Encryption Key Management
The MATIH platform provides comprehensive encryption for tenant data at rest and in transit. Each tenant can manage their own encryption keys through the Tenant Service, supporting both platform-managed keys and customer-managed keys (BYOK) for compliance requirements.
Encryption Architecture
Tenant Data
|
v
+------------------+
| Application | AES-256-GCM encryption
| Encryption Layer | Per-tenant Data Encryption Key (DEK)
+------------------+
|
v
+------------------+
| Key Encryption | RSA-4096 or AES-256
| Key (KEK) | Wraps the DEK
+------------------+
|
v
+------------------+
| Key Management | Azure Key Vault / AWS KMS / GCP KMS
| Service | Master key never leaves HSM
+------------------+Key Hierarchy
| Key Type | Purpose | Rotation | Storage |
|---|---|---|---|
| Master Key (MK) | Root of trust per cloud provider | Annual | HSM (never exported) |
| Key Encryption Key (KEK) | Wraps tenant DEKs | 90 days | Key Vault / KMS |
| Data Encryption Key (DEK) | Encrypts tenant data | 30 days | Encrypted in database |
| Transport Key (TLS) | Encrypts data in transit | 90 days | cert-manager |
Encryption at Rest
All tenant data is encrypted at rest using AES-256-GCM:
| Data Store | Encryption Method |
|---|---|
| PostgreSQL | Transparent Data Encryption (TDE) + application-level column encryption |
| Redis | TLS + encrypted RDB snapshots |
| Kafka | Topic-level encryption via interceptor |
| Object Storage (S3/Blob) | SSE-KMS with tenant-specific key |
| Elasticsearch | Node-level encryption + field-level encryption for PII |
API Endpoints
GET /api/v1/tenants/:tenantId/encryption/keys # List encryption keys
POST /api/v1/tenants/:tenantId/encryption/keys # Create new key
GET /api/v1/tenants/:tenantId/encryption/keys/:keyId # Get key metadata
POST /api/v1/tenants/:tenantId/encryption/keys/:keyId/rotate # Rotate key
DELETE /api/v1/tenants/:tenantId/encryption/keys/:keyId # Revoke key
GET /api/v1/tenants/:tenantId/encryption/status # Encryption statusKey Rotation
Key rotation is automatic and zero-downtime:
- New DEK is generated
- New data is encrypted with new DEK
- Background process re-encrypts existing data
- Old DEK is marked for deletion after grace period
- Old DEK is purged after all data is re-encrypted
Customer-Managed Keys (BYOK)
Enterprise tenants can bring their own keys:
| Feature | Platform-Managed | Customer-Managed (BYOK) |
|---|---|---|
| Key generation | Platform | Customer's KMS |
| Key storage | Platform Key Vault | Customer's Key Vault |
| Key rotation | Automatic | Customer-triggered |
| Key revocation | Platform-controlled | Customer-controlled |
| Availability | Standard | Enterprise plan |
Encryption in Transit
All inter-service communication uses mTLS:
| Connection | Protocol | Certificate |
|---|---|---|
| External traffic | TLS 1.3 | Let's Encrypt via cert-manager |
| Inter-service | mTLS | Internal CA via cert-manager |
| Database connections | TLS 1.2+ | PostgreSQL server certificate |
| Kafka connections | SASL/TLS | Strimzi-managed certificates |