Encryption & Key Management Policy
This policy provides guidance to limit encryption to those algorithms that have received
substantial public review and have been proven to work effectively.
Additionally, this policy document provides Reveal encryption standards and best practices to
ensure that Reveal consistently follows industry standards for Encryption and Key Management.
This policy and standard apply to all Reveal employees, contractors, and third-party vendors
when sensitive data, such as customer data, Reveal secrets and PII, are in scope.
Data Encryption Policy
All sensitive data in transit and at rest must be encrypted using strong, industry-recognized
algorithms.
Reveal maintains approved encryption algorithm standards. These internal standards are
reviewed and are subject to change when encryption standards within the security
industry change significantly.
Reveal will not engage in “roll-your-own” encryption, algorithms, or practices and will not
use “security through obscurity” within production infrastructure or applications.
All Reveal-owned, employee-utilized computers are to have full disk encryption enabled at
all times, as these devices are expected to interact with Reveal resources, infrastructure
and/or client data while performing Reveal business.
All Reveal-owned wireless networks, including both corporate and guest networks, are to
encrypt corporate office data in transit using WPA2-AES encryption.
Data in Transit
The minimum acceptable TLS standard in use by the company is 1.2.
All Reveal public web properties, applicable infrastructure components and applications
using SSL/TLS, IPsec and SSH to facilitate the encryption of data in transit over open, public
networks, must have certificates signed by a known, trusted provider.
Reveal Encryption Standards
The CTO is responsible for reviewing all encryption algorithms in use. The use of the Advanced
Encryption Standard (AES) is strongly recommended for symmetric encryption.
Reveal, 26 rue Henry Monnier, 75009 Paris
Ciphers in use must meet or exceed the set defined as "AES-compatible" or "partially
AES-compatible" according to the IETF/IRTF Cipher Catalog, or the set defined for use in the
United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or
any superseding documents according to the date of implementation.
Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any
superseding document, according to the date of implementation. The use of the RSA and Elliptic
Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.
Reveal Encryption Key Creation & Storage Standards
Encryption Keys generated, stored, and managed by Reveal
Cryptographic keys must be generated and stored in a secure manner that prevents loss,
theft, or compromise.
Key generation must be seeded from an industry standard random number generator
(RNG). For examples, see NIST Annex C: Approved Random Number Generators for FIPS
PUB 140-2.
Auditing
The CTO will verify compliance with this policy through various methods, including but not limited
to code reviews, periodic infrastructure and database reviews, Vanta platform monitoring, and
internal and external audits. Feedback will be provided to the appropriate Reveal team(s) upon
completion of audits and reviews if remediation is required.
Exceptions
Any exception to the policy must be approved by the CTO in advance and placed on a risk
register for monitoring and periodic review.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and
including employment termination.
Responsibility
The CTO is responsible for ensuring this policy is followed.
Last updated: 2021-11-03