyaXR5IDxzZWN1cml0eUBmaXJlem9uZS5kZXY+
wpkEExYKAEECGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AWIQQlD4tWgEEH
BC38anNFETugStg9igUCZeCcnAUJCfgsNwAKCRBFETugStg9ikL1AQD/+saUW/kO
nKGEIRtUywFCTB2WYw8qMPuKeNs8Seg2OwEA5r4/dk1imdO0PEUFW+K8c5iI7erH
dgVdBasVaZstFgTCmQQTFgoAQQIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIX
gBYhBCUPi1aAQQcELfxqc0URO6BK2D2KBQJl3lQ0BQkIFLBQAAoJEEURO6BK2D2K
llgA/1RNbEtoTA+sd9l9YXLVu9nFgKUBbs9kZbjyWn3nZL0+AQDQ/j+RzxvSDYHw
u/ZGZukV99xywEeRugnQGJYaExZKC8KZBBMWCgBBAhsDBQsJCAcCAiICBhUKCQgL
AgQWAgMBAh4HAheAFiEEJQ+LVoBBBwQt/GpzRRE7oErYPYoFAmRrk3gFCQah75QA
CgkQRRE7oErYPYrr9AD/ecxrjiqXKiBSqvpjTQAS62C793OH5+BCD77HIJx53QMA
/04ToQzx3eAiD/xTc1sWixIq2ZYj+Xb+zLXlUx8AugEAzjgEYYwK5BIKKwYBBAGX
VQEFAQEHQPLzia/me7FOsFfAJKWm0X1qC5byv2GWn6LZPV013AdoAwEIB8J+BBgW
CgAmAhsMFiEEJQ+LVoBBBwQt/GpzRRE7oErYPYoFAmXgnM8FCQn4LGsACgkQRRE7
oErYPYrmagD8Drfj3tTJE1b7+kIjID0TMpTqB4/ghRHCxDs8t7uK/LAA/j1g/mbX
VpPejvDUfq4BBmKlqgQIoGsQuDt2TyYC8lQCwn4EGBYKACYCGwwWIQQlD4tWgEEH
BC38anNFETugStg9igUCZGuTYgUJBqHvfgAKCRBFETugStg9imPkAQCLuuSRgRul
WoYfGafZJeVv3s8hkvZH+EEhqOrUYtkm5QD9EXaELFVgOBmv0Ax4WUGfjnL6h4CP
IAuYUQ+MqN4MOQM=
=HwvF
-----END PGP PUBLIC KEY BLOCK-----
Need additional help?
Try asking on one of our community-powered support channels:
- Discussion forums: Ask questions, report bugs, and suggest features.
- Discord server: Join discussions, meet other users, and chat with the Firezone team
- Email us: We read every message.