Camio encrypts data for both transmission and storage. People familiar with the technical details of securing systems may also want to know who has access to the keys and how those keys are supplied to the subsystems doing the encryption.
- the keys for application-specific cryptography are encrypted and accessible only via TLS/HTTPS to the machine that deploys virtual servers (i.e. only the deployment engineer has the keys; they're not accessible to developers, and developers cannot deploy to production servers)
- the keys for encrypted cloud storage are managed server-side by Google, who manages the cryptographic keys on our behalf using the same hardened key management systems that they use for their own encrypted data, including strict key access controls and auditing. Each Cloud Storage object's data and metadata is encrypted under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys. (See https://cloud.google.com/security/encryption-at-rest/default-encryption/)
- all communications over public networks and over private networks between datacenters use TLS 1.3 / HTTPS encryption.