# Encryption
GLACIS uses strong encryption for all data at rest and in transit.
## In Transit
All connections use TLS 1.3:
- Strong cipher suites only
- Certificate pinning available
- HSTS enabled
## At Rest
| Data Type | Algorithm |
|---|---|
| API keys | Argon2id hash |
| Passwords | Argon2id hash |
| PII fields | XChaCha20-Poly1305 |
| Sessions | Secure random tokens |
## Cryptographic Primitives

### Ed25519 Signatures

All attestations are signed:

```js
const signature = ed25519.sign(data, privateKey);
const valid = ed25519.verify(data, signature, publicKey);
```

### SHA-256 Commitments

Evidence is commitment-bound:

```js
const commitment = sha256(canonicalize(evidence));
```

### HMAC-SHA256

State integrity verification:

```js
const mac = hmacSha256(state, secret);
```

### XChaCha20-Poly1305

Field-level encryption for sensitive data:

```js
// nonce: 24 random bytes, never reused with the same key
const encrypted = xchacha20poly1305.encrypt(data, key, nonce);
// decryption needs the same nonce; `encrypted` is assumed to bundle it with the ciphertext and tag
const decrypted = xchacha20poly1305.decrypt(encrypted, key);
```

## Key Management
- API keys rotatable via dashboard
- Sidecar keys managed per-deployment
- Organization keys derived from master
- No plaintext key storage
## Best Practices
- Rotate API keys quarterly
- Use separate keys per environment
- Store secrets in secret managers
- Monitor key usage