NOTE: You are viewing documentation for the MoovJS/Adapt version of the Moovweb SDK

Security

Sharing Private Data with Moovweb

Moovweb considers the protection of our customers’ private data — especially personally-identifiable information (PII), private keys, secrets, etc. — to be one of our most important responsibilities. As such, we employ a number of security best practices when such private data must change hands.

One method we use to ensure the integrity/authenticity of private data is to require that data be signed and encrypted using PGP.

Required Tools

In order to sign/encrypt your data, you will need:

  • GnuPG — For a comprehensive list of available distributions/packages, go to the GnuPG download page. However, if you’re a Mac user, we recommend installing GPG Tools.

  • Keybase — Grab the installer for your operating system on the Keybase download page.

Without a Keybase account, you are limited to encryption only. In order to sign the encrypted output, you will need to sign up for a free Keybase account. We recommend doing so, as a cryptographic signature helps the recipient ensure integrity/authenticity of the encrypted data.

Our PGP Public Keys

The following are the public keys which belong to our Platform Engineering and Site Reliability Engineering team members:

Encrypting & Signing Data

Using Keybase (Recommended)

Use the following command to encrypt a file (in this example: key.pem) for the Keybase user “jdelsman”, sign it using your PGP secret key, and save the output to another file:

keybase pgp encrypt jdelsman \
  --no-self \
  --infile key.pem \
  --outfile key.pem.asc \
  --sign

Using GPG & cURL

If you have GnuPG and your public/secret keyring is already set up, you may opt to fetch an engineer’s public key using cURL and import it into your keyring:

curl https://keybase.io/glennonng/key.asc | gpg --import

gpg: key 667303BF4CCCBFCA: public key "Glennon Ng <glennon.ng@moovweb.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Once you’ve imported the key, you can run any gpg commands you’d like. To encrypt/sign a file using the newly imported key:

gpg --encrypt --sign --armor -r 667303BF4CCCBFCA -o key.pem.asc key.pem
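
The import step above pipes the download straight into the keyring. As an added example (not part of Moovweb's documentation), the functions below inspect the downloaded file first and import it only if it holds exactly one primary key whose fingerprint ends in the key ID shown in the import output above. The function names and sample listings are constructed for illustration and the fingerprint prefixes are placeholders; a full fingerprint confirmed out of band is a stronger check than a 16-hex key ID.

```shell
#!/bin/sh
# Added example: inspect a downloaded key file before `gpg --import`.
EXPECTED_KEYID="667303BF4CCCBFCA"   # long key ID from the import output on this page

# primary_fprs: read `gpg --with-colons` output on stdin and print the
# fingerprint (field 10 of the first "fpr" record) of each primary key.
primary_fprs() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "fpr" && want { print toupper($10); want = 0 }
  '
}

# key_file_ok LISTING KEYID: succeed only if LISTING holds exactly one
# primary key and that key's fingerprint ends with KEYID.
key_file_ok() {
  fprs=$(printf '%s\n' "$1" | primary_fprs)
  count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
  [ "$count" -eq 1 ] || return 1
  case "$fprs" in
    *"$2") return 0 ;;
    *)     return 1 ;;
  esac
}

# fetch_and_import URL: download to a temp file, list its keys without
# importing (show-only), and import only if the check passes.
# Defined but not called here, since it needs network access and gpg.
fetch_and_import() {
  tmp=$(mktemp) || return 1
  curl -fsS "$1" -o "$tmp" &&
    listing=$(gpg --with-colons --import-options show-only --import "$tmp") &&
    key_file_ok "$listing" "$EXPECTED_KEYID" &&
    gpg --import "$tmp"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Constructed listings (not real gpg output): placeholder fingerprints,
# trimmed to the record types the check reads.
SAMPLE_FPR="AAAAAAAAAAAAAAAAAAAAAAAA${EXPECTED_KEYID}"
GOOD_LISTING="pub:-:4096:1:${EXPECTED_KEYID}:
fpr:::::::::${SAMPLE_FPR}:
sub:-:4096:1:BBBBBBBBBBBBBBBB:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:"
TWO_KEY_LISTING="pub:-:4096:1:CCCCCCCCCCCCCCCC:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
${GOOD_LISTING}"
```

Calling `fetch_and_import https://keybase.io/glennonng/key.asc` takes the place of the `curl | gpg --import` pipeline; a file carrying an extra or different key is rejected before anything reaches the keyring.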

Sending Encrypted Data to Moovweb

Once the file(s) are signed and encrypted, please e-mail them directly to support@moovweb.com. Be sure to include the name of the engineer whose public key you encrypted the data for in either the subject line or the body of the message, and add the encrypted files as attachments.

Once we receive the data, our system will send you a confirmation along with a ticket ID. Also, you can reference this ticket ID with your engagement manager.