AeroFS Security Overview

Security is at the heart of everything we do at AeroFS. This page briefly describes AeroFS's security and cryptography considerations and protocols.

Hybrid Cloud vs Private Cloud

We'd like to take a moment to make the differences between AeroFS's Hybrid Cloud and Private Cloud models as clear as possible before diving into the details.

In the Private Cloud deployment model, absolutely no data exchange or communication with AeroFS servers should happen. Period.

In the Hybrid Cloud deployment model, we do not store any file data on our own servers and strive to reduce the overall amount of communication that happens with our servers, but some communication is still necessary (e.g. for account creation, email notification and so on). These communications are outlined below in detail.

Account Creation

During sign up for both the Hybrid Cloud and the Private Cloud model, we take your password and apply the scrypt key-derivation algorithm with a per-user salt to produce a hard-to-compute shared secret.

We never store your password in plaintext, ever — neither on your machine nor on our servers or the AeroFS Appliance.

Device Setup

When you set up a new client, that client creates a 2048-bit RSA key which never leaves that machine. The key is stored in that user's AeroFS configuration folder (location varies by platform) and is set to be accessible only by the user setting up AeroFS. The client generates a certificate signing request and, depending on whether you use the Hybrid Cloud or the Private Cloud deployment, does one of the following:

Hybrid Cloud: Connects to our server over TLS and verifies that the server's certificate is signed by the AeroFS root CA (which is shipped with every client).

Private Cloud: Connects to your AeroFS Appliance over TLS and verifies that the appliance's certificate is signed by the AeroFS Appliance root CA (this CA is unique per AeroFS Appliance deployment and is generated on first boot).

The AeroFS client then provides your username, the certificate signing request, and the scrypt-derived password to the server/appliance, which verifies that the username and scrypt-derived password match. The server/appliance signs the certificate signing request and returns the freshly-minted certificate to the authorized device. This certificate will then be used in various communications.

Device-to-Device Communication

The clients communicate amongst themselves through TLS atop a variety of other transports, including direct TCP over a LAN, and a relay server when direct network connectivity is impossible. In the Hybrid Cloud deployment, this relay server is zephyr.aerofs.com. In the Private Cloud deployment, your AeroFS Appliance acts as a relay server.

Each client has a 2048-bit RSA key and a certificate signed by the AeroFS root CA, as described above in Device Setup. We currently use the DHE-RSA-AES256-SHA ciphersuite, which establishes an AES-256-CBC session between the two peers.

Each client verifies that the other client it is communicating with is:

  1. certified by the AeroFS CA to represent the device and user claimed,

  2. not listed as using a certificate with a serial number revoked by the AeroFS root CA, and

  3. authorized to send and receive information about the relevant shared folder.

All file data and metadata sent between peers is encrypted end-to-end through this TLS channel, so neither network sniffers nor our relay server can see your data.

Device-to-Server/Appliance Communication

Some actions require talking to AeroFS servers (or in the case of the AeroFS Private Cloud deployment, to the AeroFS Appliance). These mostly relate to account preferences, administration of shared folders, and information to help us improve AeroFS.

For these communications, we use connections secured with TLS.

Where possible, we use the same client certificate signed by the AeroFS root CA as used in the peer-to-peer communications to verify identity, but we also have some services where the client identifies itself by presenting a username and password (after verifying the service's identity, of course).

We use strong ciphers and follow best practices for SSL/TLS usage.

Lost or Stolen Devices

We use certificate revocation lists to revoke the certificates for deleted devices. When you unlink or erase a device, we mark the certificate associated with that device as revoked.

We then notify each of your clients (either immediately, or as soon as they come online and reconnect to our push notification service) that the revoked device is no longer to be trusted.
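The certificate lifecycle described in Device Setup, Device-to-Device Communication and this section, reproduced with the OpenSSL command line as an added example (not AeroFS's own code): a throwaway CA signs two device CSRs, one device is revoked, and `peer_ok` applies the three peer checks. The CA, the device names `laptop` and `phone`, the `acl.txt` format and the helper names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: the CA, device names and folder ACL below are all constructed.
set -eu
W=$(mktemp -d); cd "$W"; umask 077      # keys readable by the owning user only
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = Constructed Demo Root CA
[v3]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
new_certs_dir = .
default_md = sha256
default_days = 1
default_crl_days = 1
policy = pol
[pol]
commonName = supplied
EOF
: > index.txt; echo 01 > serial
ca() { openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key "$@" 2>/dev/null; }
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 2>/dev/null
# Device setup: the key is generated locally; only the CSR is handed to the CA.
enroll() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config ca.cnf -key "$1.key" -subj "/CN=$1" -out "$1.csr"
  ca -in "$1.csr" -out "$1.crt" -notext
}
# Peer checks: (1) chains to the CA, (2) serial not in the CRL, (3) folder ACL.
peer_ok() {   # usage: peer_ok <device> <crl-file> <folder>
  openssl verify -CAfile ca.crt -CRLfile "$2" -crl_check "$1.crt" 2>&1 | grep -q ': OK$' &&
    grep -qx "$3 $1" acl.txt
}
enroll laptop; enroll phone
printf 'projects laptop\nprojects phone\n' > acl.txt   # constructed folder ACL
ca -gencrl -out before.crl      # CRL issued before the phone is unlinked
ca -revoke phone.crt            # unlinking the phone revokes its certificate
ca -gencrl -out after.crl       # CRL that peers must receive afterwards
for c in "phone before.crl projects" "phone after.crl projects" "laptop after.crl projects" "laptop after.crl finance"; do
  set -- $c; peer_ok "$@" && echo "accept: $c" || echo "reject: $c"
done
```

A peer still holding `before.crl` keeps accepting the revoked phone, which is why the updated revocation list has to reach every client.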

Security Libraries Used

Our implementation uses OpenSSL. We are subscribed to the OpenSSL security advisory mailing list and we update our OpenSSL version promptly when upstream releases security fixes.

Responsible Disclosure

We take all security issues and concerns seriously. If you believe you've found a security problem relating to AeroFS, please get in touch with us at security@aerofs.com.

When disclosing security issues to us, we ask that you:

  1. Share the security issue with us in detail.

  2. Give us a reasonable opportunity to address the issue before making any information about it public.

  3. Act in good faith not to degrade the performance of our services (including Denial of Service attacks).

  4. Not violate the privacy of other users.

PGP

All security-related emails from AeroFS will be signed with this PGP key. You're also welcome to use this key to encrypt security-related emails to us.

Key ID: 6E1DC9F9
Key type: RSA
Key size: 4096 bit
Fingerprint: 1224 692E 7E32 9664 1324 0BFB A3D2 4EC3 6E1D C9F9
User ID: AeroFS <security@aerofs.com>
                        

                        
                    
