Security FAQ for Credential Stores in Orchestrator
Issue Description:
Security FAQ for Credential Stores in Orchestrator
Resolution:
Here is a collection of encryption-related FAQs for credential stores in Orchestrator:
1. Are Orchestrator Credential Assets encrypted? If yes, what is the encryption level?
- They are encrypted in transit with HTTPS (TLS 1.2) and at rest with AES 256.
Credentials stored in UiPath Orchestrator are encrypted using AES (Advanced Encryption Standard) with a 256-bit key. This is a widely recognized encryption standard that provides a high level of security. The encryption keys are managed securely and are not directly accessible. UiPath also enforces encryption in transit. All communications inbound to the UiPath Platform services and products require at least TLS 1.2.
2. Where is the encryption key used to encrypt Orchestrator Credential Asset stored?
- The encryption key is stored in Azure Key Vault.
3. How is the encryption key secured, and who (applications/users/organizations) can access it? (Consider on-premises installations as well as UiPath Cloud Orchestrator instances)
- For on-premises instances, customers control the encryption keys. For Automation Cloud, we manage them with Azure Key Vault and PIM, as described in our SOC 2 Type 2 report.
4. When a Robot requests an Orchestrator Credential Asset, where does decryption take place? (Consider the Orchestrator database as well as CyberArk Vault)
- Decryption happens when the credential is requested through an app call, as an automated function of the backend code.
5. Is the value of an Orchestrator Credential Asset encrypted while it is transferred to the Bot? What is the encryption level?
- UiPath enforces encryption in transit. All communications inbound to the UiPath Platform services and products require at least TLS 1.2.