Can you further explain the encryption process and where encryption keys are stored?

Add-on:
Security and Encryption for Confluence Cloud
Question:
Can you further explain the encryption process and where encryption keys are stored?
Answer:

To break this down:

Q. Could you please explain the encryption process?
A. During Secret creation, a PGP (ECC) key pair is generated in the Secret creator's browser and used to encrypt the Secret there. The PGP keys are then protected with AES encryption before being stored in the Security & Encryption app's database (external to Confluence), without the passphrase. The passphrase and the encrypted Secret are stored in Confluence Cloud as custom content with restrictions applied.


Q. Where are the PGP encryption keys stored?
A. The PGP key pairs are encrypted and stored in the app’s database, outside of Confluence. The passphrase to decrypt them is encrypted and stored in a separate location in Confluence Cloud.


Q. Is there a way for Confluence admins to decrypt the data?
A. Confluence admins have no access to the PGP keys stored in our app’s database. They will not be able to decrypt any Secret content without these keys. Conversely, ServiceRocket cannot decrypt the encrypted PGP key without the passphrase stored on Confluence, even though ServiceRocket is the app’s database administrator.