Security Hardening — End-to-End Encryption, Agent Protection, and Certificate Security

June 2025

Security is the foundation of GrantFlow. Over the past several months, we have shipped a series of security hardening improvements that strengthen protection at every layer — from browser to backend to on-premises agent.

End-to-End Encrypted Password Reveal

Account passwords stored in GrantFlow are now protected with a multi-layer encryption scheme:

  • At rest — Passwords are encrypted using keys managed in Azure Key Vault.
  • In transit — The password reveal flow uses end-to-end encryption: the browser generates an ephemeral key pair for each reveal request, the backend encrypts the password to the browser's public key, and the private key never leaves your browser. An attacker who intercepts the network traffic therefore cannot recover the password.
  • In memory — Sensitive values are encrypted with per-entry keys while held in memory.

Agent Certificate Protection

On-premises Active Directory agents now protect their identity certificates with platform-native security mechanisms:

  • On Windows, the private key is encrypted with a key bound to the agent service account's credentials, and the key file is restricted with file system permissions so that only the agent service account can read it
  • On Linux, the equivalent file permission restrictions are enforced: the key file is owned by the agent account and is not readable by other users

This prevents other users and processes on the agent host that do not run as the agent account from reading the agent's identity certificate and private key. It does not protect against a local administrator or root on the agent host, so the host itself still needs to be hardened.

Encrypted Enrollment Tokens

The agent enrollment flow now uses end-to-end encrypted tokens:

  • Enrollment tokens are encrypted before they are stored
  • Tokens are single-use: once a token has been redeemed, only a cryptographic hash of it is retained and it is marked consumed, so a replayed token is rejected
  • The enrollment service validates a token's authenticity, and that it has not already been consumed, before issuing a certificate

Message-Level Encryption

Beyond transport-layer encryption (TLS), GrantFlow now applies message-level encryption to sensitive job payloads. This provides defense in depth: even if transport security were compromised, job data containing passwords or sensitive operations remains encrypted with industry-standard authenticated encryption, which also detects any tampering with the payload.

What This Means for You

These improvements require no action from administrators — they are automatically applied to all GrantFlow deployments. If you manage on-premises agents, ensure they are updated to the latest version to benefit from certificate protection enhancements.
