Security
BitVault’s security design is defense-in-depth across every layer — no single control is trusted to hold, because every control eventually has a bug. The two catastrophic risks are:
- Cross-tenant data leak — one tenant reading another’s files or metadata.
- Encryption key compromise — a KEK or DEK loss that exposes or permanently destroys tenant data.
Every other risk is severe but recoverable. These two are not.
Contents
| Document | What it covers |
|---|---|
| Threat Model | STRIDE analysis, OWASP API Top 10 mapping, attack trees, risk register |
| Authentication | OAuth 2.1 + OIDC, PKCE, MFA, DPoP, machine identity |
| Authorization & RBAC | Deny-by-default policy engine, RBAC/ABAC/ReBAC, BOLA defense |
| Tenant Isolation | RLS, cache isolation, connection-pool hygiene, crypto isolation |
| Encryption | Envelope encryption, per-tenant DEKs, crypto-shredding, BYOK |
| Audit Logging | Tamper-evident Merkle log, what is/isn’t logged, retention |
| Rate Limiting & Abuse Prevention | Layered limits, quotas, targeted abuse defenses |
Quick-Reference Risk Table
| Risk | Severity | Primary mitigation | Reference |
|---|---|---|---|
| Cross-tenant data leak (BOLA / isolation failure) | 🔴 Critical | PDP object-authz + Postgres RLS + per-layer isolation | Tenant Isolation |
| Encryption key compromise | 🔴 Critical | KMS envelope encryption, no key export, per-tenant DEKs, rotation | Encryption |
| Account / API-key takeover | 🟠 High | MFA, refresh-token rotation + reuse detection, key hashing | Authentication |
| Public-link abuse / data exfiltration | 🟠 High | Scoped capability tokens, short TTL, anomaly detection | Rate Limiting |
| DoS / resource exhaustion | 🟠 High | Layered rate limits + per-tenant quotas | Rate Limiting |
| Audit tampering / repudiation | 🟡 Medium | Merkle tamper-evident log, separate trust domain | Audit Logging |
| SSRF via previews or plugins | 🟡 Medium | Egress allow-lists, block link-local / metadata IPs | Threat Model |
| Plugin sandbox escape | 🟡 Medium | WASM capability sandbox with explicit grants | Threat Model |
| Supply-chain compromise | 🟡 Medium | SBOM, Trivy scan, cosign signing, SLSA provenance, admission verify | Threat Model |
| Insider / rogue DBA | 🟡 Medium | Per-tenant envelope encryption, least privilege, audit log | Encryption |
Security Principles
- Deny by default. Access is denied unless explicitly granted; missing authz annotations → 403, never 200.
- Tenant context from the verified token. `tenant_id` is derived from the cryptographically verified token before any business logic runs and re-checked on every authorization decision — never accepted from client input.
- No single point of trust. Authentication does not imply isolation; each layer (token, application, DB, cache, storage, encryption) independently enforces tenant separation.
- Observable by design. Every security-relevant event flows through the audit log and carries an OpenTelemetry trace ID for correlation.
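The first two principles, deny by default and tenant context taken only from the verified token, as an added illustration in Python. This is example code, not BitVault's own policy engine or token format: the HMAC-signed token, the `ROUTE_ANNOTATIONS` map, the `ROLE_GRANTS` table and the `Request` shape are all constructed for the example. It shows the decision sequence the principles imply: an unverifiable token is rejected, a client-supplied `tenant_id` that disagrees with the token is a 403 rather than an override, a route with no authz annotation is a 403 rather than a 200, and only an explicit grant yields 200.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed signing key for the example; a real deployment keeps this in a KMS.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue a minimal HMAC-signed token of the form payload.signature (constructed format)."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if the signature verifies; None for anything malformed or forged."""
    try:
        payload, sig = token.split(".", 1)
        presented = _unb64(sig)
    except ValueError:  # missing separator or invalid base64
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(_unb64(payload))


# Hypothetical route -> (object type, required permission). A route missing from this
# map has no authz annotation and must be denied, never served.
ROUTE_ANNOTATIONS = {
    ("GET", "/files"): ("file", "read"),
    ("DELETE", "/files"): ("file", "delete"),
}

# Constructed grants: (tenant_id, role) -> object type -> permissions.
ROLE_GRANTS = {
    ("acme", "viewer"): {"file": {"read"}},
    ("acme", "admin"): {"file": {"read", "delete"}},
}


@dataclass
class Request:
    method: str
    path: str
    token: str
    params: dict = field(default_factory=dict)  # client-controlled query/body values


def authorize(req: Request) -> int:
    """Deny-by-default decision: returns 200 only when every check passes, else 401/403."""
    claims = verify_token(req.token)
    if claims is None:
        return 401  # no verified identity, so no tenant context at all
    tenant_id = claims.get("tenant_id")
    # Tenant context comes from the token; a client-supplied tenant_id that disagrees
    # is treated as a confused-deputy/BOLA attempt and denied, not silently ignored.
    if "tenant_id" in req.params and req.params["tenant_id"] != tenant_id:
        return 403
    annotation = ROUTE_ANNOTATIONS.get((req.method, req.path))
    if annotation is None:
        return 403  # unannotated route: deny, never 200
    obj_type, needed = annotation
    allowed = ROLE_GRANTS.get((tenant_id, claims.get("role")), {}).get(obj_type, set())
    return 200 if needed in allowed else 403


if __name__ == "__main__":
    viewer = mint_token({"tenant_id": "acme", "role": "viewer"})
    print(authorize(Request("GET", "/files", viewer)))                         # 200
    print(authorize(Request("GET", "/files", viewer, {"tenant_id": "globex"})))  # 403
    print(authorize(Request("GET", "/reports", viewer)))                       # 403
```

Note that the tenant check happens inside `authorize`, which runs on every request, so a later re-check at the data layer (Postgres RLS in the Tenant Isolation document) is a second, independent enforcement rather than the only one.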