Key Management System (KMS) Integration

<h2 id="key-management-system-kms-integration" class="position-relative d-flex align-items-center group"> Key Management System (KMS) Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-management-system-kms-integration" aria-haspopup="dialog" aria-label="Share link: Key Management System (KMS) Integration"> Share link </button> </h2><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Geode provides enterprise-grade Key Management Service integration for Transparent Data Encryption (TDE) with support for multiple KMS providers, automated key rotation, and comprehensive audit trails. <h3 id="overview" class="position-relative d-flex align-items-center group"> Overview <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="overview" aria-haspopup="dialog" aria-label="Share link: Overview"> Share link </button> </h3> <h4 id="why-use-external-kms" class="position-relative d-flex align-items-center group"> Why Use External KMS? <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="why-use-external-kms" aria-haspopup="dialog" aria-label="Share link: Why Use External KMS?"> Share link </button> </h4>External Key Management Systems provide: <ul> <li>Centralized Key Storage: Master keys stored in hardware security modules (HSM)</li> <li>Access Control: Fine-grained permissions and multi-factor authentication</li> <li>Audit Trails: Complete key access logging for compliance</li> <li>Key Rotation: Automated rotation with policy enforcement</li> <li>Disaster Recovery: Key backup and replication across regions</li> <li>Compliance: SOX, PCI-DSS, HIPAA, GDPR requirements</li> </ul> <h4 id="architecture" class="position-relative d-flex align-items-center group"> Architecture <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="architecture" aria-haspopup="dialog" aria-label="Share link: Architecture"> Share link </button> </h4>Geode uses envelope encryption for optimal security and performance: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Master Key (in KMS - HSM-backed) └─ Data Encryption Key (DEK, wrapped by master) ├─ Data Page Encryption └─ WAL Record Encryption </code></pre></div>Benefits: <ul> <li>Master keys never leave KMS</li> <li>DEKs encrypted at rest (wrapped)</li> <li>Fast local encryption with DEKs</li> <li>Master key rotation without re-encrypting data</li> </ul> <h3 id="supported-kms-providers" class="position-relative d-flex align-items-center group"> Supported KMS Providers <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="supported-kms-providers" aria-haspopup="dialog" aria-label="Share link: Supported KMS Providers"> Share link </button> </h3><table> <thead> <tr> <th>Provider</th> <th>Use Case</th> <th>Features</th> </tr> </thead> <tbody> <tr> <td>HashiCorp Vault</td> <td>Enterprise, on-premise</td> <td>Transit engine, dynamic secrets, audit</td> </tr> <tr> <td>AWS KMS</td> <td>Cloud native AWS</td> <td>HSM-backed, multi-region, automatic rotation</td> </tr> <tr> <td>Azure Key Vault</td> <td>Cloud native Azure</td> <td>HSM-backed, RBAC, managed keys</td> </tr> <tr> <td>GCP Cloud KMS</td> <td>Cloud native GCP</td> <td>HSM-backed, IAM integration</td> </tr> <tr> <td>Environment Variable</td> <td>Development only</td> <td>Simple config, NOT for production</td> </tr> <tr> <td>File-based</td> <td>Local testing</td> <td>File storage, NOT for production</td> </tr> </tbody> </table> <h3 id="quick-start" class="position-relative d-flex align-items-center group"> Quick Start <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="quick-start" aria-haspopup="dialog" aria-label="Share link: Quick Start"> Share link </button> </h3> <h4 id="using-hashicorp-vault" class="position-relative d-flex align-items-center group"> Using HashiCorp Vault <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="using-hashicorp-vault" aria-haspopup="dialog" aria-label="Share link: Using HashiCorp Vault"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># 1. Set Vault environment export VAULT_ADDR="https://vault.company.com" export VAULT_TOKEN="hvs.CAESI..." # 2. Configure Geode export GEODE_KMS_PROVIDER="vault" export GEODE_VAULT_KEY_PATH="geode/encryption" # 3. Start Geode with Vault-backed TDE ./geode serve --enable-tde --kms-provider vault </code></pre></div> <h4 id="using-aws-kms" class="position-relative d-flex align-items-center group"> Using AWS KMS <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="using-aws-kms" aria-haspopup="dialog" aria-label="Share link: Using AWS KMS"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># 1. Set AWS credentials export AWS_REGION="us-east-1" export AWS_ACCESS_KEY_ID="AKIA..." export AWS_SECRET_ACCESS_KEY="..." # 2. Configure Geode export