Skip to main content
GoRules BRMS uses envelope encryption with a KEK/DEK (Key Encryption Key / Data Encryption Key) hierarchy to protect sensitive data such as deployment credentials and user-defined secrets.

Architecture

Flow:
  1. KEK (in KMS) wraps/unwraps the DEKs
  2. Each organisation has its own DEK
  3. DEK encrypts/decrypts that organisation’s secrets
  4. Secrets are stored encrypted in the database

Key hierarchy

Cryptographic specifications

Multi-tenant isolation

Each organisation has its own unique DEK (Data Encryption Key):
  • Cryptographic isolation: Organisation A’s DEK cannot decrypt Organisation B’s secrets
  • Breach containment: If one DEK is compromised, only that organisation’s secrets are affected
  • No cross-tenant access: Even with database access, secrets from other organisations remain encrypted with different keys

Key management

The KEK (master key) must never be deleted or changed. If the KEK is lost or changed, all DEKs become unrecoverable and all encrypted secrets are permanently lost.
Best practices:
  • Restrict access: Only automated systems should have access to the KEK. Human access should be emergency-only.
  • Never delete: Configure key deletion protection in your KMS provider.
  • Backup carefully: If using environment variable provider, ensure the master key is securely backed up.
  • Audit access: Enable KMS audit logging to track all key operations.

Configuration

Provider selection

Set SECRETS_PROVIDER to choose the encryption backend:

Environment variables

Provider selection (required)

Environment variable provider (env)

AWS KMS provider (aws-kms)

Azure Key Vault provider (azure-keyvault)

GCP KMS provider (gcp-kms)

Cache settings

Example configurations

Limits