Encryption
Azotte employs enterprise-grade encryption to protect sensitive data at rest, in transit, and during processing, ensuring comprehensive security across all operations.
Encryption Overview
Encryption Types
- Data at Rest: Database and file system encryption
- Data in Transit: TLS/SSL for API communications
- Data in Processing: Application-level encryption
- Key Management: Hardware Security Module (HSM) protection
Encryption Standards
- AES-256: Advanced Encryption Standard for symmetric encryption
- RSA-4096: Public key cryptography for key exchange
- ECDSA: Elliptic Curve Digital Signature Algorithm
- SHA-256: Secure hash algorithm for data integrity
Data at Rest Encryption
Database Encryption
-- Transparent Data Encryption (TDE) enabled
ALTER DATABASE azotte_production
SET ENCRYPTION ON
WITH ENCRYPTION_KEY = 'AES_256';
-- Column-level encryption for sensitive fields
CREATE TABLE customers (
id VARCHAR(50) PRIMARY KEY,
name VARCHAR(255),
email VARCHAR(255),
-- Encrypted payment method data
payment_data VARBINARY(MAX)
ENCRYPTED WITH (
COLUMN_ENCRYPTION_KEY = payment_key,
ENCRYPTION_TYPE = DETERMINISTIC,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
)
);
File System Encryption
interface FileEncryption {
algorithm: 'AES-256-GCM';
key_derivation: 'PBKDF2';
salt_length: 32;
iteration_count: 100000;
authentication_tag: boolean;
}
class EncryptedFileStorage {
private encryptionKey: Buffer;
constructor(masterKey: string) {
this.encryptionKey = this.deriveKey(masterKey);
}
async encryptFile(filePath: string, data: Buffer): Promise<void> {
const cipher = crypto.createCipher('aes-256-gcm', this.encryptionKey);
const iv = crypto.randomBytes(16);
const encryptedData = Buffer.concat([
cipher.update(data),
cipher.final()
]);
const authTag = cipher.getAuthTag();
const finalData = Buffer.concat([iv, authTag, encryptedData]);
await fs.writeFile(filePath, finalData);
}
async decryptFile(filePath: string): Promise<Buffer> {
const fileData = await fs.readFile(filePath);
const iv = fileData.slice(0, 16);
const authTag = fileData.slice(16, 32);
const encryptedData = fileData.slice(32);
const decipher = crypto.createDecipher('aes-256-gcm', this.encryptionKey);
decipher.setAuthTag(authTag);
return Buffer.concat([
decipher.update(encryptedData),
decipher.final()
]);
}
}
Data in Transit Encryption
TLS Configuration
# Nginx TLS configuration
server {
listen 443 ssl http2;
server_name api.azotte.com;
# TLS 1.3 only
ssl_protocols TLSv1.3;
# Strong cipher suites
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# Certificate configuration
ssl_certificate /path/to/certificate.pem;
ssl_certificate_key /path/to/private-key.pem;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
}
API Client Encryption
class EncryptedApiClient {
constructor(apiKey, encryptionKey) {
this.apiKey = apiKey;
this.encryptionKey = encryptionKey;
}
async makeSecureRequest(endpoint, data) {
// Encrypt request payload
const encryptedPayload = this.encryptPayload(data);
const response = await fetch(`https://api.azotte.com${endpoint}`, {
method: 'POST',
headers: {
'Authorization': `Bearer ${this.apiKey}`,
'Content-Type': 'application/json',
'X-Encryption-Algorithm': 'AES-256-GCM'
},
body: JSON.stringify({
encrypted_data: encryptedPayload.data,
iv: encryptedPayload.iv,
auth_tag: encryptedPayload.authTag
})
});
return this.decryptResponse(await response.json());
}
encryptPayload(data) {
const iv = crypto.getRandomValues(new Uint8Array(12));
const key = crypto.subtle.importKey(
'raw',
this.encryptionKey,
'AES-GCM',
false,
['encrypt']
);
const encrypted = crypto.subtle.encrypt(
{ name: 'AES-GCM', iv },
key,
new TextEncoder().encode(JSON.stringify(data))
);
return {
data: Array.from(new Uint8Array(encrypted)),
iv: Array.from(iv),
authTag: Array.from(new Uint8Array(encrypted.slice(-16)))
};
}
}
Key Management System
Hardware Security Modules (HSM)
interface HSMConfiguration {
provider: 'AWS CloudHSM' | 'Azure Dedicated HSM' | 'Thales Luna';
key_operations: {
generate: boolean;
store: boolean;
encrypt: boolean;
decrypt: boolean;
sign: boolean;
verify: boolean;
};
backup_strategy: {
automatic_backup: boolean;
cross_region_replication: boolean;
retention_period_days: number;
};
}
class KeyManagementService {
