On-Premises Security

Security You Can Trust

Identity Mesh runs entirely within your network. Your identity data never leaves your infrastructure, protected by DPAPI encryption, Windows Negotiate auth, and comprehensive audit logging.

Security Posture

Built for on-premises deployment with enterprise security at every layer

Identity Mesh is designed as on-premises software that deploys within your own data center or private infrastructure. Your identity data stays entirely within your network — there is no cloud dependency, no external data transfer, and no multi-tenant shared infrastructure. This architecture gives you complete data sovereignty and control over your security posture.

Security Features

Secret Protection (DPAPI + AES-256)

Connection strings, passwords, API keys, and sensitive configuration values are encrypted at rest using Windows DPAPI and resolved at runtime via {{secret:name}} references. Secrets are never stored in plaintext.

  • AES-256 encryption via Windows DPAPI
  • Machine-bound keys (LocalMachine scope)
  • TLS 1.2+ for all connector connections
  • Runtime-only decryption (secrets never in config files)

Access Control

Role-based access control with Windows Negotiate authentication (Kerberos/NTLM) for the Admin UI and API. Negotiate uses Kerberos only when a service principal name (SPN) is registered for the Admin API host and falls back to NTLM otherwise, so register the SPN and confirm that logons are actually Kerberos.

  • Role-based access control (RBAC)
  • Windows Negotiate auth (Kerberos/NTLM)
  • Least-privilege principle

Comprehensive Auditing

Every identity operation is logged with full context — before/after values, confidence scores, connector source, and timestamps.

  • Before/after value tracking
  • Run history per connector
  • Admin action logging via API

Encryption Architecture

How Identity Mesh protects secrets at rest and in transit

Secrets at Rest — Windows DPAPI

Identity Mesh uses the Windows Data Protection API (DPAPI) to encrypt all secrets stored in the SQL database. DPAPI is a built-in Windows cryptographic service that provides symmetric encryption without requiring your application to manage encryption keys directly.

How DPAPI Works

  1. AES-256 encryption — DPAPI uses AES-256-CBC (Advanced Encryption Standard with 256-bit keys) as its underlying cipher and authenticates each blob with an HMAC, so a blob that has been modified is rejected instead of being decrypted to garbage.
  2. Machine master key — Each blob is encrypted with a key derived from the machine's DPAPI master key and a random per-blob salt. The master key is itself protected by the DPAPI_SYSTEM secret that the LSA holds, and it is stored only on the server where Identity Mesh is installed.
  3. No key management burden — You do not need to generate, rotate, store, or distribute encryption keys. Windows creates master keys and rotates them automatically through the LSA (Local Security Authority), keeping older keys so that existing blobs remain readable.
  4. Machine-bound — A blob protected on one server cannot be decrypted on another. Even if the SQL database is copied, the secrets remain encrypted and unreadable without the originating server's master key. Two practical consequences: the protection is against offline copies of the database, not against code already running on the server (see LocalMachine Scope below), and a rebuilt or replaced server cannot read the old blobs, so plan to re-enter secrets after a migration or a disaster-recovery rebuild.

LocalMachine Scope

Identity Mesh encrypts secrets using the LocalMachine scope by default. Any process running on the server can decrypt the secret, but it cannot be decrypted on any other machine. This is the recommended scope for Windows services, and it means the server itself is the trust boundary: whoever can run code on it, including an attacker who obtains local administrator or SYSTEM rights, can read every LocalMachine-scoped secret. Host hardening and tight control of administrative access to the server are therefore part of the secret-protection design, not separate from it.

CurrentUser Fallback

When secrets are initially created via the Admin API (running as a service account), they may use CurrentUser scope. The engine automatically attempts CurrentUser first, then falls back to LocalMachine for seamless decryption regardless of scope. Note that a CurrentUser-scoped blob can only be decrypted by the Windows account that created it, on that machine, so the Admin API and the engine must run under the same service account for that path to work; if the engine runs under a different identity, only LocalMachine-scoped secrets are readable to it.
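The following is an added example, not Identity Mesh code, showing the behaviour described in the Secret Protection and Encryption Architecture sections above: a value protected with DPAPI in LocalMachine or CurrentUser scope, a {{secret:name}} resolver that tries CurrentUser first and then LocalMachine, and what happens when a stored blob is modified. It assumes Windows PowerShell 5.1 on Windows; the in-memory store, the Protect-Secret, Unprotect-Secret and Resolve-SecretReferences function names, and every sample value are illustrative stand-ins for the product's SQL-backed secret store.

```powershell
# Added example, not Identity Mesh code. Assumes Windows PowerShell 5.1.
# The store, function names and sample values are illustrative.
Add-Type -AssemblyName System.Security

$script:SecretStore = @{}   # name -> base64 DPAPI blob (constructed, in-memory)

function Protect-Secret {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value,
        [System.Security.Cryptography.DataProtectionScope]$Scope = 'LocalMachine'
    )
    $plain = [Text.Encoding]::UTF8.GetBytes($Value)
    # Second argument is optional entropy; with $null, any process on this host
    # (LocalMachine) or any process running as this user (CurrentUser) can decrypt.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $Scope)
    [Array]::Clear($plain, 0, $plain.Length)
    $script:SecretStore[$Name] = [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([Parameter(Mandatory)][string]$Name)
    $blob = [Convert]::FromBase64String($script:SecretStore[$Name])
    # Same order the page describes: CurrentUser first, then LocalMachine.
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        try {
            $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
            return [Text.Encoding]::UTF8.GetString($plain)
        } catch {
            # CryptographicException: wrong scope, other user, other machine, or a
            # blob whose HMAC no longer matches. Try the next scope.
        }
    }
    throw "Secret '$Name' cannot be decrypted on $env:COMPUTERNAME as $env:USERNAME."
}

function Resolve-SecretReferences {
    param([Parameter(Mandatory)][string]$Template)
    # Substitute {{secret:name}} tokens at call time only; the template itself
    # (what would sit in configuration) never carries the plaintext.
    [regex]::Replace($Template, '\{\{secret:([A-Za-z0-9_.-]+)\}\}',
        { param($m) Unprotect-Secret -Name $m.Groups[1].Value })
}

# --- walkthrough with constructed values ------------------------------------
Protect-Secret -Name 'ldap-bind' -Value 'S3cr3t!bind'  -Scope LocalMachine
Protect-Secret -Name 'sql-pass'  -Value 'Pa55w0rd#sql' -Scope CurrentUser

"stored form of ldap-bind: $($script:SecretStore['ldap-bind'].Substring(0, 24))..."

$template = 'Server=sql01;Database=IdentityMesh;User ID=svc_mesh;Password={{secret:sql-pass}};Encrypt=True'
"resolved at runtime:      $(Resolve-SecretReferences -Template $template)"

# Integrity: flip one byte of the stored blob and decryption is refused outright.
$raw = [Convert]::FromBase64String($script:SecretStore['ldap-bind'])
$raw[$raw.Length - 1] = $raw[$raw.Length - 1] -bxor 1
$script:SecretStore['ldap-bind'] = [Convert]::ToBase64String($raw)
try { Unprotect-Secret -Name 'ldap-bind' } catch { "tampered blob: $($_.Exception.Message)" }
```

Run the script once as the service account and once as a different user on the same server: the LocalMachine blob resolves in both cases, the CurrentUser blob only for the account that created it. Copy the base64 blobs to another machine and neither resolves, which is the machine-binding the page relies on for database copies and backups.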

What Gets Encrypted

  • LDAP bind passwords (Active Directory)
  • SQL connection string credentials
  • OAuth client secrets and API keys
  • Relay agent API keys
  • Certificate private keys
  • Any value referenced via {{secret:name}}

Data in Transit

  • Admin API ↔ Admin Portal — HTTPS (TLS 1.2+) with Windows Negotiate authentication
  • Engine ↔ Active Directory — LDAP over TLS (LDAPS, port 636) or StartTLS on port 389
  • Engine ↔ SQL Server — TLS-encrypted connections with TrustServerCertificate configurable. Keep TrustServerCertificate=false in production and give SQL Server a certificate your servers trust: setting it to true still encrypts the channel but skips certificate validation, so the connection no longer detects an interposed server.
  • Admin API ↔ Relay Agent — HTTPS SignalR with API key authentication; the agent initiates the connection (outbound-only), so no inbound port has to be opened toward the agent's network
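An added example, not Identity Mesh code or configuration, for the Engine ↔ SQL Server path above: it builds the weak connection string beside the hardened one and then asks SQL Server itself what it negotiated for the session, which also shows whether the Windows logon used Kerberos or NTLM. It assumes Windows PowerShell 5.1 with the built-in System.Data.SqlClient provider; the server name sql01.corp.example, the database name and the Test-SqlTransport function name are illustrative.

```powershell
# Added example, not Identity Mesh code. Assumes Windows PowerShell 5.1.
# Host, database and function names are illustrative.

# Weak: the channel is encrypted, but the client accepts any certificate,
# so a host interposed with a self-signed certificate is not detected.
$weak = [System.Data.SqlClient.SqlConnectionStringBuilder]::new()
$weak.DataSource             = 'sql01.corp.example'
$weak.InitialCatalog         = 'IdentityMesh'
$weak.IntegratedSecurity     = $true    # Windows auth: no password in the string
$weak.Encrypt                = $true
$weak.TrustServerCertificate = $true    # the setting to avoid in production

# Hardened: identical, except the server certificate must chain to a CA the
# engine host trusts and its subject/SAN must match DataSource.
$hardened = [System.Data.SqlClient.SqlConnectionStringBuilder]::new($weak.ConnectionString)
$hardened.TrustServerCertificate = $false

function Test-SqlTransport {
    param([Parameter(Mandatory)][string]$ConnectionString)
    $conn = [System.Data.SqlClient.SqlConnection]::new($ConnectionString)
    try {
        # With TrustServerCertificate=false an untrusted or mismatched certificate
        # fails here with an SSL Provider error instead of silently connecting.
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # sys.dm_exec_connections reports what the server negotiated for this session.
        $cmd.CommandText = @'
SELECT net_transport, encrypt_option, auth_scheme
FROM sys.dm_exec_connections
WHERE session_id = @@SPID
'@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                Transport  = $reader['net_transport']
                Encrypted  = $reader['encrypt_option']   # 'TRUE' when TLS is in use
                AuthScheme = $reader['auth_scheme']      # expect 'KERBEROS', not 'NTLM'
            }
        }
    } finally {
        $conn.Dispose()
    }
}

"weak:     $($weak.ConnectionString)"
"hardened: $($hardened.ConnectionString)"
Test-SqlTransport -ConnectionString $hardened.ConnectionString
```

If the hardened string fails to open while the weak one succeeds, the SQL Server certificate is the problem (self-signed, wrong host name, or issued by a CA the engine host does not trust), and the right fix is the certificate, not switching TrustServerCertificate back to true. An AuthScheme of NTLM on the hardened connection usually means the SQL Server service account has no SPN registered.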

License Protection

Identity Mesh licenses are cryptographically signed using RSA-4096 with SHA-256 signatures. The public key is embedded in the engine binary, and the license file is verified on every sync cycle. Because only the holder of the private key can produce a valid signature, a license file that has been edited or fabricated fails verification and is rejected.

On-Premises by Design

Your data never leaves your infrastructure

Windows Service Deployment

Installed as a Windows Service via MSI on your own servers. No cloud infrastructure required.

Your SQL Server Database

All identity data, audit logs, and configuration are stored in your own SQL Server instance.

Air-Gapped Compatible

No outbound internet connections required. The sync engine operates entirely within your network perimeter.

Complete Data Sovereignty

You control where your data resides, how it's backed up, and who has access. No third-party data processing.

Security Documentation

We're happy to share details about our security architecture

Need to evaluate Identity Mesh for your security and compliance requirements? Contact us for an architecture overview, deployment guide, and answers to your security questionnaire.

Request Documentation

Have Security Questions?

Our team is ready to discuss your requirements and answer any questions about our security posture.