Firezone employs a few different security controls to keep data secure in transit and at rest.
Overview of Cryptography Used
The table below lists the cryptography used and the context to which each applies.
| Cryptography | Context | Usage |
|---|---|---|
| AES-GCM | Data at rest | Used to encrypt sensitive database fields such as device preshared keys and multi-factor authentication secrets. |
| Argon2 | Data at rest | Used to hash user passwords for the local authentication method. |
| TLSv1.2/TLSv1.3 | Data in transit | Used by the Caddy server to encrypt HTTP connections to the portal. Read more at https://caddyserver.com/docs/caddyfile/directives/tls. SSL certificates are provisioned automatically with the ACME protocol by Let's Encrypt by default. |
| ChaCha20, Poly1305, Curve25519, BLAKE2s, SipHash24, HKDF | Data in transit | Used by WireGuard® for VPN tunnels. Read more at https://wireguard.com/protocol. Firezone uses Linux kernel WireGuard without modification. |
Firezone employs HTTP rate limiting to help limit the effectiveness of brute
force attacks against the web portal. Requests from a single IP are
limited to 5 per second before Firezone responds with an
HTTP 429: Too Many Requests.
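
One way to monitor the limit described above from the operator's side, as an added example that is not Firezone's own code: it scans JSON access-log lines and reports source IPs that sent more than 5 requests within a one-second window or were answered with HTTP 429. The log field names (`ts`, `request.remote_ip`, `status`) and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque

LIMIT = 5      # requests per second per IP, the figure stated above
WINDOW = 1.0   # seconds

def sample_line(ts, ip, status):
    """Build one constructed log line (field names are an assumption)."""
    return json.dumps({"ts": ts, "request": {"remote_ip": ip}, "status": status})

# Constructed sample: one noisy client, one quiet client, one corrupt line.
SAMPLE = (
    [sample_line(100.0 + i * 0.1, "203.0.113.7", 200 if i < 5 else 429) for i in range(10)]
    + [sample_line(100.0 + i * 2.0, "198.51.100.4", 200) for i in range(4)]
    + ["not json"]
)

def summarize(lines, limit=LIMIT, window=WINDOW):
    """Return {ip: stats} for IPs that exceeded the limit or were sent a 429."""
    records = []
    for raw in lines:
        try:
            rec = json.loads(raw)
            ip = str(rec["request"]["remote_ip"])
            records.append((float(rec["ts"]), ip, int(rec["status"])))
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete lines
    recent = defaultdict(deque)  # per-IP timestamps inside the sliding window
    stats = defaultdict(lambda: {"requests": 0, "peak": 0, "throttled": 0})
    for ts, ip, status in sorted(records):  # logs may arrive out of order
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        s = stats[ip]
        s["requests"] += 1
        s["peak"] = max(s["peak"], len(q))
        s["throttled"] += int(status == 429)
    return {ip: dict(s) for ip, s in stats.items() if s["peak"] > limit or s["throttled"]}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(ip, s)
```

A sustained count of throttled responses for one source is the signal worth alerting on; a single 429 is usually just a client retrying too quickly.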
We take security issues very seriously and strive to fix all security issues as soon as they're reported.
We'll announce major security issues on our security mailing list located at:
We release security patches for supported versions of Firezone. We recommend running the latest version of Firezone at all times.
Reporting a Vulnerability
Please do not open a GitHub Issue for security issues you encounter.
Instead, please send an email to
security AT firezone.dev describing the issue
and we'll respond as soon as possible.
You may use the public key below to encrypt emails to
security AT firezone.dev.
You can also find this key at:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu
-----END PGP PUBLIC KEY BLOCK-----