These docs are for v16. The latest docs are for v33.

Data Encryption

What data is stored in the database, and is it encrypted?

  • Non-sensitive configuration data/metadata is stored within the database in non-encrypted form. Access secrets, credentials and cryptographic keys are encrypted and stored in the keyvault segment of the database.

How much storage will I need for retaining session recordings?

  • SSH sessions take a few megabytes per hour.

  • RDP-session storage depends greatly on the circumstances, i.e. your screen resolution and how much data is processed and moved. Fullscreen video takes several gigabytes per hour (although this type of activity is not expected in most use cases), while administrative use with little animation on medium screen resolution takes approximately 100 megabytes per hour.

    Assuming 5 connections per hour at medium resolution, that is 600 MB per hour, or around 5 gigabytes per day for an 8-hour day (business hours only) and around 100 gigabytes per month. If recordings need to be kept for 12 months or so, somewhere around 1.2 TB will be needed. All of this depends on usage and retention needs.

    The previous calculation is based on 5 active sessions, Mon-Fri, 8 hours daily, but actual usage could be more or less. The best approach is to start with around 500 GB and monitor the growth for a few months to gain a more accurate view of the usage.

Where are session recordings stored and how are they secured?

  • Session recordings are stored in an NFS/EFS filesystem that you specify in the PrivX configuration. Recordings are secured using a three-tiered mechanism:

    1. AES-128 and GCM-based encryption
    2. Each trail file is secured with a unique key
    3. Each trail within a trail file is, in turn, also secured with a unique key

    The master key is stored in the keyvault, while the trail-specific keys are stored in the filesystem. Additionally, the trail-file names and dates are obfuscated on purpose, making it impossible to associate files with sessions.
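
The tiers described above can be sketched as envelope encryption with AES-128-GCM. This is an added example, not PrivX code: the wrapping order (master key wraps the trail-file key, which wraps the trail key), the nonce-prefixed blob layout, and the names `random`, `aead`, `Seal` and `Recover` are all assumptions, since the page does not document the on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// random returns n fresh random bytes; 16 bytes is one AES-128 key.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// aead builds AES-GCM for key and panics on a key that is not a valid AES length.
func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(blk) // cannot fail: AES always has a 128-bit block
	return g
}
// Seal encrypts pt under key and returns nonce || ciphertext || tag (assumed layout).
func Seal(key, pt []byte) []byte {
	nonce := random(12) // fresh 96-bit nonce, since upper-tier keys seal many blobs
	return aead(key).Seal(nonce, nonce, pt, nil)
}
// Recover opens each blob with the plaintext of the one before it, starting from master.
func Recover(master []byte, blobs ...[]byte) (out []byte, err error) {
	out = master
	for _, b := range blobs {
		if len(b) < 12 {
			return nil, fmt.Errorf("blob of %d bytes is shorter than a nonce", len(b))
		}
		if out, err = aead(out).Open(nil, b[:12], b[12:], nil); err != nil {
			return nil, err // wrong key, or the stored bytes were altered
		}
	}
	return out, nil
}
func main() {
	m, f, t := random(16), random(16), random(16) // master (keyvault), trail-file key, trail key
	data, err := Recover(m, Seal(m, f), Seal(f, t), Seal(t, []byte("constructed trail bytes")))
	fmt.Printf("%q %v\n", data, err)
}
```

In this sketch the wrapped keys and the trail data can all sit on the recording filesystem, because none of them opens without the master key, and GCM authentication rejects any blob that has been modified or truncated.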

What can HSMs be used to store?

  • Master/private keys can be stored within a supported HSM, which, if used, must be configured at initial setup. For more information about the supported HSM providers, see the articles under HSM Providers.