Encryption and cryptography
By default, all data in Sitecore Content Hub, including files and metadata, is encrypted at rest.
Azure storage accounts have encryption enabled for file and Blob Storage, ensuring all file content, backups, and VM disks are encrypted automatically. Data for Redis and Elasticsearch, stored on these VM disks, is also encrypted.
All data in Azure Storage is encrypted before being saved and decrypted when accessed, using 256-bit AES encryption. Additionally, Content Hub uses Azure Managed Disks, which are automatically encrypted at rest by Azure Storage Service Encryption (SSE).
Encryption in transit
All communication between the client and the web server is encrypted using SSL. This includes both incoming and outgoing traffic on the web nodes, as well as communication between the application and Azure PaaS services, such as storage accounts and cognitive services.
Email encryption
By default, our system tries to use TLS v1.2 to send emails securely. If the recipient's email server supports TLS v1.2, the email will be delivered over an encrypted connection. Otherwise, the email will be sent over a default unencrypted connection.
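Because delivery falls back to an unencrypted connection, a recipient organization may want to confirm that its own mail server accepts TLS 1.2. The probe below is an added example, not Sitecore code. It assumes the upgrade happens through SMTP STARTTLS, which the page does not state; the function name probe_mail_tls12 and the EHLO name probe.invalid are hypothetical.

```python
import smtplib
import ssl


def probe_mail_tls12(host, port=25, timeout=10):
    """Return (mode, detail) for an SMTP server; mode is 'encrypted' or 'plaintext'.

    Assumption: the sender upgrades with STARTTLS and falls back to plaintext when
    a TLS 1.2 handshake is not possible. The page does not describe the mechanism.
    """
    # Pin the handshake to TLS 1.2 so the result answers exactly one question:
    # does this server accept TLS 1.2? Certificate validity is a separate check
    # and is deliberately not evaluated by this protocol probe.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    # local_hostname is a placeholder EHLO name; it also avoids a DNS lookup.
    smtp = smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return ("plaintext", "STARTTLS not advertised in EHLO response")
        try:
            smtp.starttls(context=ctx)
        except (smtplib.SMTPException, OSError) as exc:
            # Server refused STARTTLS or the TLS 1.2 handshake failed.
            return ("plaintext", f"STARTTLS failed: {exc}")
        return ("encrypted", f"negotiated {smtp.sock.version()}")
    finally:
        smtp.close()  # drop the socket; a broken session may not accept QUIT


if __name__ == "__main__":
    import sys
    # Usage: python probe.py mx.example.org   (host name is a placeholder)
    print(probe_mail_tls12(sys.argv[1]))
```

A "plaintext" result for your own MX host means mail sent under the fallback described above would cross the network unencrypted.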
Cryptographic hashing for applications
Passwords stored in Content Hub are hashed using the PBKDF2 algorithm.
TLS/SSL encryption
All HTTPS traffic is encrypted using TLS 1.2 or higher.