GEODE_KMS_PROVIDER="aws" export GEODE_AWS_KMS_KEY_ID="arn:aws:kms:us-east-1:123456789012:key/..." # 3. Start Geode ./geode serve --enable-tde --kms-provider aws </code></pre></div> <h3 id="hashicorp-vault-integration" class="position-relative d-flex align-items-center group"> HashiCorp Vault Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hashicorp-vault-integration" aria-haspopup="dialog" aria-label="Share link: HashiCorp Vault Integration"> Share link </button> </h3> <h4 id="prerequisites" class="position-relative d-flex align-items-center group"> Prerequisites <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="prerequisites" aria-haspopup="dialog" aria-label="Share link: Prerequisites"> Share link </button> </h4><ul> <li>Vault 1.15.0+</li> <li>Vault transit engine enabled</li> <li>Valid authentication token</li> <li>Network access to Vault server</li> </ul> <h4 id="setup-steps" class="position-relative d-flex align-items-center group"> Setup Steps <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="setup-steps" aria-haspopup="dialog" aria-label="Share link: Setup Steps"> Share link </button> </h4> <h5 id="1-enable-vault-transit-engine" class="position-relative d-flex align-items-center group"> 1. Enable Vault Transit Engine <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="1-enable-vault-transit-engine" aria-haspopup="dialog" aria-label="Share link: 1. Enable Vault Transit Engine"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Enable transit secrets engine vault secrets enable -path=geode transit # Create encryption key vault write -f geode/keys/master-key </code></pre></div> <h5 id="2-configure-vault-policy" class="position-relative d-flex align-items-center group"> 2. Configure Vault Policy <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="2-configure-vault-policy" aria-haspopup="dialog" aria-label="Share link: 2. Configure Vault Policy"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Create policy for Geode vault policy write geode-tde - <<EOF path "geode/keys/master-key" { capabilities = ["read"] } path "geode/encrypt/*" { capabilities = ["create", "update"] } path "geode/decrypt/*" { capabilities = ["create", "update"] } path "geode/keys/master-key/rotate" { capabilities = ["update"] } EOF # Create token with policy vault token create -policy=geode-tde -ttl=8760h </code></pre></div> <h5 id="3-configure-geode" class="position-relative d-flex align-items-center group"> 3. Configure Geode <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="3-configure-geode" aria-haspopup="dialog" aria-label="Share link: 3. Configure Geode"> Share link </button> </h5>Create <code>geode.yaml</code>: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: enabled: true kms: provider: vault vault: address: "https://vault.company.com:8200" token: "${VAULT_TOKEN}" key_path: "geode/keys/master-key" namespace: "geode" # Optional tls_verify: true ca_cert: "/etc/geode/vault-ca.pem" # Optional </code></pre></div>Start Geode: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">export VAULT_TOKEN="hvs.CAESI..." ./geode serve --config geode.yaml </code></pre></div> <h4 id="vault-operations" class="position-relative d-flex align-items-center group"> Vault Operations <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="vault-operations" aria-haspopup="dialog" aria-label="Share link: Vault Operations"> Share link </button> </h4> <h5 id="encrypt-data-key" class="position-relative d-flex align-items-center group"> Encrypt Data Key <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="encrypt-data-key" aria-haspopup="dialog" aria-label="Share link: Encrypt Data Key"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Geode automatically wraps DEKs # Manual example: vault write geode/encrypt/master-key \ plaintext=$(echo -n "data-encryption-key-32-bytes" | base64) </code></pre></div> <h5 id="decrypt-data-key" class="position-relative d-flex align-items-center group"> Decrypt Data Key <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="decrypt-data-key" aria-haspopup="dialog" aria-label="Share link: Decrypt Data Key"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash">vault write geode/decrypt/master-key \ ciphertext="vault:v1:abcd1234..." </code></pre></div> <h5 id="rotate-master-key" class="position-relative d-flex align-items-center group"> Rotate Master Key <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="rotate-master-key" aria-haspopup="dialog" aria-label="Share link: Rotate Master Key"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Rotate Vault key vault write -f geode/keys/master-key/rotate # Trigger Geode rewrap geode key rewrap --kms-provider vault </code></pre></div> <h4 