Data encryption and storage

This document explains how Invicti Platform encrypts and stores customer data in both on-demand and on-premises deployments. Both deployments use AES-256 encryption to protect sensitive data at rest.

Encryption in transit

Invicti Platform protects data in transit by using industry‑standard TLS:

  • All browser access uses HTTPS with TLS 1.2 or higher with valid SSL/TLS certificates.
  • API access uses the same HTTPS/TLS protections.

Secrets and passwords

Sensitive secrets such as passwords and tokens are never stored in plain text. User account passwords are stored as salted hash values using PBKDF2 with HMAC‑SHA256.

Invicti Platform on-demand

Invicti Platform on-demand is hosted on Amazon Web Services (AWS) with multiple layers of encryption.

Encryption at rest

Data at rest and backups are encrypted using 256‑bit AES:

  • AWS S3 buckets use Server‑Side Encryption with Amazon S3‑Managed Keys (SSE‑S3).
  • Databases use AWS RDS storage encryption.

Cloud hosting and regions

  • AWS regions: us-east-1 (USA), eu-central-1 (Germany), ca-central-1 (Canada)
  • Data is stored and processed in the region selected for the customer's instance.

Login Sequence Recorder options

On-demand deployments support both cloud-based LSR (built into the UI) and standalone LSR for internal agent scanning.

  • Cloud-based LSR: Data is encrypted and stored within the AWS infrastructure using the same encryption standards as previously described.
  • Standalone LSR: LSR files are stored locally on the machine where the standalone LSR is installed. When uploaded to the platform for use in scans, these files are encrypted and stored using the same AWS encryption standards (256-bit AES).

Invicti Platform on-premises

Invicti Platform on-premises generates a secret key for AES encryption during installation. You're prompted to download this key during installation. All data is stored and processed locally within your organization's infrastructure.

Important

Securely store the secret key from installation. It's essential for encryption and decryption operations and can't be retrieved later.

Login Sequence Recorder files

LSR files contain automated authentication workflows. The system stores and encrypts these files as follows:

  • Local disk storage: LSR files are written to the local disk in encrypted form using AES-256.

Warning

When scan debug logs are enabled, LSR data might be available in plaintext in log files.

