All data within Data Control Tower is encrypted while in transit and at rest.
In Transit
Users see an SSL certificate from GoDaddy when they log in with their credentials into https://dataservices.delphix.com. All interactions between the client and Delphix web / API endpoints use this SSL certificate to secure communications. Once a Delphix Agent is installed on a Delphix Engine, it is registered with Data Control Tower and communicates only through a TLS 1.2 encrypted channel to https://api.delphix.com. Customer metadata is always transmitted internally and externally via encrypted channels. This includes metadata sent to the Data Control Tower from Delphix Engines, the metadata retrieved from the Data Control Tower, and presented to a user via a web browser, information accessed via Delphix Engine, or from any custom clients, our customers create using Delphix APIs.
A cipher suite is a set of algorithms to secure network connections that use Transport Layer Security (TLS). The following cipher suite configuration is used by Data Control Tower:
| TLS Protocol Version | TLS 1.2+ |
| Key Exchange | ECDHE |
| Authentication | ECDSA |
| Block/Stream | AES256 |
| Message Authentication | SHA256 |
| Authenticating Block | GCM |
At Rest
All data at rest within Data Control Tower is encrypted using Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) also known as AES-GCM. Delphix uses 256-bit encryption keys. The length of the initialization vector (IV) is always 12 bytes; the length of the authentication tag is always 16 bytes. These keys are issued and managed by Amazon Web Services KMS and tightly coupled with infrastructure components handling customer data.
Data Control Tower uses the data encryption key as an input to the HMAC-based extract-and-expand key derivation function (HKDF) to derive the AES-GCM encryption key. The Elliptic Curve Digital Signature Algorithm (ECDSA) signature is added to ensure the integrity of the package. The HKDF helps Delphix avoid accidental reuse of a data encryption key. Delphix is also using ECDSA and a message signing algorithm (SHA-384). Message signing verifies the identity of the message sender and adds message authenticity control to the envelope of encrypted data. The following diagram outlines the key components and their interactions supporting encryption at rest:
