Encryption

Strong encryption protects your data at rest and in transit.

At Rest Encryption

Algorithm: AES-256-GCM (Galois/Counter Mode)
Key: SHA-256 hash of ENCRYPTION_KEY
Nonce: 12 bytes from crypto/rand
Encoding: Base64 for storage
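The following Go program is an added illustration of the at-rest scheme listed above (AES-256-GCM, key = SHA-256 of ENCRYPTION_KEY, 12-byte nonce from crypto/rand, Base64 for storage); it is not the product's own code. The stored blob layout (nonce || ciphertext || tag) and the function names are assumptions. Note that SHA-256 only reshapes the secret into 32 bytes and adds no entropy, so ENCRYPTION_KEY itself has to be a long random value rather than a human-chosen passphrase.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"os"
)

// deriveKey turns the ENCRYPTION_KEY secret into the 32-byte key AES-256
// expects by hashing it with SHA-256. The hash is deterministic and adds no
// entropy, so the secret must be generated with a CSPRNG (assumption).
func deriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// Encrypt seals plaintext with AES-256-GCM under a fresh 12-byte random
// nonce and returns base64(nonce || ciphertext || tag) for storage.
// GCM nonces must never repeat under one key, hence a new one per call.
func Encrypt(secret string, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(deriveKey(secret))
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag after the nonce, giving one blob.
	sealed := gcm.Seal(nonce, nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt. GCM's authentication tag makes any modification
// of the stored blob, or use of the wrong key, fail with an error instead
// of silently returning garbage.
func Decrypt(secret string, encoded string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(secret))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	secret := os.Getenv("ENCRYPTION_KEY")
	if secret == "" {
		// Constructed sample so the program runs stand-alone; a real
		// deployment reads a random secret from the environment.
		secret = "example-only-replace-with-a-random-secret"
	}
	blob, err := Encrypt(secret, []byte("constructed-provider-credential"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", blob)
	plain, err := Decrypt(secret, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(plain))
}
```

Decrypt refuses blobs shorter than nonce plus tag before touching the cipher, and the round trip, tamper detection and wrong-key rejection are the three behaviours worth asserting in a test of any such wrapper.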

Encrypted Data Types

  • Provider credentials (AWS keys, API tokens)
  • 2FA TOTP secrets and backup codes
  • Environment variable values
  • SSH private keys
  • Database connection strings

In Transit Encryption

  • TLS 1.2+ required for all connections
  • HSTS header with 1-year max-age
  • Secure cookies (HttpOnly, Secure, SameSite=Lax)
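As an added Go example (not the product's own code), the three in-transit settings above expressed as server configuration, plus a small check that verifies the HSTS header the way a deployment test would. The handler names, the /login route and the cookie name are assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

const hstsMaxAge = 31536000 // one year, in seconds

// TLSConfig sets TLS 1.2 as the minimum protocol version for every
// connection; assign it to http.Server.TLSConfig.
func TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// WithHSTS adds Strict-Transport-Security to every response so browsers
// refuse plaintext HTTP to this host for the next year.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age="+strconv.Itoa(hstsMaxAge))
		next.ServeHTTP(w, r)
	})
}

// SessionCookie builds a cookie with the flags listed above: unreadable from
// JavaScript (HttpOnly), sent only over TLS (Secure) and withheld from
// cross-site POSTs (SameSite=Lax).
func SessionCookie(name, value string) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// CheckHSTS verifies that a response carries HSTS with at least a one-year
// max-age; a deployment smoke test can run it against the live endpoint.
func CheckHSTS(h http.Header) error {
	v := h.Get("Strict-Transport-Security")
	if v == "" {
		return errors.New("missing Strict-Transport-Security header")
	}
	for _, d := range strings.Split(v, ";") {
		d = strings.ToLower(strings.TrimSpace(d))
		if strings.HasPrefix(d, "max-age=") {
			n, err := strconv.Atoi(strings.TrimPrefix(d, "max-age="))
			if err != nil {
				return fmt.Errorf("bad max-age: %w", err)
			}
			if n < hstsMaxAge {
				return fmt.Errorf("max-age %d is shorter than one year", n)
			}
			return nil
		}
	}
	return errors.New("HSTS header has no max-age directive")
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, SessionCookie("session", "constructed-session-id"))
		fmt.Fprintln(w, "ok")
	})
	// Stand-alone demo on a local self-signed test server; production wires
	// the same pieces into http.Server{TLSConfig: TLSConfig(), Handler: WithHSTS(mux)}.
	srv := httptest.NewUnstartedServer(WithHSTS(mux))
	srv.TLS = TLSConfig()
	srv.StartTLS()
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL + "/login")
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	fmt.Println("TLS >= 1.2:", resp.TLS.Version >= tls.VersionTLS12)
	fmt.Println("HSTS check:", CheckHSTS(resp.Header))
	for _, c := range resp.Cookies() {
		fmt.Println("cookie:", c.String())
	}
}
```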

SSH Key Security

Algorithm: Ed25519 (faster, more secure than RSA)
Format: OpenSSH private key format
Fingerprint: SHA-256 based
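An added Go example (not the product's own code) of the key material described above: it generates an Ed25519 key pair, encodes the public half in SSH wire format, computes the OpenSSH-style SHA-256 fingerprint, and parses an authorized_keys line back, rejecting anything that is not ssh-ed25519. The function names are assumptions. Writing the private half in OpenSSH private key format is left to golang.org/x/crypto/ssh (MarshalPrivateKey) so that this block stays on the standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// sshString encodes b as an SSH wire-format string:
// a big-endian uint32 length followed by the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readSSHString is the inverse of sshString; it returns the string and the
// remaining buffer, refusing lengths that run past the input.
func readSSHString(b []byte) ([]byte, []byte, error) {
	if len(b) < 4 {
		return nil, nil, errors.New("short buffer")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(len(b)-4) < uint64(n) {
		return nil, nil, errors.New("length runs past buffer")
	}
	return b[4 : 4+n], b[4+n:], nil
}

// MarshalEd25519PublicKey returns the SSH wire encoding of the public key
// (string "ssh-ed25519" || string key): the bytes that appear base64-encoded
// in an authorized_keys line.
func MarshalEd25519PublicKey(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// Fingerprint computes the OpenSSH SHA-256 fingerprint: "SHA256:" followed
// by the unpadded base64 of the SHA-256 digest of the wire-format key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(MarshalEd25519PublicKey(pub))
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// AuthorizedKeysLine formats the public key as one authorized_keys entry.
func AuthorizedKeysLine(pub ed25519.PublicKey, comment string) string {
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(MarshalEd25519PublicKey(pub)) + " " + comment
}

// ParseAuthorizedKey reads an "ssh-ed25519 <base64> [comment]" line back into
// a public key, rejecting other key types and malformed encodings.
func ParseAuthorizedKey(line string) (ed25519.PublicKey, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "ssh-ed25519" {
		return nil, errors.New("not an ssh-ed25519 key line")
	}
	wire, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return nil, err
	}
	keyType, rest, err := readSSHString(wire)
	if err != nil || string(keyType) != "ssh-ed25519" {
		return nil, errors.New("key type mismatch inside encoded key")
	}
	key, rest, err := readSSHString(rest)
	if err != nil || len(rest) != 0 || len(key) != ed25519.PublicKeySize {
		return nil, errors.New("malformed ed25519 public key")
	}
	return ed25519.PublicKey(key), nil
}

func main() {
	pub, _, err := ed25519.GenerateKey(rand.Reader) // private half kept in memory only here
	if err != nil {
		panic(err)
	}
	fmt.Println(AuthorizedKeysLine(pub, "deploy@example")) // constructed comment
	fmt.Println(Fingerprint(pub))
}
```

Comparing Fingerprint of a parsed authorized_keys line against the fingerprint shown to the user at upload time is the check that catches a pasted key that was truncated or altered in transit.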