Open deepal opened 8 years ago
We are also not using sync for a similar reason.
Alternatively, we would prefer to self host our collections (security and version control reasons), having support in the Run Button from this as well (more so than just environments).
Add me as a requestor as well. Any chance we will see this soon? Or at least the ability to exclude environments from the sync?
Yes, Paw has this support and Postman should too, otherwise a lot of business will be lost to it.
That would be super important to our company, too.
@godfrzero mentioned at Slack: Environments are never synced in plaintext though. They're encrypted before being stored on the server.
Official security page says: Customer data, depending upon its sensitivity classification, is also AES-256-GCM encrypted at the application layer before storage.
The question is: what exactly does this application layer mean?
The point of client-side encryption is that we don't have to trust you to manage the keys properly, because you don't have them.
@nathanboktae exactly. @maxmarkus & @godfrzero yep. Same for "depending upon its sensitivity classification" - could need some clarification, too.
Same here. I don't want to sync as the data can be confidential. A way to set a password and use it to encrypt at the client side before syncing would be ideal. Or you could provide some container (part of Postman enterprise or something) which I can put on a private cloud, point the URL to sync it?
Guys, client side encryption is on our radar. I'll let you guys know here when we have something.
Does anyone know if there has been any movement on this?
Hi @madebysid, do you have any update on this? As for me, it would be a good feature for an enterprise license. You can allow, for example, a few envs for free and any additional can be paid. Now we can't use Postman in our company because for strict security reasons our creds should never be transmitted to the internet.
Now we can't use Postman in our company because for strict security reasons our creds should never be transmitted to the internet.
That is not strict, it's reasonable and should be the policy of every company. It was that way when I was at my last < 10 person startup. This feature is a deal breaker for corporate usage, period. I have no idea why it's not being worked on immediately.
Any update on this? This is also blocking us from using Postman in many scenarios.
Very much a deal breaker where I work, a shame too, would be so helpful.
Folks. We just released this notion of sessions which are local to the Postman app and even if you are signed in, variable values (creds, passwords) don't ever have to hit our servers. More details here: http://blog.getpostman.com/2018/08/09/sessions-faq/
Hi, I have been using Postman for a long time and I would appreciate it if I could encrypt sync data (Postman requests, environments, authorization credentials etc.) from the client side. This way I can make sure my sync data is more secure rather than relying on server side encryption.
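
The password-based client-side encryption requested in this thread, sketched as an added example; it is not part of the original discussion and not Postman's code. The function names, the envelope layout and the choice of scrypt as the key-derivation function are assumptions made for illustration; the sample environment is constructed.

```javascript
// Added example (not Postman code): encrypt an environment with a
// password-derived key before it leaves the client, so the sync server
// only ever stores ciphertext and never holds the key.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const VERSION = 1; // hypothetical envelope version, bound into the AAD

// scrypt is an assumed KDF choice; the thread only asks for "a password".
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Returns a JSON-safe envelope; only this object would be synced.
function sealEnvironment(name, values, password) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(`${VERSION}:${name}`)); // ties ciphertext to the env name
  const ct = Buffer.concat([cipher.update(JSON.stringify(values), 'utf8'), cipher.final()]);
  return {
    v: VERSION, name,
    salt: salt.toString('base64'), iv: iv.toString('base64'),
    ct: ct.toString('base64'), tag: cipher.getAuthTag().toString('base64'),
  };
}

// Throws if the password is wrong or any envelope field was altered.
function openEnvironment(envelope, password) {
  const b = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, b(envelope.salt));
  const decipher = createDecipheriv('aes-256-gcm', key, b(envelope.iv));
  decipher.setAAD(Buffer.from(`${envelope.v}:${envelope.name}`));
  decipher.setAuthTag(b(envelope.tag));
  const pt = Buffer.concat([decipher.update(b(envelope.ct)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data.
const sample = { baseUrl: 'https://api.example.test', apiKey: 'constructed-secret-123' };
const sealed = sealEnvironment('staging', sample, 'correct horse battery staple');
console.log(JSON.stringify(sealed).includes('constructed-secret-123')); // false
console.log(openEnvironment(sealed, 'correct horse battery staple').apiKey);
```

Because the key is derived on the client and the password is never part of the envelope, a server that stores the envelope cannot decrypt it, which is the property the thread distinguishes from application-layer encryption done by the service.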