Data-in-Transit, Data-at-Rest, Keys that Never Leak

Encryption protects the confidentiality and integrity of data across apps, networks, and clouds.
SolveForce designs encryption as a system—with non-exportable keys (HSM/KMS), envelope encryption, modern ciphers, and audit-grade evidence—so data stays private, provable, and available without breaking performance.

• 📞 (888) 765-8301
• ✉️ contact@solveforce.com

Where encryption fits in the SolveForce model:
🔑 Keys → Key Management / HSM • 🪪 Trust → PKI
☁️ Platforms → Cloud • 🖧 Fabric → Networks & Data Centers • Connectivity
📊 Evidence → SIEM / SOAR • 🔒 Access → IAM / SSO / MFA • ZTNA • SASE
🔏 Data controls → DLP

---

🎯 Outcomes (What “good” encryption delivers)

• Confidentiality you can prove — keys never leave hardware; logs show who/what/when.
• Integrity by default — AEAD modes (encrypt and authenticate) prevent silent tamper.
• Fast rotation without data loss — envelope encryption (root→KEK→DEK) with re-wrap.
• Low latency — sized KMS/HSM clusters; TLS 1.3 at the edge; local DEK caching.
• Audit-ready — immutable evidence for PCI DSS, HIPAA, ISO 27001, NIST, CMMC.

---

🧱 Building Blocks (Spelled Out)

• Keys & Custody — Root/KEK/DEK hierarchy, non-exportable keys in HSM/KMS, quorum/dual-control. → Key Management / HSM
• Algorithms
• Symmetric (bulk): AES-GCM/CTR, ChaCha20-Poly1305 (AEAD).
• Asymmetric (identity/signing): Ed25519, ECDSA P-256/P-384, RSA-2048/3072.
• Hashes/HMAC: SHA-256/384. (Avoid MD5/SHA-1.)
• Transport — TLS 1.3 first; mTLS where identity must be mutual; IPsec/MACsec for network/Link-layer.
• At Rest — disk (XTS-AES), DB TDE, object SSE-KMS, field-level (AES-GCM or FPE, as policy).
• PKI — certificates, ACME automation, JWKS for token signing/rotation. → PKI

---

🚦 Quick Decision Table

Goal	Recommended
API / Web traffic	TLS 1.3 (fallback 1.2 only if needed). Ciphers: AES-GCM or ChaCha20-Poly1305
Mutual service identity	mTLS with short-lived certs; rotate via ACME
Private network hop	IPsec (site-to-site) or MACsec (L2)
Disk / volume	XTS-AES (BitLocker/FileVault/LUKS), rotate keys with KMS
Database	TDE; KEK in HSM/KMS; DEKs per tablespace
Object storage	SSE-KMS with customer-managed keys (CMK)
Field-level protection	AES-GCM (preferred) or FPE for format-sensitive fields
Tokens/ID	JWS (Ed25519/ECDSA); publish/rotate via JWKS; use kid headers
Secrets at rest	Vault + KMS wrap; never store raw keys in code/containers

---

🌐 Data-in-Transit (Modern TLS & friends)

• TLS 1.3 default; deprecate 1.0/1.1; prune weak ciphers.
• Ciphers: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 (mobile-friendly).
• Server policy: HSTS, OCSP stapling, ALPN (HTTP/2 & HTTP/3), Session resumption tickets with short lifetimes.
• mTLS: short-lived client certs (hours/days), ACME automation, CRL/OCSP for revocation.
• IPsec (site-to-site): IKEv2, PFS, AES-GCM; pair with SD-WAN policy. → SD-WAN
• MACsec (L2): encrypt switch-to-switch or server uplinks in hostile domains/cages.
• Cloud on-ramps: use Direct Connect/ExpressRoute/Interconnect for deterministic paths; TLS still applies end-to-end. → Direct Connect

Don’t: mix compression with encryption on the wire (CRIME/BREACH risks).

---

💾 Data-at-Rest (Disk, DB, Object, Field)

• Disks/Volumes: XTS-AES (BitLocker/FileVault/LUKS). Keys in KMS; rotate on schedule and events.
• Databases: TDE; master key in HSM/KMS, DEKs per tablespace; use re-wrap on KEK rotation.
• Object Storage: SSE-KMS/SSE-C; per-bucket/object keys with tags & lifecycle.
• Field-level: AES-GCM preferred; FPE (Format-Preserving Encryption) only when schema truly requires.
• Tokenization vs Encryption: For PAN/PII that must retain format without revealing data, tokenize upstream and store surrogates. → DLP

---

🧠 Envelope Encryption (Rotate without re-encrypting data)

1) App gets a DEK (data key) to encrypt content.
2) DEK is wrapped by a KEK in HSM/KMS and stored alongside ciphertext.
3) Rotate KEK → re-wrap DEKs (fast).
4) Rotate DEK → new data uses new DEK; legacy re-encrypt on schedule.
5) Quorum/dual-control required for destructive steps.
→ Details: Key Management / HSM

---

🔐 JWT / Tokens / Signing (Don’t roll your own)

• JWS for authenticity: Ed25519 or ECDSA P-256/384; RSA-2048/3072 if legacy.
• JWKS endpoint for public keys; rotate with kid. Publish new keys before retiring old.
• JWE only when confidentiality also needed; otherwise sign (JWS) and encrypt channel (TLS).
• Short-lived tokens, refresh with narrow scope; revoke on incident.
  → Trust fabric: PKI • IAM / SSO / MFA

