10 — Encryption & Key Management

Confidentiality in transit, at rest, and (optionally) end-to-end. Builds on ADR-0014 (envelope encryption). The standout property: per-tenant keys enable crypto-shredding — instant, provable erasure by deleting a key.


1. In transit


2. At rest — the key hierarchy

flowchart TB
    classDef k fill:#fecaca,stroke:#b91c1c,color:#111827;
    classDef t fill:#fde68a,stroke:#b45309,color:#111827;
    classDef d fill:#bbf7d0,stroke:#15803d,color:#111827;
    root["Root KEK — in KMS/HSM (never exported)"]:::k
    root --> tkek["Per-TENANT KEK (wrapped by root)"]:::t
    tkek --> dek["Per-object DEK (random; wrapped by tenant KEK)"]:::d
    dek --> data["encrypted chunks (storage/02, AES-256-GCM)"]:::d
    byok["BYOK/HYOK: tenant KEK = customer's KMS key"]:::t -.-> tkek

3. Crypto-shredding (the elegant erasure primitive)

Because each tenant (and optionally each object) has its own key, erasure = key deletion: destroy the tenant KEK and all its ciphertext — live, replicated, and in backups — becomes permanently unrecoverable, instantly. This is how BitVault implements:

This is the single highest-leverage security primitive in the design: it turns “delete data everywhere” (hard, unverifiable) into “delete one key” (easy, provable).


4. Customer-managed keys (BYOK / HYOK)


5. End-to-end encryption (opt-in, zero-knowledge)

The Private Vaults tier (product/01 §4) encrypts client-side; the server stores only ciphertext and cannot read it. Sharing re-wraps the per-file key per recipient’s public key. Honest tradeoff (revisits NG3): E2E disables server-side search, previews, dedup, and Functions on that data — so it’s opt-in, not default.


6. Crypto agility

Algorithm identifiers are stored per object (e.g. BLAKE3 vs SHA-256 mode, ADR-0016), so a hash/cipher migration is a lazy/background re-encrypt, not a flag day — including a future post-quantum transition. Integrity hashing (BLAKE3, storage/04) is distinct from confidentiality encryption; both apply.


7. Threats addressed & residual

Threat Control Residual
Network eavesdrop / MITM TLS 1.3 + mTLS + content-hash verify very low
Rogue DBA / stolen backup per-tenant envelope encryption low
Incomplete erasure crypto-shredding (key deletion) very low
Operator can read data BYOK/HYOK or E2E for zero-knowledge tier-dependent
Key compromise KMS, no export, rotation, per-tenant blast radius low

References