private hsm: HSMClient;
constructor(hsmConfig: HSMConfiguration) {
this.hsm = new HSMClient(hsmConfig);
}
async generateEncryptionKey(keySpec: string): Promise<string> {
const keyId = await this.hsm.generateKey({
keySpec: keySpec,
keyUsage: ['ENCRYPT_DECRYPT'],
origin: 'HSM'
});
return keyId;
}
async encryptData(keyId: string, plaintext: string): Promise<EncryptedData> {
return await this.hsm.encrypt({
keyId: keyId,
plaintext: Buffer.from(plaintext),
encryptionAlgorithm: 'RSAES_OAEP_SHA_256'
});
}
async rotateKey(keyId: string): Promise<string> {
const newKeyId = await this.generateEncryptionKey('AES_256');
// Re-encrypt all data with new key
await this.reencryptWithNewKey(keyId, newKeyId);
// Schedule old key deletion
await this.scheduleKeyDeletion(keyId, 30); // 30 days
return newKeyId;
}
}
Key Rotation Strategy
interface KeyRotationPolicy {
master_keys: {
rotation_interval_days: 90;
automatic_rotation: boolean;
notification_before_days: 7;
};
data_encryption_keys: {
rotation_interval_days: 365;
automatic_rotation: boolean;
};
api_keys: {
rotation_interval_days: 180;
require_manual_approval: boolean;
};
}
class KeyRotationScheduler {
private rotationPolicy: KeyRotationPolicy;
constructor(policy: KeyRotationPolicy) {
this.rotationPolicy = policy;
}
scheduleAutomaticRotation() {
// Schedule master key rotation
cron.schedule('0 0 */90 * *', () => {
this.rotateMasterKeys();
});
// Schedule DEK rotation
cron.schedule('0 0 */365 * *', () => {
this.rotateDataEncryptionKeys();
});
}
async rotateMasterKeys() {
const keys = await this.getKeysNearingExpiration('master', 7);
for (const key of keys) {
await this.notifyKeyRotation(key);
await this.performKeyRotation(key);
}
}
}
Application-Level Encryption
Field-Level Encryption
import cryptography
from cryptography.fernet import Fernet
class FieldEncryption:
def __init__(self, encryption_key):
self.fernet = Fernet(encryption_key)
def encrypt_field(self, field_value):
"""Encrypt a single field value"""
if field_value is None:
return None
encrypted = self.fernet.encrypt(field_value.encode())
return encrypted.decode()
def decrypt_field(self, encrypted_value):
"""Decrypt a single field value"""
if encrypted_value is None:
return None
decrypted = self.fernet.decrypt(encrypted_value.encode())
return decrypted.decode()
# Usage in Django models
class Customer(models.Model):
name = models.CharField(max_length=255)
email = models.EmailField()
# Encrypted fields
_ssn = models.TextField() # Store encrypted
_credit_card = models.TextField() # Store encrypted
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self.encryptor = FieldEncryption(settings.FIELD_ENCRYPTION_KEY)
@property
def ssn(self):
return self.encryptor.decrypt_field(self._ssn)
@ssn.setter
def ssn(self, value):
self._ssn = self.encryptor.encrypt_field(value)
Envelope Encryption
package encryption
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"encoding/base64"
)
type EnvelopeEncryption struct {
masterKey []byte
kms KMSClient
}
type EncryptedEnvelope struct {
EncryptedData []byte `json:"encrypted_data"`
EncryptedDEK []byte `json:"encrypted_dek"`
IV []byte `json:"iv"`
}
func (ee *EnvelopeEncryption) Encrypt(data []byte) (*EncryptedEnvelope, error) {
// Generate Data Encryption Key (DEK)
dek := make([]byte, 32) // 256-bit key
if _, err := rand.Read(dek); err != nil {
return nil, err
}
// Encrypt data with DEK
encryptedData, iv, err := ee.encryptWithAES(data, dek)
if err != nil {
return nil, err
}
// Encrypt DEK with master key via KMS
encryptedDEK, err := ee.kms.Encrypt(dek, ee.masterKey)
if err != nil {
return nil, err
}
return &EncryptedEnvelope{
EncryptedData: encryptedData,
EncryptedDEK: encryptedDEK,
IV: iv,
}, nil
}
func (ee *EnvelopeEncryption) Decrypt(envelope *EncryptedEnvelope) ([]byte, error) {
// Decrypt DEK using KMS
dek, err := ee.kms.Decrypt(envelope.EncryptedDEK, ee.masterKey)
if err != nil {
return nil, err
}
// Decrypt data using DEK
return ee.decryptWithAES(envelope.EncryptedData, dek, envelope.IV)
}
Performance Optimization
Encryption Caching
# Redis configuration for encryption key caching
# Limit cache TTL for security
SETEX encryption_key:user_123 3600 "encrypted_key_data"
# Cache encrypted data to avoid re-encryption
SETEX encrypted_data:payment_456 1800 "encrypted_payment_data"