id="high-availability" class="position-relative d-flex align-items-center group"> High Availability <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="high-availability" aria-haspopup="dialog" aria-label="Share link: High Availability"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: vault: address: "https://vault-cluster.company.com:8200" max_retries: 3 timeout: 30s standby_addresses: - "https://vault-1.company.com:8200" - "https://vault-2.company.com:8200" - "https://vault-3.company.com:8200" </code></pre></div> <h3 id="aws-kms-integration" class="position-relative d-flex align-items-center group"> AWS KMS Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="aws-kms-integration" aria-haspopup="dialog" aria-label="Share link: AWS KMS Integration"> Share link </button> </h3> <h4 id="prerequisites-1" class="position-relative d-flex align-items-center group"> Prerequisites <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="prerequisites-1" aria-haspopup="dialog" aria-label="Share link: Prerequisites"> Share link </button> </h4><ul> <li>AWS account with KMS permissions</li> <li>IAM role or access keys</li> <li>KMS key created in desired region</li> </ul> <h4 id="setup-steps-1" class="position-relative d-flex align-items-center group"> Setup Steps <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="setup-steps-1" aria-haspopup="dialog" aria-label="Share link: Setup Steps"> Share link </button> </h4> <h5 id="1-create-kms-key" class="position-relative d-flex align-items-center group"> 1. Create KMS Key <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="1-create-kms-key" aria-haspopup="dialog" aria-label="Share link: 1. Create KMS Key"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Create customer-managed key aws kms create-key \ --description "Geode TDE Master Key" \ --key-usage ENCRYPT_DECRYPT \ --origin AWS_KMS \ --multi-region # Create alias aws kms create-alias \ --alias-name alias/geode-tde \ --target-key-id <key-id> </code></pre></div> <h5 id="2-configure-iam-policy" class="position-relative d-flex align-items-center group"> 2. Configure IAM Policy <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="2-configure-iam-policy" aria-haspopup="dialog" aria-label="Share link: 2. Configure IAM Policy"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "arn:aws:kms:*:123456789012:key/*", "Condition": { "StringEquals": { "kms:EncryptionContext:Application": "Geode" } } } ] } </code></pre></div> <h5 id="3-configure-geode-1" class="position-relative d-flex align-items-center group"> 3. Configure Geode <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="3-configure-geode-1" aria-haspopup="dialog" aria-label="Share link: 3. Configure Geode"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: enabled: true kms: provider: aws aws: region: "us-east-1" key_id: "arn:aws:kms:us-east-1:123456789012:key/..." # Or use alias: # key_id: "alias/geode-tde" encryption_context: Application: "Geode" Environment: "production" </code></pre></div> <h4 id="multi-region-deployment" class="position-relative d-flex align-items-center group"> Multi-Region Deployment <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="multi-region-deployment" aria-haspopup="dialog" aria-label="Share link: Multi-Region Deployment"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: aws: # Primary region region: "us-east-1" key_id: "arn:aws:kms:us-east-1:123456789012:key/..." # Replicas for DR replica_keys: eu-west-1: "arn:aws:kms:eu-west-1:123456789012:key/..." ap-southeast-1: "arn:aws:kms:ap-southeast-1:123456789012:key/..." </code></pre></div> <h4 id="cost-optimization" class="position-relative d-flex align-items-center group"> Cost Optimization <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="cost-optimization" aria-haspopup="dialog" aria-label="Share link: Cost Optimization"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: aws: # Cache DEK for 1 hour data_key_cache_seconds: 3600 # Use 256-bit keys data_key_spec: "AES_256" </code></pre></div>Estimated costs (AWS pricing): <ul> <li>Key storage: $1/month per key</li> <li>API requests: $0.03 per 10,000 requests</li> <li>With 1-hour cache: ~$5/month for 1M operations/day</li> </ul> <h3 id="azure-key-vault-integration" class="position-relative d-flex align-items-center group"> Azure Key Vault Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="azure-key-vault-integration" aria-haspopup="dialog" aria-label="Share link: Azure Key Vault Integration"> Share link </button> </h3> <h4 id="setup-steps-2" class="position-relative d-flex align-items-center group"> Setup Steps <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="setup-steps-2" aria-haspopup="dialog" aria-label="Share link: Setup Steps"> Share