Security

Encryption

How Keva protects your data with AES-256-GCM encryption

Keva uses AES-256-GCM encryption to protect sensitive data at rest. This enterprise-grade encryption ensures your platform credentials and customer data remain secure.

Overview

Keva implements:

  • AES-256-GCM for data at rest
  • TLS 1.3 for data in transit
  • Key rotation without downtime
  • Audit logging of credential access

What's Encrypted

Platform Credentials

All connector credentials are encrypted:

  • API keys and tokens
  • OAuth access/refresh tokens
  • Passwords and secrets
  • Connection strings

Sensitive Configuration

Encrypted configuration includes:

  • Webhook secrets
  • SMTP credentials
  • Third-party API keys
  • Custom integration secrets

Encryption Algorithm

AES-256-GCM

Keva uses AES-256-GCM (Galois/Counter Mode):

  • 256-bit keys for maximum security
  • Authenticated encryption prevents tampering
  • Unique IV for each encryption operation
  • NIST approved for government use

Technical Details

Algorithm: AES-256-GCM
Key Length: 256 bits (32 bytes)
IV Length: 96 bits (12 bytes)
Tag Length: 128 bits (16 bytes)

Data Structure

Encrypted values are stored as:

  • encryptedValue - Base64-encoded ciphertext
  • iv - Unique initialization vector
  • tag - Authentication tag for integrity
  • keyVersion - Key identifier for rotation

Key Management

Key Generation

Encryption keys are:

  • Generated with a cryptographically secure random number generator
  • 256-bit (64 hexadecimal characters)
  • Stored in environment variables
  • Never committed to source control

Key Storage

Keys are stored securely:

  • Production: GCP Secret Manager
  • Staging: Encrypted environment variables
  • Development: Local .env files (gitignored)

Key Access

Key access is restricted:

  • Only the application runtime can access them
  • No human access in production
  • The key itself is never written to logs, even when it is retrieved

Key Rotation

Why Rotate Keys

Regular key rotation:

  • Limits exposure from potential breaches
  • Meets compliance requirements
  • Follows security best practices
  • Required for SOC 2 compliance

Rotation Process

Keva supports zero-downtime key rotation:

  1. Add new key: Set ENCRYPTION_KEY to the new value
  2. Keep old key: Set ENCRYPTION_KEY_PREVIOUS to the old value
  3. Re-encrypt data: Run the rotation job
  4. Remove old key: Clear ENCRYPTION_KEY_PREVIOUS

Automatic Re-encryption

The rotation process:

  1. Reads each encrypted value
  2. Decrypts with old key (if needed)
  3. Re-encrypts with new key
  4. Updates key version marker
  5. Logs operation in audit trail

Rotation Frequency

Recommended schedule:

  • Production: Every 90 days
  • After incidents: Immediately
  • Staff changes: When admins leave

Encryption in Practice

Storing Credentials

When you connect a platform:

  1. You enter credentials in the UI
  2. Credentials are sent over TLS
  3. Server encrypts immediately
  4. Only ciphertext is stored
  5. Access is logged

Using Credentials

When AI executes an action:

  1. System retrieves encrypted credentials
  2. Decrypts in memory only
  3. Makes API call
  4. Credentials cleared from memory
  5. Access logged in audit trail

Never Exposed

Credentials are never:

  • Logged in application logs
  • Shown in error messages
  • Sent to third parties
  • Stored in plaintext

Audit Trail

Credential Access Logging

All credential access is logged:

Event | Description
connector.credentials_accessed | Credentials decrypted for use
connector.credentials_created | New credentials stored
connector.credentials_updated | Credentials rotated
connector.credentials_deleted | Credentials removed

Log Contents

Audit logs include:

  • Who accessed credentials
  • Which connector
  • What purpose (API call type)
  • Timestamp
  • IP address

The actual credentials are never logged.

Compliance

SOC 2 Mapping

Encryption Control | SOC 2 Criteria
AES-256-GCM encryption | CC6.1, CC6.7
Key rotation | CC6.6
Credential access logging | CC7.2
Encryption in transit | CC6.7

Evidence Collection

For SOC 2 audits:

  • Encryption configuration documented
  • Key rotation logs available
  • Credential access audit trail
  • Algorithm compliance verified

Best Practices

For Administrators

  • Rotate keys every 90 days
  • Monitor credential access logs
  • Verify encryption is enabled
  • Test key rotation in staging first

For Developers

  • Never log decrypted values
  • Clear sensitive data from memory
  • Use secure comparison for secrets
  • Follow key storage guidelines

Troubleshooting

Decryption Failures

If decryption fails:

  1. Verify ENCRYPTION_KEY is set
  2. Check that the key is 64 hex characters
  3. Ensure ENCRYPTION_KEY_PREVIOUS is set during rotation
  4. Contact support if issues persist