Data encryption

Who gets it

Data encryption in transit is automatically included in all New Relic subscriptions.

What data is encrypted

Encryption in transit applies to our agents and APIs. This also applies to any third-party telemetry sources that use TLS with New Relic, such as Prometheus OpenMetrics and other integrations.

How it works

Uses industry-standard transport layer security (TLS). Our preferred protocol for all domains is TLS 1.2. For more information about data transmission, firewalls, hosting, and storage, see our data security documentation.

Who gets it

Free for all New Relic customers where data is stored in Amazon AWS.

What data is encrypted

This encryption protects the physical disk where New Relic retains your data, including the following:

• Log management data

• Dimensional metrics data

  As we implement encryption at rest for additional telemetry types, your data will be encrypted automatically with no additional steps required by you.

How it works

New Relic uses Amazon AWS non-volatile, memory express SSD instance store volumes for disk-level data encryption at rest. The data on each instance storage device is encrypted using an XTS-AES-256 block cipher implemented in a hardware module on the instance.

Encryption keys are generated using the hardware module and are unique to each instance storage device. All encryption keys are destroyed when the instance stops or terminates, and they cannot be recovered.

As additional security measures:

• Disk-level encryption cannot be disabled.
• External encryption keys cannot be provided.

Who gets it

Account-level data encryption depends on your New Relic subscription and your account hierarchy. For example, if your data is encrypted at the parent account level, your child account data also is automatically encrypted at rest.

Available for:

• Government agencies

• Regulated industries, such as financial institutions and healthcare

• Other organizations that have heightened data protection needs or require compliance with PCI, HIPAA, or FedRAMP

  Account-level data encryption is available for approved customers. For more information, or to request account-level encryption, contact your New Relic account representative.

  Approved customers must send their data to New Relic's FedRAMP compliant endpoints.

What data is encrypted

Account-level encryption includes:

• Log management data
• Dimensional metrics used by Telemetry SDKs, Metric API, some integrations
• Events
• Distributed traces
• Backups for all data with account-level encryption

How it works

Master key:

>Key management is performed outside New Relic's database with a FIPS 140-2 certified library using AES-GCM with 256-bit keys. The FIPS-certified Key Management System (KMS) rotates annually for each per-environment master key. The master key is generated inside a hardware security module (HSM) that is not exposed or stored externally.

Data encryption key:

Data files are encrypted with an account-specific data encryption key (DEK) generated on our hosts and rotated daily. The data encryption key is sent to the KMS to be encrypted (wrapped) by the master key, and the wrapped data encryption key is stored along with the data file.

Process:

Before reading a file, a host must first send the wrapped data encryption key to the KMS to be decrypted. To improve performance, an unwrapped data encryption key is cached temporarily on the host. For more information, see our documentation about key management for encryption at rest.