How we store your credentials for Azure DevOps Services
Azure DevOps Services
Important
Azure DevOps doesn't support Alternate Credentials authentication. If you're still using Alternate Credentials, we strongly encourage you to switch to a more secure authentication method.
Credential security
Microsoft is committed to ensuring that your projects remain safe and secure, without exception. In Azure DevOps, your projects benefit from multiple layers of security and governance technologies, operational practices, and compliance policies. We enforce data privacy and integrity both at rest and in transit. In addition, we adhere to the following practices with respect to the credentials or secrets that Azure DevOps stores. To learn more about how to choose the right authentication mechanism, see Guidance for authentication.
Personal access tokens (PATs)
- We store a hash of the PAT
- Raw PAT is generated in-memory on the server side as 32 random bytes from RNGCryptoServiceProvider, then shared with the caller as a base-32-encoded string. This value is NOT stored
- PAT hash is generated in-memory on the server side as an HMACSHA256Hash of the raw PAT using a 64-byte symmetric signing key stored in our key vault
- Hash is stored in our database
Secure shell (SSH) keys
- We store a hash of the enclosing organization ID and the SSH public key
- Raw public key is provided directly by the caller over SSL
- SSH hash is generated in-memory on the server side as an HMACSHA256Hash of the organization ID and raw public key using a 64-byte symmetric signing key stored in our key vault
- Hash is stored in our database
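The store-only-a-keyed-hash pattern described in the PAT and SSH key lists above, as an added Python sketch that is not Azure DevOps code. Assumptions: the signing key is generated locally instead of being fetched from a key vault, the HMAC is computed over the decoded 32 raw bytes, the token is shown lowercase without base-32 padding, a Python set stands in for the database, and a NUL byte joins the organization ID and public key.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: stands in for the 64-byte signing key the page says lives in a key vault.
SIGNING_KEY = secrets.token_bytes(64)


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_pat(store: set, key: bytes = SIGNING_KEY) -> str:
    """Create a PAT, persist only its HMAC, and return the raw value once."""
    raw = secrets.token_bytes(32)          # 32 bytes from the OS CSPRNG
    store.add(_mac(key, raw))              # only the keyed hash reaches the store
    # Assumption: padding stripped and lowercased for display.
    return base64.b32encode(raw).decode("ascii").rstrip("=").lower()


def verify_pat(store: set, presented: str, key: bytes = SIGNING_KEY) -> bool:
    """Decode the presented token, recompute the HMAC, and look it up."""
    try:
        padded = presented.upper() + "=" * (-len(presented) % 8)
        raw = base64.b32decode(padded)
    except ValueError:                     # binascii.Error subclasses ValueError
        return False
    # Indexed lookup by digest, as a database would do.
    return len(raw) == 32 and _mac(key, raw) in store


def ssh_key_hash(org_id: str, public_key: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Keyed hash over organization ID and SSH public key.

    Assumption: a NUL separator joins the two fields; the page does not say how.
    """
    return _mac(key, org_id.encode("utf-8") + b"\x00" + public_key)
```

Because the hash is keyed, a copy of the stored digests alone cannot be checked against guessed tokens without the signing key, and binding the organization ID into the SSH hash makes the same public key produce a different record in each organization.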
OAuth credentials (JWTs)
- These are issued as fully self-describing JSON web tokens (JWTs) and are NOT stored in our service
- The claims in JWTs issued and presented to our service are validated using a certificate stored in our key vault