Tilig Security Details

  • Tilig runs in containers on Kubernetes, using EKS on AWS.
  • We run multiple containers.
  • We store all secrets in a PostgreSQL database, encrypted with AES-256 in EAX mode.
  • We encrypt the user key via KMS. The key to encrypt the user key is stored in AWS HSM.
  • All of our PostgreSQL databases are encrypted.
  • Your data is encrypted and stored in our encrypted database.
  • The user key is derived with PBKDF2 using 100,000 iterations. The user key is generated using a cryptographically secure random number generator.
  • The user key is encrypted using KMS and stored in AWS HSM.
  • In Kubernetes, our containers with database access run on encrypted networks.
  • You access your data over SSL in your browser, which is itself standard encryption.
  • Production AWS RDS has AWS standby nodes.
  • We do not use any scripts for syncing databases. AWS does all the syncing itself. Therefore, your secrets are not going to be stored in any logs.
  • Our logs do not and will not ever include any encrypted or decrypted secrets.
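
The key-derivation and AES-256 EAX bullets above, worked through as an added example (not Tilig's code): a key is derived with PBKDF2 at 100,000 iterations and a secret is sealed in EAX mode, so a modified ciphertext, label or nonce is rejected on read. Assumptions: Node's crypto module has no EAX mode, so it is assembled here from AES-256 ECB/CBC/CTR; the SHA-256 PRF, the passphrase input, the 16-byte salt and nonce, and the `sealSecret`/`openSecret` record layout are hypothetical.

```javascript
// Added example (not Tilig's code). Node has no built-in EAX, so it is assembled
// from AES-256 ECB/CBC/CTR. Assumed: SHA-256 PRF, passphrase input, record layout.
const crypto = require('crypto');

// Doubling in GF(2^128); yields the OMAC (CMAC) subkeys 2L and 4L.
function dbl(b) {
  const out = Buffer.alloc(16);
  for (let i = 0; i < 16; i++) out[i] = ((b[i] << 1) | (i < 15 ? b[i + 1] >> 7 : 0)) & 0xff;
  if (b[0] & 0x80) out[15] ^= 0x87;
  return out;
}

// OMAC^t_K(M): CMAC over the 16-byte tweak block [t] followed by M.
function omac(key, t, msg) {
  const ecb = crypto.createCipheriv('aes-256-ecb', key, null).setAutoPadding(false);
  const L = ecb.update(Buffer.alloc(16));
  const tweak = Buffer.alloc(16); tweak[15] = t;
  let m = Buffer.concat([tweak, msg]);
  const full = m.length % 16 === 0;
  if (!full) m = Buffer.concat([m, Buffer.from([0x80]), Buffer.alloc(15 - (m.length % 16))]);
  const sub = full ? dbl(L) : dbl(dbl(L));
  for (let i = 0; i < 16; i++) m[m.length - 16 + i] ^= sub[i];
  const cbc = crypto.createCipheriv('aes-256-cbc', key, Buffer.alloc(16)).setAutoPadding(false);
  return Buffer.concat([cbc.update(m), cbc.final()]).subarray(-16); // last CBC block
}

const xor3 = (a, b, c) => Buffer.from(a.map((v, i) => v ^ b[i] ^ c[i]));

// EAX tag: nonce, header and ciphertext are each MACed under a distinct tweak.
function eaxTag(key, n, header, ct) { return xor3(n, omac(key, 1, header), omac(key, 2, ct)); }

function sealSecret(passphrase, secret, label) {
  const salt = crypto.randomBytes(16), nonce = crypto.randomBytes(16);
  const key = crypto.pbkdf2Sync(passphrase, salt, 100000, 32, 'sha256'); // 100,000 iterations
  const n = omac(key, 0, nonce);
  const ctr = crypto.createCipheriv('aes-256-ctr', key, n); // CTR starts at OMAC^0(nonce)
  const ct = Buffer.concat([ctr.update(Buffer.from(secret)), ctr.final()]);
  return { salt, nonce, label, ct, tag: eaxTag(key, n, Buffer.from(label), ct) };
}

function openSecret(passphrase, rec) {
  const key = crypto.pbkdf2Sync(passphrase, rec.salt, 100000, 32, 'sha256');
  const n = omac(key, 0, rec.nonce);
  const tag = eaxTag(key, n, Buffer.from(rec.label), rec.ct);
  if (rec.tag.length !== 16 || !crypto.timingSafeEqual(tag, rec.tag)) throw new Error('authentication failed');
  const ctr = crypto.createDecipheriv('aes-256-ctr', key, n);
  return Buffer.concat([ctr.update(rec.ct), ctr.final()]).toString();
}
```

The tag is checked before any decryption happens, so a record altered in the database never yields plaintext.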

Security diagram of password read and write