UserLock Documentation


Communication encryption

Between UserLock agents (all except macOS) and the UserLock service, and between UserLock consoles (Desktop, web, UserLockPowerShell, UserLockAPI) and the UserLock service:

The Microsoft AES Cryptographic Provider is used.

For key exchange: "RSA public key exchange" algorithm, with a key length of 1024 bits.

For symmetric encryption: "AES block encryption" algorithm, with a key length of 128 bits.

Between the macOS UserLock agent and the UserLock service:

For key exchange, standard elliptic curves are used: Elliptic-curve Diffie–Hellman (ECDH) 521-bit, 384-bit, 256-bit.

For the UserLock service, private keys exist only during the current execution.

For the agent, new private keys are created for each connection.

The actual key is derived by applying a SHA hash (SHA-384 or SHA-256) to the previously calculated key.

For symmetric encryption: AES in CBC mode, with a key length depending on the SHA hash used: 256 bits with SHA-384, 128 bits with SHA-256.

On Windows, the CNG API is used. On macOS, OpenSSL is used, but currently without the FIPS module.
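
The macOS agent key agreement described above, as an added Go example that is not UserLock's own code (the product uses CNG and OpenSSL): a service key pair held in memory and a fresh agent key pair run ECDH, and each side hashes the result into an AES key. Assumptions: the key is the leading bytes of the digest, any listed curve may be combined with either hash, and the function names are hypothetical; the AES-CBC step itself is not shown.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"fmt"
)

// sessionKey hashes the ECDH shared secret into an AES key.
// Assumption: the key is the leading bytes of the digest (the page gives only lengths).
func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey, useSHA384 bool) ([]byte, error) {
	secret, err := own.ECDH(peer) // fails if the two keys are on different curves
	if err != nil {
		return nil, err
	}
	if useSHA384 {
		d := sha512.Sum384(secret)
		return d[:32], nil // SHA-384 -> 256-bit AES key
	}
	d := sha256.Sum256(secret)
	return d[:16], nil // SHA-256 -> 128-bit AES key
}

// handshake simulates one connection and returns the key each side derives.
func handshake(curve ecdh.Curve, useSHA384 bool) (agentKey, serviceKey []byte, err error) {
	service, err := curve.GenerateKey(rand.Reader) // in memory for the service's lifetime
	if err != nil {
		return nil, nil, err
	}
	agent, err := curve.GenerateKey(rand.Reader) // new for every connection
	if err != nil {
		return nil, nil, err
	}
	// Only the public halves cross the wire; each side hashes its own ECDH result.
	if agentKey, err = sessionKey(agent, service.PublicKey(), useSHA384); err != nil {
		return nil, nil, err
	}
	serviceKey, err = sessionKey(service, agent.PublicKey(), useSHA384)
	return agentKey, serviceKey, err
}

func main() {
	for _, curve := range []ecdh.Curve{ecdh.P521(), ecdh.P384(), ecdh.P256()} {
		a, s, err := handshake(curve, true)
		fmt.Println(curve, len(a)*8, string(a) == string(s), err)
	}
}
```
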

Password storage

On the server, the UserLock service stores passwords with DPAPI. Only the UserLock service account (NETWORK_SERVICE) can decrypt passwords.