When you connect to a SharePoint site that uses HTTPS, the data transitioning through the ShareGate migration tool will be encrypted.
When you connect to Microsoft 365 your connection is always encrypted. Microsoft also encrypts the data that transitions to Azure when you use Insane mode.
The latest version of the ShareGate migration tool is built with version 4.6.2 of .NET framework. This version supports TLS 1.0 / 1.1 / 1.2 but we strongly suggest at least TLS 1.1 (TLS 1.2 if you can) for your SharePoint on-premises environments.
Note: TLS 1.0 is considered vulnerable and it can cause connectivity issues with some of your sites. SSL 3.0 and RC4 cipher are no longer supported by the .NET framework 4.6. A security vulnerability was identified in the SSL 3.0 protocol that could allow an attacker to decrypt data. For enhanced security, some SharePoint features now disable SSL 3.0 connection encryption by default, as well as certain encryption algorithms with known weaknesses.
SharePoint 2016 supports TLS 1.2 connection encryption by default. When you set up an SSL binding in Internet Information Services (IIS) Manager to host your web application, SharePoint uses TLS 1.2 connection encryption if your client application supports it. SharePoint also supports TLS 1.2 connection encryption when connecting to other systems (for example when crawling websites).
Microsoft 365 connections are always encrypted with HTTPS and TLS 1.2.
Insane mode migrations
When you migrate to a Microsoft 365 destination in Insane mode, your content is sent to an Azure storage before it is sent to your SharePoint destination.
Microsoft uses impressive encryption security for that process. This means that even if an attacker could break into Microsoft facilities to obtain your data (which is highly improbable), the data would be unreadable.
Microsoft Azure uses AES CBC 256 Standard encryption. With AES encryption, both the sender and the receiver of data must have the same key in order to decrypt and read the data.
The key to your storage is provided by a service in your destination tenant. This key will be stored on a local database within your machine for a period of 72 hours and is not viewable unless you download a manifest package with the ShareGate migration tool.
Encryption is done on your content prior to the upload, on the machine running the ShareGate migration tool. The encryption key is then given to the service at the destination.
Once the migration is completed and the data has successfully been uploaded to Microsoft 365, your data is deleted in Azure within one week when you use the default Azure storage included for migrations with your Microsoft 365 subscription.
If you use a custom storage for this process, you must delete the data in your Azure storage account manually.
For the steps to delete the content in your custom Azure storage, see Clear data in your Microsoft Azure storage account.
Note: Your data is encrypted with AES CBC 256 Standard encryption whether you are using the default or custom storage account. We only recommend using your Azure account if you need to have long-term access to your manifest packages.
Security and compliance
You can download our Security and Compliance PDF for an overview of our policies.
The ShareGate migration tool is GDPR (General Data Protection Regulation) compliant.