Algorithm Summary
| Component | Algorithm | Key Size | Mode |
|---|---|---|---|
| Log field encryption | AES | 128-bit | Fernet (CBC+HMAC) |
| Cloud backup payload | AES | 256-bit | GCM |
| Cloud backup key wrap | RSA | 2048-bit | OAEP-SHA256 |
| Log signing | HMAC | 256-bit | SHA-256 |
Hybrid Encryption (Zero-Trust Backup)
```
┌─────────────────────────────────────────────────────────────┐
│                       Encryption Flow                       │
│                                                             │
│  Plaintext → [Generate Session Key] → AES-256-GCM Encrypt   │
│                        │                        │           │
│                        ▼                        ▼           │
│                RSA-OAEP Wrap Key           Ciphertext       │
│                        │                        │           │
│                        └────────┬───────────────┘           │
│                                 ▼                           │
│                     Encrypted Envelope (JSON)               │
│        { encrypted_data, encrypted_key, iv, tag, key_id }   │
└─────────────────────────────────────────────────────────────┘
```
Security Properties
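- Forward Secrecy: Unique session key per message, so a leaked session key exposes only that one message. Every wrapped session key is still recoverable with the RSA private key for its key_id, which is why that key stays offline.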
- Authenticated Encryption: GCM provides integrity
- Zero-Trust Cloud: Private key never in cloud
- Key Rotation: key_id enables historic decryption
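
The envelope flow and key_id-based rotation described above, as an added Python example that is not the project's own code. It assumes base64 field encoding, a 12-byte IV, key_id bound as GCM associated data, and hypothetical names (`seal`, `open_envelope`, `backup-2023`, `backup-2024`).

```python
import base64
import json
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def seal(plaintext: bytes, public_key, key_id: str) -> str:
    """Container side: only the RSA public key is present here."""
    session_key = AESGCM.generate_key(bit_length=256)  # CSPRNG, used for one message
    iv = os.urandom(12)  # 96-bit GCM nonce
    # Assumption: key_id is bound as associated data so it cannot be swapped unnoticed.
    sealed = AESGCM(session_key).encrypt(iv, plaintext, key_id.encode())
    return json.dumps({
        "encrypted_data": b64(sealed[:-16]),
        "encrypted_key": b64(public_key.encrypt(session_key, OAEP)),
        "iv": b64(iv),
        "tag": b64(sealed[-16:]),  # AESGCM appends the 16-byte tag to the ciphertext
        "key_id": key_id,
    })


def open_envelope(envelope: str, private_keys: dict) -> bytes:
    """Offline side: key_id selects the private key, including rotated-out ones."""
    env = json.loads(envelope)
    private_key = private_keys[env["key_id"]]  # KeyError for an unknown key_id
    session_key = private_key.decrypt(base64.b64decode(env["encrypted_key"]), OAEP)
    sealed = base64.b64decode(env["encrypted_data"]) + base64.b64decode(env["tag"])
    # Raises cryptography.exceptions.InvalidTag if data, tag, iv or key_id was altered.
    return AESGCM(session_key).decrypt(base64.b64decode(env["iv"]), sealed, env["key_id"].encode())


def demo():
    # Constructed sample: two key pairs with hypothetical key_id values, as after one rotation.
    keys = {kid: rsa.generate_private_key(public_exponent=65537, key_size=2048)
            for kid in ("backup-2023", "backup-2024")}
    return keys, [seal(b"constructed backup payload", k.public_key(), kid) for kid, k in keys.items()]


if __name__ == "__main__":
    keys, envelopes = demo()
    print([open_envelope(e, keys) for e in envelopes])
```

In a deployment matching the table below, `seal` would load only `public.pem` and `open_envelope` would run on the offline host that holds the private keys.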
Key Management
RSA Key Pair
- Public Key: In container
- Private Key: OFFLINE only
- Rotation: Annual

Session Keys
- Generation: CSPRNG
- Lifetime: Single message
- Storage: Wrapped in envelope
Key Generation Commands
```bash
# Generate RSA private key (KEEP OFFLINE!)
openssl genrsa -out private.pem 2048

# Extract public key
openssl rsa -in private.pem -pubout -out public.pem

# Verify key
openssl rsa -in private.pem -check

# Generate Fernet key for Django
python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
```
TLS Requirements
| Connection | Protocol | Min Version |
|---|---|---|
| HTTPS (Ingress) | TLS | 1.2 |
| Database | TLS | 1.2 |
| SIEM forwarding | TLS | 1.2 |
| Cloud backup API | TLS | 1.2 |
Standards Compliance
- NIST SP 800-38D: GCM Mode ✅
- NIST SP 800-57: Key Management ✅
- FIPS 140-2: Approved Algorithms ✅
- NIS2 Art. 21(f): Cryptography Policies ✅