Data Encryption, Storage, and Retention
This article explains how Invicti Enterprise encrypts and stores data and shows you how to configure the retention period for raw scan files and scan data.
Encryption and data storage
Invicti Enterprise On-Premises
Invicti Enterprise On-Premises encrypts and decrypts sensitive data by using AES encryption. For encryption, Invicti Enterprise uses a secret key that is randomly generated during a new installation (since v2.2). You are prompted to download and store your secret key during installation, as you cannot access this key again in Invicti Enterprise On-Premises. For more information, including how to generate a new secret key, refer to Encryption Settings.
Invicti Enterprise On-Demand
Invicti Enterprise On-Demand utilizes the following security measures:
- Data transfers, data at rest, and backups are encrypted with TLS 1.2, SSL certificates, and 256-bit AES.
- Secure data disposal procedures, including but not limited to using secure erase commands, degaussing, and crypto shredding of data when required. Invicti Enterprise’s procedures follow industry standards, such as NIST 800-88 or ISO 27001 recommendations.
- User account passwords are stored as salted hash values as defined in RFC 2898. PBKDF2 with HMAC-SHA256 is used as the hashing algorithm, and the salt length is 128-bit.
- AWS S3 buckets use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3).
Retention policies
One of the ways to control accumulated data in Invicti Enterprise is to set an expiry date for data. There are two different retention policies in Invicti Enterprise:
- Raw scan files created by the Agent
  - Deletion of this information does not affect future scheduled scans or the reports displayed in the web application.
  - Deletion of this information implies that you will no longer be able to download scan data via the UI, but the reports, reported vulnerabilities, and ancillary information will still be shown.
- Scan data related to a scan
  - Deletion of this data will remove any data related to the scan from the web application database and from the Agent machine.
  - Reports, reported vulnerabilities, and indeed any information related to the scan will no longer be available.
How to configure data retention for raw scan files or scan data
- Select Settings > General from the left-side menu.
- In the Data Retention Settings section, enable the checkbox next to:
  - Configure retention period for raw scan files
  - Configure retention period for scan data

  This will expose the slider control to specify the desired retention period.
- Click and drag the slider to adjust the retention period(s) according to your preference.
- Click Save at the bottom of the page.
The data retention period you specified is now set.