Security is at the heart of everything we do at AeroFS, and this page is intended to give a brief description and explanation of the security and cryptography usages in AeroFS.
This document describes the various communications that happen amongst AeroFS services. We'd like to take a moment to make some things in regards to the Hybrid Cloud vs Private Cloud models as clear as possible before diving into the details.
In the Private Cloud deployment model, absolutely no data or communications should happen with AeroFS servers. Period.
In the Hybrid Cloud deployment model, we do not store any file data on our own servers, and strive to reduce the overall amount of communication that happens with our servers, but some communication is still necessary (e.g. for account creation, email notification, and so on). These communications are outlined below in detail.
During sign up for both the Hybrid Cloud and the Private Cloud model, we take your password and apply the scrypt key-derivation algorithm with a per-user salt to produce a hard-to-compute shared secret. We never store your password in plaintext, ever - neither on your machine, nor on our servers or the AeroFS Appliance.
When you set up a new client, that client creates a 2048-bit RSA key which never leaves that machine. The key is stored in that user's AeroFS configuration folder (location varies by platform) and is set to be only accessible by the user setting up AeroFS. The client generates a certificate signing request, and depending on whether you use the Hybrid Cloud or the Private Cloud deployment, does one of the following:
The clients communicate amongst themselves through TLS atop a variety of other transports, including direct TCP over a LAN, STUN, and a relay server used when direct network connectivity is impossible. In the Hybrid Cloud deployment, this relay server is zephyr.aerofs.com. In the Private Cloud deployment, your AeroFS Appliance also acts as a relay server. Each client has a 2048-bit RSA key and a certificate signed by the AeroFS root CA as described above in "Device Setup". We currently use the DHE-RSA-AES256-SHA ciphersuite, which establishes an AES-256-CBC session between the two peers. Each client verifies that the other client it is communicating with is:
All file data and metadata sent between peers is encrypted end-to-end through this TLS channel, so neither network sniffers nor our relay server can see your data.
Some actions require talking to AeroFS servers (or in the case of the AeroFS Private Cloud deployment, to the AeroFS Appliance). These mostly relate to account preferences, administration of shared folders, and information to help us improve AeroFS.
For these communications, we use connections secured with TLS. Where possible, we use the same client certificate signed by the AeroFS root CA as used in the peer-to-peer communications to verify identity, but we also have some services where the client identifies itself by presenting a username and password (after verifying the services's identity, of course).
We use strong ciphers and follow best practices for SSL/TLS usage.
We use certificate revocation lists to revoke the certificates for deleted devices. When you unlink or erase a device, we mark the certificate associated with that device as revoked, and notify each of your clients either immediately or as soon as they come online and reconnect to our push notification service that the revoked device is no longer to be trusted.
Our implementation uses OpenSSL. We are subscribed to the OpenSSL security advisory mailinglist, and we update our OpenSSL version promptly when upstream releases security fixes.
