firezone/www/docs/reference/security-controls.mdx
Jamil 69335153ce Remove docs.firezone.dev CNAME (#1418)
This corresponds to step (1) of #1417
2023-02-09 15:19:19 -08:00


---
title: Security Controls
sidebar_position: 10
---

Firezone employs a few different security controls to keep data secure in
transit and at rest.

## Overview of Cryptography Used

The table below lists the cryptography Firezone uses and the context each applies to.

| Cryptography | Context | Notes |
| --- | --- | --- |
| AES-GCM | Data at rest | Used to encrypt sensitive database fields such as device preshared keys and multi-factor authentication secrets. |
| Argon2 | Data at rest | Used to hash user passwords for the local authentication method. |
| TLSv1.2/TLSv1.3 | Data in transit | Used by the Caddy server to encrypt HTTP connections to the portal. Read more at https://caddyserver.com/docs/caddyfile/directives/tls. By default, SSL certificates are provisioned automatically from Let's Encrypt using the ACME protocol. |
| ChaCha20, Poly1305, Curve25519, BLAKE2s, SipHash24, HKDF | Data in transit | Used by WireGuard® for VPN tunnels. Read more at https://wireguard.com/protocol. Firezone uses Linux kernel WireGuard without modification. |

## Security policy

We take security issues very seriously and strive to fix all security issues
as soon as they're reported.

### Announcements

We'll announce major security issues on our security mailing list located at:
https://discourse.firez.one/?utm_source=docs.firezone.dev

### Supported Versions

We release security patches for supported versions of Firezone. We recommend
running the latest version of Firezone at all times.

### Reporting a Vulnerability

Please **do not** open a GitHub Issue for security issues you encounter.
Instead, please send an email to `security AT firezone.dev` describing the issue
and we'll respond as soon as possible.

### PGP Key

You may use the public key below to encrypt emails to `security AT firezone.dev`.
You can also find this key at:
https://pgp.mit.edu/pks/lookup?op=get&search=0x45113BA04AD83D8A