Can you further explain the encryption process and where encryption keys are stored?

Purpose

Can you further explain the encryption process and where encryption keys are stored?

Answer

To break this down:

Q. Could you please explain the encryption process?
A. During Secret creation, a PGP (ECC) key pair is generated and used to encrypt the Secret created in the Secret creator's browser. The PGP keys are then protected with AES encryption before being stored on Security & Encryption's database (external) without the passphrase.

Q. Where are the PGP encryption keys stored?
A.  The PGP key pairs are encrypted and stored in the app’s database, outside of Confluence. The passphrase to decrypt is encrypted and stored in a separate location in Confluence Cloud.

Q. Is there a way for Confluence admins to decrypt the data?
A. Confluence admins have no access to the PGP keys stored in our app’s database. They will not be able to decrypt any Secret content without these keys. Conversely, ServiceRocket cannot decrypt the encrypted PGP key without the passphrase stored on Confluence, even though ServiceRocket is the app’s database administrator. However, administrators can take over a user’s account, giving the administrator access to the user’s secret. This is a Confluence feature that is out of our control. For more information, refer to Log in as another user | Atlassian Support.