Enterprise 11 authentication with Control Room

When a Bot Creator or Bot Runner tries to connect to Control Room, the credentials are encrypted using RSA (2048-bit key length) and then transmitted over the existing Transport Layer Security (TLS) layer.

This extra layer of message-level encryption provides protection against network stack issues (such as Heartbleed, where OpenSSL was leaking sensitive data from memory) and also adds protection to the last hop of the connection when TLS is terminated at the load balancer. These credentials are decrypted by Control Room and authenticated against the stored user password hashes (PBKDF2 and HMAC SHA512 algorithm) or against Active Directory via Lightweight Directory Access Protocol (LDAP).

Field-level encryption is added within TLS connections for passwords.
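
The hashed-password check described above can be sketched as follows. This is an added example, not Control Room code: the iteration count, salt length, record format and the function names are assumptions, since the page names only PBKDF2 with HMAC SHA512.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters: the page names PBKDF2 with HMAC SHA512 but gives no
# iteration count, salt length or storage format.
ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2-sha512", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2-sha512" or not expected or not 1 <= iterations <= 10_000_000:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# Record with no matching account, used so unknown users cost the same work.
_DUMMY_RECORD = hash_password("constructed-dummy-value")


def authenticate(username: str, password: str, store: dict) -> bool:
    """Check a decrypted credential against the hashed-password store."""
    record = store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # keep timing uniform
        return False
    return verify_password(password, record)
```

Because the salt and iteration count are stored with each hash, the work factor can be raised later without invalidating existing records.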