Encryption

Encryption Keys

migVisor uses the same keys for all customers except the metadata scanned by the collector, where the customer can choose to use dedicated keys for encryption.

Encryption Methods

Encryption at Transit

• migVisor Collector

  • Connection: HTTPS TLSv1.2

  • Scan output encryption: AES-256 encrypted single-key

    • Optional: Self-managed user-specified key

• migVisor Console

  • Connection: HTTPS TLSv1.2

  • SSL Certificate: RSA 2048 bits (SHA256withRSA)

  • Live Security Assessment Report: https://www.ssllabs.com/ssltest/analyze.html?d=console.migvisor.com

    

Encryption at Rest

• Storage: Compute Engine Disks

• Encryption: Google-managed encryption

  • Self-managed SSL encryption for GCP Admins

• Connection: Cloud SQL connection

Cloud SQL uses Google-managed data encryption keys (DEK) and key encryption keys (KEK) to encrypt the data in the following manner:

1. The DEK encrypts the data.

2. The KEK encrypts the DEK.

The Cloud SQL instance stores the encrypted DEK alongside the encrypted data on the PD and Google manages the Google KEK.

Files uploaded to migVisor are stored in Cloud Storage where data is kept encrypted on the server side using AES-256, mostly using Galois/Counter Mode (GCM).

All data that is stored by Google is encrypted at the storage layer using the Advanced Encryption Standard (AES) algorithm, AES-256.

Application analysis artifacts such as scanned data and uploaded files which make their way to migVisor’s Elasticsearch cluster and Cloud Storage respectively, are currently not being backed up as a part of our data retention policy. This is planned for when the application analysis feature will mature and become GA.

For more information, see https://cloud.google.com/docs/security/encryption/default-encryption.

Encryption Key Management

migVisor uses Google-managed data encryption keys and Google Cloud KMS as key management services.

Application-layer secrets encryption is configured in GKE and helm charts are encrypted to safely store application credentials.

Encryption keys use the Google symmetric key algorithm and are protected at the software level, currently with no defined retention policy. Software protection level is used to protect the integrity and confidentiality of cryptographic keys.

Cloud KMS uses the BoringCrypto module (BCM) for all cryptographic operations for software keys. 
The BCM is FIPS 140-2 validated. Cloud KMS software keys use FIPS 140-2 Level 1–validated Cryptographic Primitives of the BCM.

Access to the cryptographic keys is restricted to authorized users and services using Identity and Access Management (IAM) roles.

Data access logging is enabled and all key operations are captured in audit logs.