This guide provides security hardening recommendations for Psono deployments. It covers encryption, authentication, access control, audit logging, compliance, and production security best practices for Linux DevOps teams.
Latest Security Audit: Cure53 (March 2025) | Certification: ISO 27001 (September 2025)
Psono employs a multi-level encryption architecture with defense-in-depth security controls:
```text
Security Layers
  Layer 1: Client-Side Encryption (Browser/App)
  Layer 2: End-to-End Encryption (Sharing)
  Layer 3: Transport Encryption (TLS/SSL)
  Layer 4: Storage Encryption (Database)
  Layer 5: Network Security (Firewall, Isolation)
  Layer 6: Access Control (Authentication, Authorization)
```
| Aspect | Details |
|---|---|
| Auditor | Cure53 (renowned cybersecurity firm) |
| Duration | 12 days |
| Team Size | 5 security researchers |
| Scope | Browser addons (Chrome, Firefox, Edge), Backend API, Source code |
| Type | White-box penetration test + source code audit |

| Severity | Count | Status |
|---|---|---|
| Critical | 0 | ✓ None found |
| High | 1 | ✓ Fixed & verified |
| Medium | 3 | ✓ Fixed & verified |
| Low/Misc | 4 | ✓ Fixed & verified |
| Total | 8 | ✓ All resolved |
Report: Security Audit 2025 - Cure53
| Year | Auditor | Focus | Result |
|---|---|---|---|
| 2024 | X41 D-Sec GmbH | Cryptography audit | ✓ Passed |
| 2023 | Trovent | Full penetration test | ✓ Passed |
| 2022 | Linkspirit | Security assessment | ✓ Passed |
Certified: September 2025
Psono (esaqa GmbH) achieved ISO 27001 certification for information security management, demonstrating commitment to security best practices and continuous improvement.
| Layer | Technology | Purpose |
|---|---|---|
| Client-Side | libsodium (NaCl) in the browser/app client | Encrypt before transmission |
| End-to-End | AES-256-GCM | Secure sharing between users |
| Transport | TLS 1.3 | Network communication |
| Storage | Database encryption | Data at rest |
```yaml
Encryption:
  Algorithm: AES-256-GCM
  Key_Derivation: PBKDF2-SHA256
  Key_Length: 256 bits
  Salt_Length: 128 bits
  IV_Length: 96 bits
Key_Exchange:
  Algorithm: ECDH (Elliptic Curve Diffie-Hellman)
  Curve: Curve25519
Hashing:
  Algorithm: Argon2id
  Memory: 64 MB
  Iterations: 3
  Parallelism: 4
```
```yaml
Key_Hierarchy:
  - Master_Key: User-derived (password + salt)
  - Encryption_Key: Protects secret data
  - Sharing_Key: Enables secure sharing
  - API_Key: Programmatic access
```
```yaml
Key_Rotation:
  User_Password_Change: Automatic re-encryption
  Periodic_Rotation: Recommended every 90 days
  Emergency_Rotation: Documented procedure
```
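The Python below is an added example, not Psono's own code, showing the key hierarchy and PBKDF2 parameters above in working form: the user's password and a 128-bit salt are stretched with PBKDF2-SHA256 into a 256-bit Master_Key, which HKDF-Expand then splits into an authentication key (the only thing the server ever receives) and an encryption key that never leaves the client. The iteration count, the HKDF info labels and the enroll/verify_login functions are assumptions made for this illustration; Psono's real client derives its keys with its own scheme, so treat this as the pattern rather than the implementation.

```python
import hashlib
import hmac
import os

# Parameters taken from the configuration above: PBKDF2-SHA256, 256-bit key, 128-bit salt.
KEY_LENGTH = 32            # 256 bits
SALT_LENGTH = 16           # 128 bits
# Assumption (not on this page): OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def derive_master_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the user's password into the 256-bit Master_Key of the key hierarchy."""
    if len(salt) != SALT_LENGTH:
        raise ValueError("salt must be 128 bits")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LENGTH)


def hkdf_expand(prk: bytes, info: bytes, length: int = KEY_LENGTH) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256; PBKDF2 output is already uniform, so it serves as the PRK."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def split_keys(master_key: bytes) -> tuple:
    """Derive two purpose-bound subkeys: one the server may see, one that never leaves the client."""
    auth_key = hkdf_expand(master_key, b"example:authentication")    # info labels are assumptions
    enc_key = hkdf_expand(master_key, b"example:secret-encryption")
    return auth_key, enc_key


def enroll(password: str) -> dict:
    """Client-side enrollment: the record handed to the server holds only the salt and the auth key."""
    salt = os.urandom(SALT_LENGTH)
    auth_key, _enc_key = split_keys(derive_master_key(password, salt))
    return {"salt": salt, "auth_key": auth_key}


def verify_login(record: dict, password: str) -> bool:
    """Login check in constant time; the encryption key is recomputed client-side and never compared."""
    auth_key, _enc_key = split_keys(derive_master_key(password, record["salt"]))
    return hmac.compare_digest(auth_key, record["auth_key"])


if __name__ == "__main__":
    record = enroll("correct horse battery staple")
    print("login ok:", verify_login(record, "correct horse battery staple"))
    print("wrong password rejected:", not verify_login(record, "Tr0ub4dor&3"))
```

In a real deployment the server should not store the received auth key verbatim but a slow hash of it (the Argon2id parameters listed above are the natural choice), so that a copy of the user table cannot be replayed as a login; the split itself is what keeps a server-side breach from exposing the encryption key.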
```yaml
# Recommended password policy (a policy summary, not a literal Psono settings block)
Password_Policy:
  Minimum_Length: 12
  Require_Uppercase: true
  Require_Lowercase: true
  Require_Numbers: true
  Require_Special_Chars: true
  Max_Age_Days: 90        # NIST SP 800-63B advises against forced periodic rotation; keep only if a compliance regime requires it
  History_Count: 12       # Prevent reuse of last 12 passwords
  Lockout_Threshold: 5    # Failed attempts before lockout
  Lockout_Duration: 300   # Seconds (5 minutes)
```
```yaml
# Enable and enforce 2FA
MFA:
  Enabled: true
  Required_For_Admins: true
  Required_For_All_Users: false  # Consider enabling
  Supported_Methods:
    - TOTP (Google Authenticator, Authy)
    - U2F/FIDO2 (YubiKey, security keys)
    - WebAuthn/Passkeys (v14+)
  Backup_Codes:
    Enabled: true
    Count: 10
    Single_Use: true
```
```yaml
# Session configuration
Session:
  Cookie_Secure: true        # HTTPS only
  Cookie_HttpOnly: true      # No JavaScript access
  Cookie_SameSite: Lax       # CSRF protection
  Timeout_Minutes: 30        # Idle timeout
  Absolute_Max_Age: 1209600  # 2 weeks (seconds)
  Concurrent_Sessions: 5     # Max per user
```
```yaml
# Recommended role structure
Roles:
  Super_Admin:
    Description: Full system access
    Count: 2-3  # Minimum for redundancy
    MFA_Required: true
  Admin:
    Description: User and group management
    Count: Limited
    MFA_Required: true
  Group_Admin:
    Description: Manage specific groups
    Count: As needed
    MFA_Required: true
  User:
    Description: Standard user access
    Count: All users
    MFA_Required: recommended
```
| Action | Super Admin | Admin | Group Admin | User |
|---|---|---|---|---|
| Create users | ✓ | ✓ | ✗ | ✗ |
| Delete users | ✓ | ✓ | ✗ | ✗ |
| Manage groups | ✓ | ✓ | ✓ (own) | ✗ |
| Create secrets | ✓ | ✓ | ✓ | ✓ |
| Share secrets | ✓ | ✓ | ✓ (own group) | ✓ (own) |
| View audit logs | ✓ | ✓ | ✓ (own group) | ✗ |
| System config | ✓ | ✗ | ✗ | ✗ |
| API key mgmt | ✓ | ✓ | ✗ | ✓ (own) |
```yaml
# Emergency access procedure
Emergency_Access:
  Accounts: 2  # Minimum break-glass accounts
  Credentials:
    Storage: Physical safe or HSM
    Access_Log: Required
    Rotation: Every 90 days or after use
  Procedure:
    - 1. Document reason for emergency access
    - 2. Retrieve credentials from secure storage
    - 3. Use account for required actions only
    - 4. Change credentials immediately after use
    - 5. Document all actions taken
    - 6. Notify security team within 24 hours
```
```bash
# UFW configuration (Debian/Ubuntu)
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH with connection rate limiting (consider changing the port);
# "ufw limit" denies an address that opens more than 6 connections in 30 seconds
sudo ufw limit 22/tcp comment 'SSH'

# Allow HTTP/HTTPS
sudo ufw allow 80/tcp comment 'HTTP (redirect)'
sudo ufw allow 443/tcp comment 'HTTPS'

# Enable firewall
sudo ufw enable
sudo ufw status verbose

# Caveat: Docker inserts its own iptables chains ahead of UFW, so any port a container
# publishes (e.g. "-p 5432:5432") is reachable from outside regardless of the rules above.
# Publish only nginx's 80/443 and bind anything else to loopback ("127.0.0.1:5432:5432").
```
```nginx
# /etc/nginx/nginx.conf
http {
    # Security headers. add_header directives are inherited from http/server only when the
    # server or location block defines none of its own; repeat them in any block that adds headers.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The XSS auditor is deprecated and was a side-channel source in older browsers; disable it explicitly
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Verify this CSP against the Psono web client before enforcing it; tighten or relax per the console errors
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Hide server version
    server_tokens off;

    # Rate limiting: the zone is inert until a limit_req directive references it
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

    server {
        listen 443 ssl http2;

        # Modern TLS configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;

        # Apply the zone declared above (10 req/s per client, short bursts tolerated)
        limit_req zone=api_limit burst=20 nodelay;

        # ... rest of configuration
    }
}
```
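The checker below is an added example (it is not from this page or from Psono) for verifying that the nginx headers above actually reach the client. It parses a raw HTTP response header block and reports the gaps a reviewer looks for: an HSTS max-age under a year, a missing nosniff, a CSP that permits inline or eval scripts, no clickjacking protection, a Server header that leaks a version, and an X-XSS-Protection value other than 0. Both embedded responses are constructed for the example; to test a live deployment, pass in the output of `curl -sI https://<your-psono-host>/`.

```python
MIN_HSTS_MAX_AGE = 31_536_000   # one year; the nginx block above sets two years


def parse_response_headers(raw: str) -> dict:
    """Header block of a raw HTTP response (as printed by `curl -sI`) to a lower-cased dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:     # the first line is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def _hsts_max_age(value: str) -> int:
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return 0


def _csp_directives(value: str) -> dict:
    """Map each CSP directive name to its full text, e.g. {'script-src': "script-src 'self'"}."""
    return {d.strip().split()[0]: d.strip() for d in value.split(";") if d.strip()}


def check_security_headers(raw_response: str) -> list:
    """Return findings for the headers the nginx block is meant to set; an empty list means all present."""
    h = parse_response_headers(raw_response)
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif _hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {_hsts_max_age(hsts)} is below one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = _csp_directives(csp)
        # script-src falls back to default-src when absent, exactly as browsers evaluate it
        script_src = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
            findings.append("CSP allows inline or eval scripts")
        if "frame-ancestors" not in directives and "x-frame-options" not in h:
            findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")
    server = h.get("server", "")
    if any(c.isdigit() for c in server):
        findings.append(f"Server header leaks a version: {server}")
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection is enabled; the filter is deprecated, send 0 or drop the header")
    return findings


# Constructed responses: one as the hardened nginx block would send, one from a default install
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options: nosniff",
    "X-Frame-Options: SAMEORIGIN",
    "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';",
    "Referrer-Policy: strict-origin-when-cross-origin",
])
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: nginx/1.18.0",
    "Strict-Transport-Security: max-age=300",
    "X-XSS-Protection: 1; mode=block",
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'",
])

if __name__ == "__main__":
    print("hardened:", check_security_headers(HARDENED_RESPONSE))
    print("weak:", *check_security_headers(WEAK_RESPONSE), sep="\n  ")
```

The checker deliberately does not flag `'unsafe-inline'` in style-src, matching the nginx block above; inline styles are a much smaller risk than inline scripts, and the Psono client needs them.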
```yaml
# Docker network configuration
Network:
  Type: Bridge (isolated)
  Subnet: 172.28.0.0/16
  Services:
    Psono_Server:
      Exposed_Ports: None (internal only)
      Accessible_By: Nginx only
    PostgreSQL:
      Exposed_Ports: None (internal only)
      Accessible_By: Psono server only
    Redis:
      Exposed_Ports: None (internal only)
      Accessible_By: Psono server only
    Nginx:
      Exposed_Ports: 80, 443
      Accessible_By: Public
```
```yaml
# docker-compose.yml security settings
services:
  psono-server:
    security_opt:
      - no-new-privileges:true
    # read_only requires every path the image writes at runtime (logs, pid files, sockets)
    # to live on a tmpfs or a volume; verify against the image version you deploy
    read_only: true
    tmpfs:
      - /tmp
      - /run
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE  # only needed if the process binds a port below 1024
    user: "1000:1000"  # Non-root user
  postgres:
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    # With all capabilities dropped the entrypoint cannot chown the data directory,
    # so the data volume must already be owned by uid/gid 999
    user: "999:999"  # postgres user
```
```yaml
# Use specific version tags (not 'latest' in production)
image: psono/psono-server:15.1
```

```bash
# Check for Docker Content Trust signatures (only meaningful if the publisher signs its images)
docker trust inspect psono/psono-server:15.1

# Scan for vulnerabilities ("docker scan" has been retired; use Docker Scout or Trivy)
docker scout cves psono/psono-server:15.1
trivy image psono/psono-server:15.1
```
```yaml
# Prevent DoS via resource exhaustion (deploy.resources is honored by Docker Compose v2 without Swarm)
deploy:
  resources:
    limits:
      cpus: '2.0'
      memory: 2G
    reservations:
      cpus: '0.5'
      memory: 512M
```
```yaml
# Enable logging
Logging:
  Level: INFO   # DEBUG for troubleshooting
  Format: JSON  # For SIEM integration
  Events_To_Log:
    - Authentication_Success
    - Authentication_Failure
    - Authorization_Failure
    - Secret_Create
    - Secret_Read
    - Secret_Update
    - Secret_Delete
    - Secret_Share
    - User_Create
    - User_Delete
    - Permission_Change
    - Configuration_Change
    - API_Key_Use
    - Export_Operation
```
```yaml
# Centralized logging setup
Log_Aggregation:
  Method: Syslog or JSON file
  Destination: SIEM (Splunk, ELK, Graylog)
  Retention: 365 days  # Compliance requirement
  Example_Elasticsearch:
    Host: elasticsearch.example.com
    Port: 9200
    Index: psono-logs
    SSL: true
```
```yaml
# Security alerts
Alerts:
  - Name: Multiple_Failed_Logins
    Condition: failed_login_count > 5 within 5 minutes
    Action: Block IP, notify admin
  - Name: Privilege_Escalation_Attempt
    Condition: unauthorized_admin_access
    Action: Block user, notify security team
  - Name: Mass_Export_Detected
    Condition: export_count > 100 within 1 hour
    Action: Notify admin, require approval
  - Name: Off_Hours_Access
    Condition: admin_login outside business_hours
    Action: Notify security team
```
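As an added example (not Psono's code), the following Python runs three of the alert rules above over JSON audit events of the kind listed under Events_To_Log: a sliding window per source IP for Multiple_Failed_Logins, a per-user window for Mass_Export_Detected, and an off-hours check on admin logins for Off_Hours_Access. The field names (ts, event, user, ip, role), the business-hours definition (08:00-18:00 UTC, Monday to Friday) and the sample log lines are assumptions constructed for the example; Psono's actual log schema may differ, so adapt parse_event to it before pointing this at real data.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the alert rules above
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
EXPORT_THRESHOLD = 100
EXPORT_WINDOW = timedelta(hours=1)
# Assumption (not on the page): business hours are 08:00-18:00 UTC, Monday to Friday
BUSINESS_HOURS = (8, 18)


def parse_event(line: str) -> dict:
    """Assumed schema: {"ts": ISO-8601, "event": <Events_To_Log name>, "user", "ip", "role"?}."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def _count_in_window(window: deque, ts: datetime, span: timedelta) -> int:
    """Sliding window: keep only the timestamps within `span` of the newest event."""
    window.append(ts)
    while ts - window[0] > span:
        window.popleft()
    return len(window)


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def evaluate(lines) -> list:
    """Return (rule, subject, timestamp) tuples; lines must arrive in timestamp order."""
    alerts = []
    failures = defaultdict(deque)   # keyed by source IP
    exports = defaultdict(deque)    # keyed by user
    for line in lines:
        ev = parse_event(line)
        kind, ts = ev["event"], ev["ts"]
        if kind == "Authentication_Failure":
            if _count_in_window(failures[ev["ip"]], ts, FAILED_LOGIN_WINDOW) > FAILED_LOGIN_THRESHOLD:
                alerts.append(("Multiple_Failed_Logins", ev["ip"], ts))
                failures[ev["ip"]].clear()      # one alert per burst; the IP gets blocked at this point
        elif kind == "Export_Operation":
            if _count_in_window(exports[ev["user"]], ts, EXPORT_WINDOW) > EXPORT_THRESHOLD:
                alerts.append(("Mass_Export_Detected", ev["user"], ts))
                exports[ev["user"]].clear()
        elif kind == "Authentication_Success" and ev.get("role") == "admin" and is_off_hours(ts):
            alerts.append(("Off_Hours_Access", ev["user"], ts))
    return alerts


def _line(ts: str, event: str, **fields) -> str:
    return json.dumps({"ts": ts, "event": event, **fields})


# Constructed sample log (2025-03-01 is a Saturday, 2025-03-03 a Monday)
SAMPLE_LOG = [
    _line("2025-03-01T12:00:00", "Authentication_Success", user="root-admin", ip="192.0.2.1", role="admin"),
    _line("2025-03-03T09:00:00", "Authentication_Success", user="root-admin", ip="192.0.2.1", role="admin"),
    # six failures from one IP within five minutes: fires once, on the sixth
    *[_line(f"2025-03-03T10:0{i}:00", "Authentication_Failure", user="alice", ip="203.0.113.7")
      for i in range(6)],
    # five failures spread over 24 minutes: never more than one in any five-minute window
    *[_line(f"2025-03-03T11:{6 * i:02d}:00", "Authentication_Failure", user="bob", ip="198.51.100.9")
      for i in range(5)],
    # 101 exports by one user inside 34 minutes: fires on the 101st
    *[_line(f"2025-03-03T12:{i // 3:02d}:{20 * (i % 3):02d}", "Export_Operation", user="carol", ip="192.0.2.2")
      for i in range(101)],
]

if __name__ == "__main__":
    for rule, subject, ts in evaluate(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} {subject}")
```

Clearing a window after it fires is what turns "block IP" into a single alert per burst instead of one per subsequent failure; a SIEM rule that lacks that suppression will page on every retry once the threshold is crossed.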
```yaml
# Secure backup configuration
Backup:
  Encryption:
    Enabled: true
    Algorithm: AES-256-GCM
    Key_Storage: HSM or secure vault
  Storage:
    Location: Off-site or cloud storage
    Access: Restricted (need-to-know)
    Retention: 90 days minimum
  Integrity:
    Checksum: SHA-256
    Verification: After each backup
```
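An added example (not Psono's code) for the Integrity part of the block above: it writes a SHA-256 manifest for a backup set, authenticates the manifest with an HMAC under a key that lives outside the backup location (the HSM or vault named under Key_Storage), and verifies the set afterwards, reporting modified, missing and unexpected files. Without the MAC an attacker who can alter the backup can simply rewrite the checksum list too. The directory layout, file names and key are constructed for the demo; encrypting the backup itself (AES-256-GCM per the configuration) is left to the backup tool and not shown here.

```python
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST = "MANIFEST.json"


def sha256_file(path: str) -> str:
    """Stream the file so multi-gigabyte dumps need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _walk(backup_dir: str):
    """Relative paths of every file in the set, excluding the manifest itself."""
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            if name != MANIFEST:
                yield os.path.relpath(os.path.join(root, name), backup_dir)


def _mac(entries: dict, key: bytes) -> str:
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def write_manifest(backup_dir: str, key: bytes) -> str:
    """Hash every file and authenticate the hash list with a key kept outside the backup."""
    entries = {rel: sha256_file(os.path.join(backup_dir, rel)) for rel in _walk(backup_dir)}
    path = os.path.join(backup_dir, MANIFEST)
    with open(path, "w") as fh:
        json.dump({"files": entries, "mac": _mac(entries, key)}, fh, indent=2, sort_keys=True)
    return path


def verify_backup(backup_dir: str, key: bytes) -> list:
    """Return a sorted list of problems; an empty list means the set matches the manifest."""
    with open(os.path.join(backup_dir, MANIFEST)) as fh:
        manifest = json.load(fh)
    expected = manifest["files"]
    if not hmac.compare_digest(_mac(expected, key), manifest["mac"]):
        return ["manifest MAC mismatch"]      # the file list itself cannot be trusted
    problems, seen = [], set()
    for rel in _walk(backup_dir):
        seen.add(rel)
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
        elif sha256_file(os.path.join(backup_dir, rel)) != expected[rel]:
            problems.append(f"modified: {rel}")
    problems.extend(f"missing: {rel}" for rel in expected if rel not in seen)
    return sorted(problems)


def demo(key: bytes = b"constructed-manifest-key") -> tuple:
    """Constructed backup set: (intact result, wrong-key result, tampered result)."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "media"))
        with open(os.path.join(d, "psono-db.sql.gz"), "wb") as fh:
            fh.write(b"constructed database dump")
        with open(os.path.join(d, "media", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed")
        write_manifest(d, key)
        intact = verify_backup(d, key)
        wrong_key = verify_backup(d, b"some-other-key")
        with open(os.path.join(d, "psono-db.sql.gz"), "ab") as fh:
            fh.write(b"!")                                   # stand-in for corruption in transit
        os.remove(os.path.join(d, "media", "logo.png"))      # lost file
        with open(os.path.join(d, "extra.bin"), "wb") as fh:
            fh.write(b"planted")                             # file that was never backed up
        tampered = verify_backup(d, key)
    return intact, wrong_key, tampered


if __name__ == "__main__":
    for label, result in zip(("intact", "wrong key", "tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```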
| Requirement | Psono Implementation |
|---|---|
| Data Minimization | Only essential data stored |
| Purpose Limitation | Clear data usage policies |
| Accuracy | User-managed data |
| Storage Limitation | Configurable retention |
| Integrity & Confidentiality | Multi-level encryption |
| Accountability | Audit logging enabled |
Psono can support HIPAA compliance when properly configured:
Note: Consult legal/compliance team for specific requirements.
Psono's security controls align with SOC 2 Type II requirements:
| Resource | URL |
|---|---|
| Psono Documentation | https://doc.psono.com/ |
| Security Audit 2025 (Cure53) | https://psono.com/upload/security-audit-2025-cure53.pdf |
| Security Audit 2024 (X41) | https://psono.com/blog/security-audit-2024 |
| ISO 27001 Announcement | https://psono.com/blog/iso-27001-certification |
| Psono Security Blog | https://psono.com/blog |
| Tool | Purpose |
|---|---|
| SSL Labs | TLS configuration testing |
| Mozilla Observatory | Security header analysis |
| Docker Scout / Trivy | Container vulnerability scanning (the former `docker scan` command is retired) |
| Fail2ban | Intrusion prevention |
| OSSEC/Wazuh | Host-based intrusion detection |