Encryption Standards

Secrets and key storage

  • Secrets are write-only: once set, they cannot be retrieved in plaintext and must be rotated by re-setting.

  • Secrets are encrypted at rest with AES-256.

Encryption in transit

  • External traffic uses TLS (HTTPS).

Handling of secrets in applications

  • Secret values are kept outside source control and deployment manifests.

  • Applications read secrets at runtime through encrypted storage interfaces.

Access control

  • Access is limited to service identities and a small set of operators.

  • Policies follow least-privilege access.