We take all security issues and concerns seriously. If you believe you've found a security problem relating to AeroFS, please get in touch with us at firstname.lastname@example.org
When disclosing security issues to us, we ask that you:
Our PGP key is below. All security-related emails from AeroFS will be signed with this key, and you're also welcome to use this key to encrypt security related communication emails to us.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: SKS 1.1.0 mQINBFE2SKsBEAC91DjtMEV2mgyB02N69L0eaaCbdS5IGT22Pgijkm26XAH/It4IVLn76t2k AZS2tV5R7PDfFU3WJqZclseWkoxp+KrSeCOllx0+X4VyP5HX2MDQPOW6fjYcFXep9DvJ+R94 z6Ho6gnvewCxUTswHTw5T0oku8ag8Frobdj9DmnV/B8G4nBnJXGyP9n3eAFdPcGAsfrwAoDa yeutjqsapPTxF5WSpxY1UIcqI8hBvOAdDsszYjXC3AZdEt7xdm8m9M44L1fWA4iG/DS6frWG uNQOn6smZUx+RRn40negGwcI3RP871tAFfNkDxhgt+F3gnK9Nqkqrsub4Jyyit4CggJn9x3J oJjfIkC1rYLqzpaqNngOquZPLxOwpIzjl48Q2xoF3ca8pK4PcxxXae0m+eTu/VShHvvlear2 caHYDRUZzZjv4MdC4ZNg4V3FtOFp6efgN7p5sPTm9eOhG2sHz6/FURCcshBExk7MBi1IBfSB JMcgic2ksk5wml4B0cs9EFABYOtjphW9gsv4cq/Vj2K/K1JZfm/4JhcsFGbnDLH2dow+Mtvq oN9oinQfTbKbqkwT83lVHK3t/7Q5zBlLzYuXoV0/0RAgxbpr0xlH1pQJEE9jnoN5gm9KXfnX XvGV30/BTJVoa4pkxVOdnWlVu7Q6UL5G6JEGiiGMOkExgmmXswARAQABtBxBZXJvRlMgPHNl Y3VyaXR5QGFlcm9mcy5jb20+iQI4BBMBAgAiBQJRNkirAhsDBgsJCAcDAgYVCAIJCgsEFgID AQIeAQIXgAAKCRCj0k7Dbh3J+W8PD/9UwGLZIpQcZ6zWzMNeDXH626WpBRb8rw0/2h4Rm55V 9lD7PV/71QVzcdCT0leTVbXkt0952oGc1wxQBUcymJwcEzNWX5nkdWGPWTIJuvXqGBQZaGuo TYHOhC8c8azJT6L20n3IUiyE3yV1PjyLIV43x0nOvlCcpAQIqkNjkkjoIE/W0XRiQez7hc14 Rg05/3RLUgvC/ZTsQ2rb4pkjc+9Yoarqf6JiLfL2eyLyVmb/hQhh0tOtohpYQFjGju2UbTR7 0ATbP/TZg66bULvrkLRZC0W5DrShIkJ9RPKpA7jd9c5V3sLIhnU4W4ylF1DMYn0wqx/9UwBx Onx1MqbxRi6fwL13w4LQrc7McnfI0gUJUsZha6qcZ0aROgfdRVoG28Ro7xEAxp4HE85DLqxZ fN9Q/HcJHFw+Rejc1FTaO3Thf7WWIPOii31vm/7QyNnZA9tLwNqpKGVsPMs6nIdY3LXUjLIr xS8cfHWBID69beuJtyP3CFulQNk3XBpu4Hgh4eZVCOUyXTUz3PFl2xdE+Y+Cy5U+NVeEfKrv Xg8FE33oqVYsLsCo2t1q35ENV+Ft7dQZfs11kCpYEiAPKJuhgdTjhMVIYqbXgwL0/dq7d2SP y76Sr+lmZYSpfDrksKS4TR1O82qYe/3XzHp8tyY5H7/1BP2wl2r+qdw94mxvDjyJdLkCDQRR NkirARAAv3f88zpVrMky9eHfqamQG8yNh6QWPGONxhGua+FwpN23DFPOzBadTCennQSA/C05 1VBUcbjJivQXsiMiCduSA89uisA5Ez2g1+zMGCMZnOnJIVV8QajG/+QRK3YjZhdV6JtKOSTe nSJui6Xc+E7fHxbcEIxpNb/FsfkcmG2N86gTvP82DcO3FkTTj8pialS6I/lq7uFKW9Yyh75D 3LQqOADqx9VLgkgvfhihVfuqQtS86Xc8qkZ8V/r0JeEAEO950xsOjCdToOZVQGviOHtlYY1q StBbi6GjhiPQ74jT7nKn7bWU7NeITZCnUPxabcds/lO1zhwd20SEKxV0KIFW2uNhUxmXOFcY HNVIn91HiMDy6J335pk5vnUVwPeuVQwhzFX8OXz79wAVlNFZQrlfVmyDxWVTUSnocttLJFAM M6v2vpHy/7+0FB9bBgcTPSiap5dSAfNhb0gWFfe5SSbjPbcqH0qWOQQlVw/DcXHyaWTBEiJ/ v8aJHF8ZC7kMe3MecIEEjkG6yAoE/1ZXrV/CMVlBUsbBVjL9gFy2AfllJvKGLKODxkPsaSy0 tibuA7U5an0bsNHJyQekaebJEFzZhVOwC1jNZKdWCXcaBTxirXyb+xKLn4rbZKdG3vP++Gi7 7tYaaSKXQ3li4h0DEHnGcPPCjZru9ZqB80jqr2iG3KMAEQEAAYkCHwQYAQIACQUCUTZIqwIb DAAKCRCj0k7Dbh3J+TGMD/9SnUO9Owozb7fbZG7OYefYPo9My7/hAa06B+7IZiw0p9VHx3ND ZFK7dDQWRrqLQAhCH7Y7z0eL2wmDf0gVKsSvObkllPVn9QhwW/T/HKpX6eBbbiwJDtmq2pTH 0r7z/LAgcAv1dkQmGoo2aJj0rG122k79ybHyJvqV+v4RHJpqSxnLbYCKa1y3COV2Uqdqpo5Z TX8j431edNmMXwEStMkCVWfTtbWX0FupZ7ruFtTcOBKjFvQdxGb7M68sCfOlG1M29hP6swpt AeNpRqHEL+jrJWHCuDjKFvEVsZnahLliNa1gFWNtCY50GBALP26mfcTE+b5u5uUuJ/LRUCH3 y5BfGq5OqhID+6bcZbSYqR2GVWybd3zNydFU8K4qia788Ff9dOuo07OvQGtyvtJK5drWKt+/ oF+8iUIlrs5o86Tvvag/6ZkBG5MNHfcpllBjC4p40uBDrUkD8sQEJZEG04gcluVjKCPO+ilv es0wbObLnI4yYrsabDCQIPRj65ZEcGkBtEJP3ShcSVt2Xvt/e5SMp02pmCUFIM3KhxEdlEO+ dYTbZFrdD7q/oC5LtSGjbeMN+D/RtBdyMkVdAfO8f/Jd+6GplvMPxmxEQeVCRGHyUAsgclQ7 eMCtixwIrHQsE2I4h7OHvfII0YgYCW6mkyznFbgikhDoWfNcWUEvsJtOCA== =j1ZP -----END PGP PUBLIC KEY BLOCK-----
Please fill out this form or call us at 1-800-656-AERO (1-800-656-2376).
Interested in AeroFS Private Cloud? Get a free trial.