Security Password and Key Storage Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Average Rating:
Security Password and Key Storage
Published: Jan 10, 2015   -   Updated: Nov 18, 2016

Please note: this page is no longer being updated and may not show current information.

Okta provides rigorous security measures and controls to protect our Production and Preview services. These controls are audited and attested to in our SOC 2 Type II report**. Additionally, Okta holds US-EU and US-Swiss Safe Harbor certifications.

Okta uses strong encryption to secure sensitive customer data. For example, we encrypt the unique customer SAML keys that are created to perform authentication on our customer users’ behalf. We also store and encrypt credentials that users submit for downstream SWA applications (apps), configured within their SSO environment.

Okta does not implement any proprietary encryption, and all customer data encryption is performed at the application layer.

The following illustrates the basic method, in which

  1. The passwords and keys for each customer org are encrypted using AES and a 256-bit, randomly generated symmetric key.
  2. This key-store, containing the customer symmetric encryption keys, is then encrypted with a Master Key that is held only in memory and only accessible to the Okta app.
  3. At startup, the app is provided a master passphrase allowing it to access, decrypt, and store the Master Key in memory.
  4. A technical operations administrator inputs the master passphrase. Only eight administrators know this master passphrase.

    Note: Since encryption and key management are occurring within the app, knowledge of the master passphrase does not preclude access to customer keys or customer data for the privileged administrators.

This process, using application level encryption, protects sensitive data, even in the event of partial compromise. As a result, attackers lack the ability to decrypt the data if armed with 2 out of 3 of the following: Master Key, Key Store, and/or the user's app context.

**This report can be made available under NDA. Contact Okta Support to initiate a request. 


Post a Comment