---

🧩 Integration Patterns

• KMS/HSM first — apps never see raw KEKs; use KMS “data key” API; cache DEKs with TTL. → Key Management / HSM
• Vault for app secrets; auto-rotate; short TTL for tokens/creds.
• NAC/SD-WAN/SASE — encrypt links (IPsec/MACsec), steer paths, enforce posture. → SASE
• DLP + Encryption — enforce encryption for sensitive flows/objects; watermark read-only exports. → DLP
• SIEM/SOAR — log key ops, TLS events, failures; playbooks for disable/rekey/rotate on incident. → SIEM / SOAR

---

🧪 Hardening & Pitfalls (Field Notes)

• Use AEAD (AES-GCM or ChaCha20-Poly1305) — encryption and integrity together.
• Never reuse nonces/IVs; generate with secure RNG; unique per (key, message).
• Avoid home-grown crypto; rely on vetted libraries/HSM/KMS SDKs.
• KDFs for passwords: Argon2id or PBKDF2-HMAC-SHA256 (high iteration, per-user salt).
• Padding oracles: prefer AEAD; if CBC must be used, implement constant-time checks & MAC-then-encrypt patterns.
• Don’t mix compression + encryption for secrets; sanitize before encrypting.
• Certificates: automate ACME; pin with care (operationally dangerous without rotation plan).

---

📐 SLO Guardrails (Experience you can measure)

Metric (p95)	Target	Notes
TLS handshake (regional)	≤ 50–150 ms	Edge PoPs, session resumption enabled
mTLS mutual auth	≤ 100–250 ms	Cert chain size & OCSP stapling matter
KMS encrypt/decrypt	≤ 10–30 ms	Regional KMS, DEK caching
JWT sign/verify	≤ 20–50 ms	HSM-backed key ops
Service availability	≥ 99.99%	HA KMS/HSM, multi-region optional
Rotation (KEK)	≤ 24–72 h	Envelope re-wrap only

Expose crypto SLOs on dashboards; alert on lag, error rate, and tamper events. → SIEM / SOAR

---

📜 Compliance Mapping (Examples)

• PCI DSS 3.5/3.6 — key protection, rotation, split knowledge & dual control.
• HIPAA 164.312(a)(2)(iv) — encryption of ePHI; integrity and access controls.
• ISO/IEC 27001/27002 — cryptographic policy, key management, logging.
• NIST SP 800-57 / 800-52 / 800-53 (SC-12/SC-13) — key lifecycles, TLS profiles, crypto services.
• FedRAMP — KMS/HSM posture, key residency, audit retention.

Evidence streams to SIEM; playbooks in SOAR handle disable/rotate/restore.

---

🛠️ Implementation Blueprint (No-Surprise Rollout)

1. Inventory & classify data (where it lives, flows, exits).
2. Select custody — HSM/KMS platforms, FIPS level, HA/DR regions. → Key Management / HSM
3. Design hierarchy — Root in HSM; KEKs per service/tenant/env; DEKs per dataset/object.
4. Transport policy — TLS 1.3, mTLS where needed; IPsec/MACsec for hops.
5. At-rest controls — TDE, SSE-KMS, field-level; tokenization for PAN/PII. → DLP
6. PKI & tokens — ACME automation; JWKS rotation; short-lived tokens. → PKI • IAM / SSO / MFA
7. Observability — crypto SLOs; KMS/HSM tamper alerts; TLS error maps. → SIEM / SOAR
8. Compliance packs — policy docs, SOPs, rotation calendar, evidence exports.
9. Game days — KEK rotation, disable/restore drills, region failover.

---

✅ Pre-Engagement Checklist

• 🔑 HSM/KMS choices, regions, FIPS level, HA/DR plan.
• 📦 Data classes & flows; tokenization vs field encryption decisions.
• 🧰 Library/SDK standards (approved crypto libs, AEAD default).
• 🪪 PKI plan (issuance/rotation), JWKS strategy, short-lived tokens.
• 🔐 Network posture (IPsec/MACsec needs), TLS policy/cipher list.
• 📊 SIEM dashboards (crypto SLOs), SOAR runbooks (disable/rotate/restore).
• 🧾 Compliance targets and evidence format.

---

🔄 Where Encryption Fits (Recursive View)

1) Grammar — encrypted signals ride Connectivity & the Networks & Data Centers fabric.
2) Syntax — Cloud patterns (TDE, SSE-KMS, mTLS) shape delivery.
3) Semantics — Cybersecurity preserves truth; encryption proves confidentiality/integrity.
4) Pragmatics — SolveForce AI flags crypto anomalies, failed handshakes, and hot keys.
5) Foundation — consistent terms via Primacy of Language.
6) Map — indexed in the SolveForce Codex & Knowledge Hub.

---

📞 Design Encryption That’s Fast, Safe & Auditable

• 📞 (888) 765-8301
• ✉️ contact@solveforce.com

Related pages:
Key Management / HSM • PKI • IAM / SSO / MFA • ZTNA • SASE • DLP • Cloud • Networks & Data Centers • Direct Connect • SIEM / SOAR • Cybersecurity • Knowledge Hub

---