← Back to reference

Encryption Guide

At Rest

LayerAlgorithmNotes
Log storeAES-256-GCM (FIPS)Same
Trace storeAES-256-GCM (FIPS)Same
Object store (S3-compatible)SSE-KMS via AES-256Bucket key per tenant
Checkpoint inventorySHA-256 + AES-256 (envelope)Manifest encrypted
BackupsAES-256-GCMCustomer-managed key

Envelopes:

  1. Generate a 256-bit DEK per record (or per 24h window for high-volume paths).
  2. Encrypt the plaintext with the DEK.
  3. Encrypt the DEK with the customer-managed KMS key.
  4. Store {encrypted, kms_ciphertext, iv, aad} together.

In Transit

  • TLS 1.3 only.
  • mTLS agent↔CP via X.509 with workload identity.
  • Inside a cluster, network policies restrict egress to known endpoints.
  • The collector enforces tls_min_version=tls1.3.

KMS Providers

ProviderCrateNotes
GCP KMSgoogle-cloud-kmsCustomer-managed
Azure Key Vaultazure_security_keyvaultCustomer-managed
HashiCorp VaultvaultrsTransit engine
PKCS#11 HSMpkcs11 + cryptokiAir-gapped

FIPS Mode

Set DENPEX_FIPS=1 to disable:

  • Chacha20 (use only AES-GCM).
  • RSA-2048 (use only RSA-3072+ for non-PQC).
  • Anything that uses libsodium without FIPS-validation.

FIPS mode is enforced at compile time and tested in CI.

Key Rotation

Each DEK has a 24-hour lifetime; the KEK rotates quarterly. The control plane keeps the previous KEK for grace_period_days after rotation so old ciphertexts remain decryptable during migrating windows.