Hardware Acceleration
// Using Intel AES-NI instructions for hardware acceleration
#include <wmmintrin.h>
void aes_encrypt_block(__m128i *data, __m128i *key_schedule) {
*data = _mm_xor_si128(*data, key_schedule[0]);
for (int i = 1; i < 10; i++) {
*data = _mm_aesenc_si128(*data, key_schedule[i]);
}
*data = _mm_aesenclast_si128(*data, key_schedule[10]);
}
// Benchmark results show 4-8x performance improvement
// with hardware acceleration vs software implementation
Compliance & Standards
FIPS 140-2 Compliance
encryption_modules:
level_3_hsm:
certification: "FIPS 140-2 Level 3"
vendor: "Thales Luna Network HSM"
algorithms:
- AES (128, 192, 256)
- RSA (2048, 3072, 4096)
- ECDSA (P-256, P-384, P-521)
- SHA (224, 256, 384, 512)
level_2_software:
certification: "FIPS 140-2 Level 2"
library: "OpenSSL FIPS Object Module"
validated_algorithms:
- AES-GCM
- RSA-OAEP
- ECDH
Common Criteria Evaluation
interface SecurityProfile {
evaluation_assurance_level: 'EAL4+';
protection_profile: 'Application Software Protection Profile';
security_targets: {
confidentiality: 'HIGH';
integrity: 'HIGH';
availability: 'MEDIUM';
};
threat_model: {
insider_threats: boolean;
network_attacks: boolean;
physical_access: boolean;
};
}
Monitoring & Alerting
Encryption Health Metrics
interface EncryptionMetrics {
key_rotation_status: {
last_rotation: Date;
next_scheduled: Date;
overdue_keys: number;
};
performance_metrics: {
encryption_latency_ms: number;
decryption_latency_ms: number;
throughput_ops_per_sec: number;
};
security_events: {
failed_decryptions: number;
key_access_violations: number;
algorithm_downgrade_attempts: number;
};
}
class EncryptionMonitoring {
async checkKeyHealth(): Promise<EncryptionMetrics> {
return {
key_rotation_status: await this.getKeyRotationStatus(),
performance_metrics: await this.getPerformanceMetrics(),
security_events: await this.getSecurityEvents()
};
}
async alertOnAnomalies(metrics: EncryptionMetrics) {
if (metrics.security_events.failed_decryptions > 100) {
await this.sendAlert('HIGH', 'Unusual number of decryption failures');
}
if (metrics.performance_metrics.encryption_latency_ms > 1000) {
await this.sendAlert('MEDIUM', 'Encryption performance degraded');
}
}
}
Testing & Validation
Encryption Testing
describe('Encryption Service', () => {
const encryptionService = new EncryptionService();
test('should encrypt and decrypt data correctly', () => {
const originalData = 'sensitive payment information';
const encrypted = encryptionService.encrypt(originalData);
expect(encrypted).not.toBe(originalData);
const decrypted = encryptionService.decrypt(encrypted);
expect(decrypted).toBe(originalData);
});
test('should use different IVs for same data', () => {
const data = 'test data';
const encrypted1 = encryptionService.encrypt(data);
const encrypted2 = encryptionService.encrypt(data);
expect(encrypted1).not.toBe(encrypted2);
});
test('should fail gracefully with invalid keys', () => {
expect(() => {
encryptionService.decrypt('invalid_data');
}).toThrow('Decryption failed');
});
});
Penetration Testing
#!/bin/bash
# Encryption security tests
# Test weak key detection
openssl rsa -in weak_key.pem -text -check
# Test cipher strength
nmap --script ssl-enum-ciphers -p 443 api.azotte.com
# Test certificate validation
testssl.sh --check-rc4 --check-3des --check-cbc api.azotte.com:443
# Side-channel attack testing
python timing_attack_test.py --target api.azotte.com
Best Practices
Implementation Guidelines
- Use proven algorithms - Stick to AES, RSA, ECDSA
- Implement proper key management - Use HSMs for key storage
- Rotate keys regularly - Automate key rotation processes
- Validate inputs - Sanitize all encryption inputs
- Use authenticated encryption - Prefer AEAD modes like GCM
- Monitor performance - Track encryption latency and throughput
Common Pitfalls to Avoid
- Rolling your own crypto - Use established libraries
- Reusing initialization vectors - Always generate random IVs
- Weak random number generation - Use cryptographically secure RNGs
- Key derivation shortcuts - Use proper KDFs like PBKDF2
- Ignoring timing attacks - Implement constant-time comparisons
Next Steps
- Learn about Tokenization
- Understand Data Protection
- Explore PCI Compliance