Client Server Protocols
Glacier communicates with three different types of servers. HTTPS/TLS is used to transport chat messages, to access the directory, and to download and upload encrypted media files.
Chat protocol: Transports the end-to-end encrypted incoming and outgoing messages between the client and the Glacier servers over TLS 1.2.
User Authentication: The clients initially authenticate to the Glacier systems through an out-of-band authentication server. This data is encrypted in transit with TLS 1.2 and ECDHE. Data within the user authentication servers is encrypted at rest in accordance with industry standards.
File Upload: The file upload servers are used for temporary storage of large media data (e.g. images, videos, audio recordings). Such media is not sent directly via the chat protocol.
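The two transport properties named above, TLS 1.2 as the minimum version and ECDHE key exchange, are easy to state and easy to lose in a server configuration. The following Go program is an added example, not Glacier's own code: it builds a tls.Config with those properties and audits an arbitrary tls.Config against them, reporting an unpinned or too-low minimum version and any cipher suite that does not use ECDHE. The specific suite list is an assumption of this example, not Glacier's published configuration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// transportConfig returns a server-side tls.Config enforcing TLS 1.2 as the
// floor and ECDHE key exchange only (forward secrecy). The suite list is an
// assumption of this example, not a published Glacier setting.
func transportConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// suiteInfo looks a cipher suite ID up in both of Go's suite tables so that
// legacy suites (RC4, 3DES, RSA key exchange) can still be named in findings.
func suiteInfo(id uint16) *tls.CipherSuite {
	for _, s := range tls.CipherSuites() {
		if s.ID == id {
			return s
		}
	}
	for _, s := range tls.InsecureCipherSuites() {
		if s.ID == id {
			return s
		}
	}
	return nil
}

// isTLS13Only reports whether a suite is usable only with TLS 1.3, where key
// exchange is always (EC)DHE and the suite name carries no "ECDHE" prefix.
func isTLS13Only(s *tls.CipherSuite) bool {
	for _, v := range s.SupportedVersions {
		if v != tls.VersionTLS13 {
			return false
		}
	}
	return len(s.SupportedVersions) > 0
}

// auditConfig returns one finding per deviation from the "TLS 1.2 + ECDHE"
// policy. An empty result means the config satisfies it.
func auditConfig(c *tls.Config) []string {
	var findings []string
	switch {
	case c.MinVersion == 0:
		findings = append(findings, "MinVersion not pinned: the accepted floor depends on the Go version's default")
	case c.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", c.MinVersion))
	}
	if len(c.CipherSuites) == 0 {
		findings = append(findings, "CipherSuites not pinned: library defaults apply and may include non-ECDHE suites")
		return findings
	}
	for _, id := range c.CipherSuites {
		s := suiteInfo(id)
		if s == nil {
			findings = append(findings, fmt.Sprintf("unknown cipher suite 0x%04x", id))
			continue
		}
		if isTLS13Only(s) {
			continue
		}
		if !strings.HasPrefix(s.Name, "TLS_ECDHE_") {
			findings = append(findings, "non-ECDHE suite offered, no forward secrecy: "+s.Name)
		}
	}
	return findings
}

func main() {
	// Constructed weak config for comparison: TLS 1.0 floor and an RSA key-exchange suite.
	weak := &tls.Config{
		MinVersion:   tls.VersionTLS10,
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}
	for name, cfg := range map[string]*tls.Config{"weak": weak, "hardened": transportConfig()} {
		findings := auditConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Running it reports two findings for the constructed weak config (the version floor and the RSA key-exchange suite) and none for the hardened one. The same auditConfig call can be dropped into a test for any service's tls.Config so that a later edit cannot silently reopen TLS 1.0 or a non-forward-secret suite.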
Glacier encrypts both the boot and data volumes of each Core server. The following types of data are encrypted:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots and backups created from the volume
- All volumes created from those snapshots and backups
Glacier encrypts each volume with a data key using the industry-standard AES-256 algorithm. The data key is stored on disk alongside the encrypted data, but only in encrypted (wrapped) form; data keys never appear on disk in plaintext. For more advanced configurations, organizations can also provide a customer managed CMK (customer master key) in AWS KMS.
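The scheme described above is envelope encryption: the volume is encrypted under a random data key, and the data key is itself encrypted under a master key before it is written next to the ciphertext. The Go program below is an added example written for this page, not Glacier's or AWS's code. It assumes a 32-byte in-memory key (kek) standing in for the KMS master key and uses AES-256-GCM both for the volume contents and for wrapping the data key (KMS uses its own wrapping format; GCM is used here so the example runs offline). It goes one step beyond the text by showing what a customer managed CMK buys operationally: rotating the master key only rewraps the data key, the volume ciphertext is never touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// EncryptedVolume is the on-disk record: ciphertext plus the data key in
// wrapped (encrypted) form. A plaintext data key is never part of it.
type EncryptedVolume struct {
	WrappedKey []byte // data key encrypted under the KEK
	KeyNonce   []byte // nonce used when wrapping the data key
	Nonce      []byte // nonce used when encrypting the volume contents
	Ciphertext []byte
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key and a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; any change to nonce or ciphertext fails authentication.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EncryptVolume generates a fresh 256-bit data key, encrypts the contents
// with it, wraps the data key under kek, and zeroes the plaintext data key
// before returning. kek stands in for the KMS master key (assumption).
func EncryptVolume(kek, contents []byte) (*EncryptedVolume, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	defer zero(dataKey)
	nonce, ct, err := seal(dataKey, contents)
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(kek, dataKey)
	if err != nil {
		return nil, err
	}
	return &EncryptedVolume{WrappedKey: wrapped, KeyNonce: keyNonce, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptVolume unwraps the data key with kek, uses it once, and discards it.
func DecryptVolume(kek []byte, v *EncryptedVolume) ([]byte, error) {
	dataKey, err := open(kek, v.KeyNonce, v.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dataKey)
	return open(dataKey, v.Nonce, v.Ciphertext)
}

// RewrapDataKey rotates the master key: only the wrapped data key is
// rewritten; the volume ciphertext stays exactly as it was.
func RewrapDataKey(oldKEK, newKEK []byte, v *EncryptedVolume) error {
	dataKey, err := open(oldKEK, v.KeyNonce, v.WrappedKey)
	if err != nil {
		return fmt.Errorf("unwrap with old kek: %w", err)
	}
	defer zero(dataKey)
	keyNonce, wrapped, err := seal(newKEK, dataKey)
	if err != nil {
		return err
	}
	v.KeyNonce, v.WrappedKey = keyNonce, wrapped
	return nil
}

func main() {
	kek := make([]byte, 32) // constructed demo master key; a real one lives in KMS
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	v, err := EncryptVolume(kek, []byte("constructed block device contents"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptVolume(kek, v)
	fmt.Printf("round trip: %q err=%v wrapped key %d bytes\n", pt, err, len(v.WrappedKey))
}
```

Two properties worth checking against such a record: decryption with any key other than the current master key fails at the unwrap step (so a copied snapshot is useless without KMS access), and after RewrapDataKey the old master key no longer opens the volume while the ciphertext bytes are unchanged.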
Learn more about Amazon Web Services Key Management Service.