Encryption and Key Management
Envelope Encryption Pattern
Each job uses a unique Data Encryption Key (DEK) generated at write time. The DEK is encrypted using a Key Encryption Key (KEK) managed by the CYC key management service. Because the KEK encrypts only DEKs and never the job data itself, rotating the KEK does not require re-encrypting stored data.
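The write, read and KEK-rotation paths of this pattern, as an added example that is not CYC's own code. It uses Ruby's bundled OpenSSL binding. The function names, the blob layout, GCM as the AES-256 mode, the job ID as associated data, and a local KEK standing in for the key management service's wrap/unwrap calls are all assumptions.

```ruby
require 'openssl'

NONCE_LEN = 12 # GCM nonce bytes
TAG_LEN = 16   # GCM tag bytes

# Encrypt with AES-256-GCM under a 32-byte key, binding the job ID as
# associated data. Output layout (assumed): nonce || tag || ciphertext.
def seal(key, plaintext, job_id)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key # raises ArgumentError unless the key is exactly 32 bytes
  nonce = cipher.random_iv
  cipher.auth_data = job_id
  body = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + body
end

# Reverse seal. Raises OpenSSL::Cipher::CipherError on a wrong key, a wrong
# job ID or modified bytes.
def unseal(key, blob, job_id)
  raise ArgumentError, 'blob too short' if blob.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = job_id
  cipher.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + cipher.final
end

# Write path: a fresh DEK per job; only the wrapped DEK and ciphertext are stored.
def write_job(kek, job_id, data)
  dek = OpenSSL::Random.random_bytes(32)
  { id: job_id, wrapped_dek: seal(kek, dek, job_id), ciphertext: seal(dek, data, job_id) }
end

# Read path: unwrap the DEK (the KMS call in the real system), decrypt in memory.
def read_job(kek, job)
  dek = unseal(kek, job[:wrapped_dek], job[:id])
  unseal(dek, job[:ciphertext], job[:id])
end

# KEK rotation: re-wrap the DEK only; the job ciphertext is carried over as is.
def rotate_kek(old_kek, new_kek, job)
  dek = unseal(old_kek, job[:wrapped_dek], job[:id])
  job.merge(wrapped_dek: seal(new_kek, dek, job[:id]))
end
```

After `rotate_kek`, the stored ciphertext is byte-for-byte unchanged, the old KEK can no longer unwrap the DEK, and a wrapped DEK copied onto a different job ID fails authentication.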
Key Specifications
| Key | Algorithm | Scope | Rotation |
|---|---|---|---|
| DEK | AES-256 | Per job — generated at write time | Never rotated — lives and dies with the job |
| KEK | Managed by KMS | CYC-wide | Quarterly |
Rules
- No key material is stored in application code, environment variables, or the EDS blob store in plaintext
- The Assessment Engine requests DEK decryption via the key management service at job start — it never holds the KEK
- Decrypted data is processed in memory only — never written to disk in plaintext form
- In-transit encryption: TLS 1.3 for all data movement