FolderGrid uses a system of dual-governance to fully separate the encryption keys used to secure your content from the encrypted data itself. Not only are the keys and encrypted data physically separated in distinct data centers but those data centers are controlled and operated by wholly separate entities.
Specifically, we store all encryption keys using infrastructure hosted by Atlantic.net - a provider with AICPA SOC 1 and SOC 2 Certified datacenters specializing in secure/compliant hosting. Your fully encrypted data is stored independently on Amazon AWS S3.
Generation & Storage
FolderGrid generates a distinct encryption key for every revision of every file stored on the service. These keys are generated on-demand for encrypting your content as it passes through our encryption grid before being permanently stored by our storage grid. After your file revision has been fully encrypted and stored (which happens in realtime without buffering to ensure your data is never fully reconstituted as plain text after it leaves your control), the associated encryption key is itself encrypted and then stored (encrypted at rest) on our encryption grid.
Each file revision's encryption key is only subsequently decrypted for the purpose of decrypting that same file revision's data in response to an authorized user's download request. Your content is decrypted in blocks of bytes that are immediately pushed downstream - as with the upload this is also accomplished without buffering to ensure your data is never fully decrypted on our platform.
Currently Employed Data Encryption Ciphers
FolderGrid currently uses the Bouncy Castle implementation of AES with a 256 bit length key in conjunction with the PBKDF2 Password-based-Key-Derivative-Function. Each version of every file stored by FolderGrid uses a distinct password and salt.