Architecture
Flow:- KEK (in KMS) wraps/unwraps the DEKs
- Each organisation has its own DEK
- DEK encrypts/decrypts that organisation’s secrets
- Secrets are stored encrypted in the database
Key hierarchy
Cryptographic specifications
Multi-tenant isolation
Each organisation has its own unique DEK (Data Encryption Key):- Cryptographic isolation: Organisation A’s DEK cannot decrypt Organisation B’s secrets
- Breach containment: If one DEK is compromised, only that organisation’s secrets are affected
- No cross-tenant access: Even with database access, secrets from other organisations remain encrypted with different keys
Key management
Best practices:- Restrict access: Only automated systems should have access to the KEK. Human access should be emergency-only.
- Never delete: Configure key deletion protection in your KMS provider.
- Backup carefully: If using environment variable provider, ensure the master key is securely backed up.
- Audit access: Enable KMS audit logging to track all key operations.
Configuration
Provider selection
SetSECRETS_PROVIDER to choose the encryption backend: