Data encryption

Whether your data is in transit to New Relic or at rest in our storage, New Relic applies strong encryption to help protect it from unauthorized access and theft. This includes FIPS 140-2 compliance as well as security accreditation under the Federal Risk and Authorization Management Program (FedRAMP).

New Relic is authorized for Low Impact SaaS Services (FedRAMP Authorized Low) for accounts that meet specific criteria. As a cloud service provider, we are committed to meeting FedRAMP's requirements for the confidentiality, integrity, and availability of your data.

This document describes our data encryption methods, including who gets it, what data is encrypted, and how it works. For more information, see our security documentation and Security website, or contact your account representative.

Encryption in transit

All New Relic customers benefit from the security provided with data encryption in transit. TLS is required for all domains.

Who gets it

Data encryption in transit is automatically included in all New Relic subscriptions.

What data is encrypted

Encryption in transit applies to our agents and APIs. It also applies to third-party telemetry sources that send data to New Relic over TLS, such as the Prometheus OpenMetrics integration and other integrations.

How it works

Data in transit is protected with industry-standard Transport Layer Security (TLS). Additionally, our APM agents enable TLS by default (the agent configuration setting is still labeled SSL). For more information about data transmission, firewalls, hosting, and storage, see our data security documentation.

Disk encryption

New Relic's disk-based encryption provides additional security while your data is at rest (FIPS 140-2 compliant).

Who gets it

Included at no cost for all New Relic customers whose data is stored in Amazon Web Services (AWS).

What data is encrypted

This encryption protects the physical disk where New Relic retains your data, including the following:

As we implement encryption at rest for additional telemetry types, your data will be encrypted automatically with no additional steps required by you.

How it works

New Relic uses AWS Non-Volatile Memory Express (NVMe) SSD instance store volumes for disk-level encryption at rest. The data on each instance storage device is encrypted using the XTS-AES-256 block cipher mode, implemented in a hardware module on the instance.

Encryption keys are generated using the hardware module and are unique to each instance storage device. All encryption keys are destroyed when the instance stops or terminates, and they cannot be recovered.

As additional security measures:

  • Disk-level encryption cannot be disabled.
  • External encryption keys cannot be provided.

Account-level encryption

New Relic's account-level encryption at rest allows approved New Relic customers to benefit from even higher levels of security (FIPS 140-2 and FedRAMP Low compliant).

Who gets it

Account-level data encryption depends on your New Relic subscription and your account hierarchy. For example, if your data is encrypted at the master account level, your sub-account data also is automatically encrypted at rest.

Available for:

  • Government agencies
  • Regulated industries, such as financial institutions and healthcare
  • Other organizations that have heightened data protection needs or require compliance with PCI, HIPAA, or FedRAMP

Account-level data encryption is free for approved customers. For more information, or to request account-level encryption, contact your New Relic account representative.

What data is encrypted

Account-level encryption includes:

How it works

Master key:

Key management is performed outside New Relic's database, using a FIPS 140-2 certified library and AES-GCM with 256-bit keys. Each environment has its own master key, which the FIPS-certified Key Management System (KMS) rotates annually. The master key is generated inside a hardware security module (HSM) and is never exposed or stored outside it.

Data encryption key:

Data files are encrypted with an account-specific data encryption key (DEK) that is generated on our hosts and rotated daily. The DEK is sent to the KMS to be encrypted (wrapped) by the master key, and the wrapped DEK is stored along with the data file. This is the standard envelope-encryption pattern: the master key never leaves the KMS, and only wrapped keys are ever written to storage.

Process:

Before reading a file, a host must first send the wrapped data encryption key to the KMS to be decrypted. To improve performance, an unwrapped data encryption key is cached temporarily on the host.
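The master key, data encryption key, and process paragraphs above describe envelope encryption. The Go program below is an added example written for this page, not New Relic's code: a stand-in KMS holds a 256-bit master key and does nothing but wrap and unwrap DEKs (AES-256-GCM, with the account ID bound as associated data), a host keeps one DEK per account per day and stores the wrapped DEK beside each encrypted file, and a read unwraps through the KMS once and then serves from a local cache. The type and function names (KMS, Host, DataFile), the per-day rotation granularity, and the use of the account ID as associated data are illustrative assumptions; the page does not describe New Relic's actual key formats, rotation mechanics, or cache policy beyond what is stated above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func mustRandom(n int) []byte { // n CSPRNG bytes; a failing crypto/rand is unrecoverable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-GCM; every key here is 32 bytes, so a bad size is a bug.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// aeadSeal: AES-256-GCM, random nonce prepended; the AAD (an account ID) binds the blob to its account.
func aeadSeal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// aeadOpen reverses aeadSeal; any change to nonce, ciphertext, tag or AAD fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS stands in for the FIPS-certified key management system (assumed model): the
// 256-bit master key never leaves it; hosts can only ask it to wrap or unwrap a DEK.
type KMS struct{ master []byte }

func NewKMS() *KMS { return &KMS{master: mustRandom(32)} }
func (k *KMS) Wrap(acct string, dek []byte) []byte { return aeadSeal(k.master, dek, []byte(acct)) }
func (k *KMS) Unwrap(acct string, w []byte) ([]byte, error) { return aeadOpen(k.master, w, []byte(acct)) }

type DataFile struct { // what reaches disk: ciphertext plus the wrapped DEK protecting it
	AccountID  string
	WrappedDEK []byte
	Ciphertext []byte
}

type dekEntry struct{ plain, wrapped []byte } // a DEK and its KMS-wrapped form

// Host models one storage host (single-threaded; a real one needs locking and cache expiry).
// One DEK per (account, day) gives daily rotation without re-encrypting older files.
type Host struct {
	kms      *KMS
	deks     map[string]dekEntry // accountID + "/" + day -> current DEK
	cache    map[string][]byte   // wrapped DEK bytes -> plaintext DEK
	KMSCalls int                 // Unwrap round trips actually made
}

func NewHost(k *KMS) *Host { return &Host{kms: k, deks: map[string]dekEntry{}, cache: map[string][]byte{}} }

func (h *Host) currentDEK(acct, day string) dekEntry {
	id := acct + "/" + day
	if _, ok := h.deks[id]; !ok {
		plain := mustRandom(32)
		h.deks[id] = dekEntry{plain: plain, wrapped: h.kms.Wrap(acct, plain)}
	}
	return h.deks[id]
}

// WriteFile encrypts under the account's DEK for that day; only the wrapped DEK is stored.
func (h *Host) WriteFile(acct, day string, plaintext []byte) *DataFile {
	e := h.currentDEK(acct, day)
	return &DataFile{acct, e.wrapped, aeadSeal(e.plain, plaintext, []byte(acct))}
}

// ReadFile unwraps the file's DEK through the KMS (or the local cache), then decrypts.
func (h *Host) ReadFile(f *DataFile) ([]byte, error) {
	dek, ok := h.cache[string(f.WrappedDEK)]
	if !ok {
		var err error
		if dek, err = h.kms.Unwrap(f.AccountID, f.WrappedDEK); err != nil {
			return nil, err
		}
		h.KMSCalls++
		h.cache[string(f.WrappedDEK)] = dek
	}
	return aeadOpen(dek, f.Ciphertext, []byte(f.AccountID))
}
```

Two properties of the scheme are visible in the code: rotating the DEK never requires re-encrypting older files, because each file carries the wrapped key it was written under, and neither the master key nor any plaintext DEK is ever written to storage. The cache of unwrapped DEKs trades a small in-memory exposure window for fewer KMS round trips, which is why a production host bounds and expires it rather than keeping keys indefinitely.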
