Encryption Guide
At Rest
| Layer | Algorithm | Notes |
|---|---|---|
| Log store | AES-256-GCM (FIPS) | Same |
| Trace store | AES-256-GCM (FIPS) | Same |
| Object store (S3-compatible) | SSE-KMS via AES-256 | Bucket key per tenant |
| Checkpoint inventory | SHA-256 + AES-256 (envelope) | Manifest encrypted |
| Backups | AES-256-GCM | Customer-managed key |
Envelopes:
- Generate a 256-bit DEK per record (or per 24h window for high-volume paths).
- Encrypt the plaintext with the DEK.
- Encrypt the DEK with the customer-managed KMS key.
- Store
{encrypted, kms_ciphertext, iv, aad}together.
In Transit
- TLS 1.3 only.
- mTLS agent↔CP via X.509 with workload identity.
- Inside a cluster, network policies restrict egress to known endpoints.
- The collector enforces
tls_min_version=tls1.3.
KMS Providers
| Provider | Crate | Notes |
|---|---|---|
| GCP KMS | google-cloud-kms | Customer-managed |
| Azure Key Vault | azure_security_keyvault | Customer-managed |
| HashiCorp Vault | vaultrs | Transit engine |
| PKCS#11 HSM | pkcs11 + cryptoki | Air-gapped |
FIPS Mode
Set DENPEX_FIPS=1 to disable:
- Chacha20 (use only AES-GCM).
- RSA-2048 (use only RSA-3072+ for non-PQC).
- Anything that uses libsodium without FIPS-validation.
FIPS mode is enforced at compile time and tested in CI.
Key Rotation
Each DEK has a 24-hour lifetime; the KEK rotates quarterly. The control plane keeps the previous KEK for grace_period_days after rotation so old ciphertexts remain decryptable during migrating windows.