Symphony encrypts all messages end-to-end, an approach demanded by sophisticated, security-sensitive institutions, especially those in financial services.
Unlike conventional cloud-based communications platforms, messages on Symphony's enterprise offering remain encrypted for the entire time they are in the cloud and are never visible to Symphony's cloud servers.
Unlike bring-your-own-key cloud platforms, where customers upload their key to the vendor's platform and thereby expose it to compromise, Symphony has no access to the keys or to message contents. This makes Symphony much more secure than conventional cloud platforms and therefore attractive to institutions that prioritize security.
Symphony uses standard cryptographic algorithms widely trusted in the security community:
- Symmetric: AES-256 in GCM mode, or CBC mode for legacy key rotations.
- Asymmetric: RSA-2048 or higher.
- Hashes: SHA-256 or higher.
- Symmetric key derivation: CKM_SHA256_KEY_DERIVATION applied to the secure seed material, the key derivation function specified in NIST SP 800-108 in counter mode applied to the secure seed material, or the SHA-256 hash of an RSA-2048 signature over the secure seed material.
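To make the two hash-based derivation options in the list above concrete, here is an added example (not Symphony's code) implementing the NIST SP 800-108 counter-mode KDF with HMAC-SHA256 as the PRF, alongside the PKCS#11 CKM_SHA256_KEY_DERIVATION mechanism, which simply hashes the base key value. The seed bytes, label and context strings are constructed for the demonstration and are not values from the page.

```python
import hashlib
import hmac


def kdf_fixed_input(counter: int, label: bytes, context: bytes, length_bytes: int) -> bytes:
    """Input to the PRF for one SP 800-108 counter-mode block:
    [i]_2 || Label || 0x00 || Context || [L]_2, with a 32-bit big-endian
    counter i and L = requested output length in bits (32-bit big-endian)."""
    l_bits = (length_bytes * 8).to_bytes(4, "big")
    return counter.to_bytes(4, "big") + label + b"\x00" + context + l_bits


def sp800_108_counter_kdf(key_in: bytes, label: bytes, context: bytes, length_bytes: int) -> bytes:
    """NIST SP 800-108 KDF in counter mode, PRF = HMAC-SHA256.
    Output is the concatenation K(1) || K(2) || ... truncated to length_bytes."""
    if length_bytes <= 0:
        raise ValueError("length must be positive")
    h_len = hashlib.sha256().digest_size            # 32 bytes per PRF block
    n_blocks = -(-length_bytes // h_len)            # ceil division
    if n_blocks > 2**32 - 1:
        raise ValueError("requested length too large for a 32-bit counter")
    out = b""
    for i in range(1, n_blocks + 1):                # counter starts at 1
        block_input = kdf_fixed_input(i, label, context, length_bytes)
        out += hmac.new(key_in, block_input, hashlib.sha256).digest()
    return out[:length_bytes]


def ckm_sha256_key_derivation(base_key: bytes) -> bytes:
    """PKCS#11 CKM_SHA256_KEY_DERIVATION: derived key = SHA-256(base key value)."""
    return hashlib.sha256(base_key).digest()


# Constructed seed material for the demonstration; not a real key.
SEED = bytes(range(32))

if __name__ == "__main__":
    # Binding a per-purpose label and context yields independent keys from one seed.
    k_room_a = sp800_108_counter_kdf(SEED, b"demo-label", b"context-a", 32)
    k_room_b = sp800_108_counter_kdf(SEED, b"demo-label", b"context-b", 32)
    print("SP 800-108 key A:", k_room_a.hex())
    print("SP 800-108 key B:", k_room_b.hex())
    print("CKM_SHA256 key  :", ckm_sha256_key_derivation(SEED).hex())
```

Because the output length L is part of every block's PRF input, a 32-byte derivation is not a prefix of a 48-byte derivation from the same seed, label and context; the test below checks that property.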
As is normal for end-to-end encrypted applications, Symphony also uses Transport Layer Security (TLS) as an additional layer of protection for data in motion, and storage encryption for data at rest, on top of the end-to-end encryption that is applied to all messages and content before they leave the client.
To learn more about Symphony's security practices, refer to the dedicated web page.