How App My Cloud Ensures the Highest Security Standards for Your Cloud Deployments

In today's fast-paced tech world, ensuring the security of sensitive data is paramount. At App My Cloud, we prioritize security as a core feature of our platform, surpassing industry standards to keep your data completely safe. Whether you're a solo developer or a business managing critical cloud infrastructure, we've designed our platform to provide top-tier protection without compromising on convenience or user experience.

End-to-End Encryption: Keeping Your Secrets Secure

At the heart of our security is end-to-end encryption (E2EE) for all sensitive user data, including API credentials and any variables marked as secrets. We call this feature the "Vault." Here's how it works:

  1. Symmetric Encryption: Every time a user saves a secret on App My Cloud, they are prompted to provide a secret password. This password is used to encrypt the data at rest, employing AES GCM encryption, a gold standard in cryptography. Without this password, the encrypted data is entirely unreadable.
  2. User-Controlled Access: Unlike many platforms, we never store your secret password on our servers. The password must be provided during each API call that interacts with the Vault. This ensures that even in the unlikely event of a breach, your sensitive information remains inaccessible without your unique password.
  3. Convenience Meets Security: To make the experience seamless, you don't have to enter your password every time you access the Vault. We've implemented a browser-based mechanism to store the password securely, allowing the platform to auto-use the persisted password without repeatedly asking you for it.
  4. AES GCM Encryption Details:
    • Key Size: 256 bits
    • Nonce Size: 96 bits
    • Tag Size: 128 bits
    • Salt Size: 128 bits
    • PBKDF2 Iterations: 1,000,000 (making brute-force attacks computationally impractical)

This sophisticated encryption system ensures that your sensitive data is safe from unauthorized access, offering a significant security edge over many competitors.

End-to-End Encryption Diagram

Why End-to-End Encryption is a Game Changer

Most platforms today encrypt data in transit or use server-side encryption, meaning they still have access to your decrypted data. With App My Cloud, only you hold the keys to your encrypted Vault data, giving you an unmatched level of control. Even we, the platform operators, cannot decrypt or read your sensitive information.

Password Management: Flexible Yet Secure

One of the key features of our platform is the ability to change your Vault password at any time. When you do, we decrypt all Vault secrets using your old password, re-encrypt them with the new password, and store them back securely. This flexibility ensures that if you suspect your password is compromised, you can immediately reset it without losing any of your data.

However, it's important to note that if you forget your password, your Vault items are permanently lost. While this might seem stringent, it is a necessary trade-off to guarantee complete data security—no one can access your secrets without your password.

Secure Interactions with Cloud Providers

Given the nature of App My Cloud, which interacts directly with cloud providers on your behalf, we have incorporated an additional layer of security:

  • Single Deterministic Egress IP: All communication with cloud providers occurs from a single, known IP address. This allows users to whitelist this IP in their cloud environments, ensuring that only App My Cloud has permission to interact with their resources.
  • Write-Only Vault: When interacting with third-party cloud providers, your secrets (like SSH keys) are securely injected into the deployment process without exposing them. The platform's API does not allow any read access to decrypted secrets. The only time secrets are decrypted is when they are directly used to provision your environments or generate Butane configurations.

Single IP Security Diagram

This structure means that, even during critical operations, your sensitive data remains encrypted and inaccessible to anyone—whether it's App My Cloud, a third-party provider, or a potential attacker.

Going Beyond Industry Standards

Many platforms encrypt data but stop short of adopting true end-to-end encryption. At App My Cloud, we've chosen this secure-by-design approach because of the critical role our platform plays in managing and deploying user applications to production environments. We understand that even a small breach in security—such as exposing an SSH key—can lead to significant harm.

That's why we've built a system where security comes first, even if it means making tough decisions, like not offering password recovery for Vault secrets. By putting these controls in your hands, we minimize the risks associated with storing sensitive information and ensure that you always know exactly who has access to your data: only you.

Cloud Security with Shield

Key Security Takeaways for Our Users

  1. AES GCM encryption with PBKDF2 key derivation ensures your data remains safe, even if your account is compromised.
  2. We never store your Vault password, providing zero access to your secrets, even on the backend.
  3. Interaction with cloud providers is secure, utilizing a write-only mechanism for Vault items and a deterministic IP for all outbound requests.
  4. The platform's security model aligns with the critical demands of modern cloud infrastructure deployment, ensuring your credentials and sensitive data remain shielded.

Conclusion: Leading the Way in Security

At App My Cloud, we go above and beyond to ensure that our users' sensitive data is handled with care, from initial encryption to secure cloud interactions. With end-to-end encryption, password-controlled Vault access, and a strong focus on secure cloud operations, we are not just meeting industry standards—we're setting new ones.

Your data is safe with us, and that's a guarantee.