link </button> </h4> <h5 id="1-create-key-vault" class="position-relative d-flex align-items-center group"> 1. Create Key Vault <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="1-create-key-vault" aria-haspopup="dialog" aria-label="Share link: 1. Create Key Vault"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Create Key Vault az keyvault create \ --name geode-kms \ --resource-group geode-rg \ --location eastus \ --enable-purge-protection true # Create encryption key az keyvault key create \ --vault-name geode-kms \ --name geode-master-key \ --protection hsm \ --ops encrypt decrypt wrapKey unwrapKey </code></pre></div> <h5 id="2-configure-managed-identity" class="position-relative d-flex align-items-center group"> 2. Configure Managed Identity <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="2-configure-managed-identity" aria-haspopup="dialog" aria-label="Share link: 2. Configure Managed Identity"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Create managed identity for Geode az identity create \ --name geode-identity \ --resource-group geode-rg # Grant key permissions az keyvault set-policy \ --name geode-kms \ --object-id <identity-object-id> \ --key-permissions encrypt decrypt wrapKey unwrapKey get </code></pre></div> <h5 id="3-configure-geode-2" class="position-relative d-flex align-items-center group"> 3. Configure Geode <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="3-configure-geode-2" aria-haspopup="dialog" aria-label="Share link: 3. Configure Geode"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: provider: azure azure: vault_url: "https://geode-kms.vault.azure.net/" key_name: "geode-master-key" tenant_id: "..." client_id: "..." # Managed identity # Or use client secret: # client_secret: "${AZURE_CLIENT_SECRET}" </code></pre></div> <h3 id="gcp-cloud-kms-integration" class="position-relative d-flex align-items-center group"> GCP Cloud KMS Integration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="gcp-cloud-kms-integration" aria-haspopup="dialog" aria-label="Share link: GCP Cloud KMS Integration"> Share link </button> </h3> <h4 id="setup-steps-3" class="position-relative d-flex align-items-center group"> Setup Steps <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="setup-steps-3" aria-haspopup="dialog" aria-label="Share link: Setup Steps"> Share link </button> </h4> <h5 id="1-create-keyring-and-key" class="position-relative d-flex align-items-center group"> 1. Create Keyring and Key <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="1-create-keyring-and-key" aria-haspopup="dialog" aria-label="Share link: 1. Create Keyring and Key"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Create keyring gcloud kms keyrings create geode-keyring \ --location us-east1 # Create key gcloud kms keys create geode-master-key \ --location us-east1 \ --keyring geode-keyring \ --purpose encryption \ --protection-level hsm </code></pre></div> <h5 id="2-configure-iam" class="position-relative d-flex align-items-center group"> 2. Configure IAM <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="2-configure-iam" aria-haspopup="dialog" aria-label="Share link: 2. Configure IAM"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Grant Geode service account permissions gcloud kms keys add-iam-policy-binding geode-master-key \ --location us-east1 \ --keyring geode-keyring \ --member serviceAccount:[email protected] \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter </code></pre></div> <h5 id="3-configure-geode-3" class="position-relative d-flex align-items-center group"> 3. Configure Geode <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="3-configure-geode-3" aria-haspopup="dialog" aria-label="Share link: 3. Configure Geode"> Share link </button> </h5><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: provider: gcp gcp: project_id: "my-project" location: "us-east1" keyring: "geode-keyring" key_name: "geode-master-key" credentials_file: "/etc/geode/gcp-credentials.json" </code></pre></div> <h3 id="key-rotation" class="position-relative d-flex align-items-center group"> Key Rotation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-rotation" aria-haspopup="dialog" aria-label="Share link: Key Rotation"> Share link </button> </h3> <h4 id="automatic-rotation" class="position-relative d-flex align-items-center group"> Automatic Rotation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="automatic-rotation" aria-haspopup="dialog" aria-label="Share link: Automatic Rotation"> Share link </button> </h4>Configure automatic rotation policies: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: rotation: enabled: true schedule: "0 0 * * 0" # Weekly on Sunday min_age: "90d" max_age: "365d" rewrap_on_rotate: true </code></pre></div> <h4 id="manual-rotation" class="position-relative d-flex align-items-center group"> Manual Rotation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="manual-rotation" aria-haspopup="dialog" aria-label="Share link: Manual Rotation"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Rotate master key in KMS geode key rotate --scope master # Rewrap all DEKs with new master key geode key rewrap --all # Check rotation status geode key status </code></pre></div>Output: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Master Key Status: Current Version: v3 Created: 2026-01-15 10:30:00 UTC Rotated: 2026-01-20 14:22:00 UTC Next Rotation: 2026-04-20 (in 89 days) Data Encryption Keys: Active DEKs: 2 Rewrap Progress: 100% (5,234 / 5,234 keys) Last Rewrap: 2026-01-20 14:25:33 UTC </code></pre></div> <h4 id="rotation-best-practices" class="position-relative d-flex align-items-center group"> Rotation Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="rotation-best-practices" aria-haspopup="dialog" aria-label="Share link: Rotation Best Practices"> Share link </button> </h4><ol> <li>Schedule regular rotations: 90 days for compliance, 365 days for balance</li> <li>Test in staging: Verify rotation process before production</li> <li>Monitor progress: Track rewrap completion</li> <li>Backup before rotation: Create backup before major key changes</li> <li>Audit rotation events: Log all rotation activities</li> </ol> <h3 id="performance--optimization" class="position-relative d-flex align-items-center group"> Performance &amp; Optimization <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="performance--optimization" aria-haspopup="dialog" aria-label="Share link: Performance &amp; Optimization"> Share link </button> </h3> <h4 id="benchmarks" class="position-relative d-flex align-items-center group"> Benchmarks <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="benchmarks" aria-haspopup="dialog" aria-label="Share link: Benchmarks"> Share link </button> </h4><table> <thead> <tr> <th>Operation</th> <th>Expected Behavior</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>DEK wrap/unwrap</td> <td>External KMS latency (milliseconds-scale)</td> <td>Primarily at startup or rotation</td> </tr> <tr> <td>DEK cache hit</td> <td>Microsecond-scale</td> <td>Hot path</td> </tr> <tr> <td>Page encryption (local DEK)</td> <td>Sub-millisecond</td> <td>Low overhead</td> </tr> <tr> <td>KMS API call</td> <td>External latency</td> <td>Cached and infrequent</td> </tr> </tbody> </table> <h4 id="caching-strategy" class="position-relative d-flex align-items-center group"> Caching Strategy <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="caching-strategy" aria-haspopup="dialog" aria-label="Share link: Caching Strategy"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: cache: enabled: true ttl: 3600 # 1 hour max_size: 1000 # DEKs eviction: "lru" </code></pre></div>Cache behavior: <ul> <li>DEKs cached after unwrap</li> <li>Automatic refresh before expiry</li> <li>LRU eviction under memory pressure</li> <li>Track cache hit rate with telemetry and tune TTL/size</li> </ul> <h4 id="connection-pooling" class="position-relative d-flex align-items-center group"> Connection Pooling <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="connection-pooling" aria-haspopup="dialog" aria-label="Share link: Connection Pooling"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: vault: connection_pool: max_connections: 10 idle_timeout: 300s connection_timeout: 30s </code></pre></div> <h3 id="security-best-practices" class="position-relative d-flex align-items-center group"> Security Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-best-practices" aria-haspopup="dialog" aria-label="Share link: Security Best Practices"> Share link </button> </h3> <h4 id="key-lifecycle" class="position-relative d-flex align-items-center group"> Key Lifecycle <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-lifecycle" aria-haspopup="dialog" aria-label="Share link: Key Lifecycle"> Share link </button> </h4><ol> <li>Generation: Use KMS native key generation (HSM-backed)</li> <li>Storage: Never store plaintext master keys</li> <li>Access: Restrict KMS permissions to Geode service account only</li> <li>Rotation: Regular rotation (90-365 days)</li> <li>Destruction: Secure key destruction per compliance requirements</li> </ol> <h4 id="network-security" class="position-relative d-flex align-items-center group"> Network Security <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="network-security" aria-haspopup="dialog" aria-label="Share link: Network Security"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: vault: tls_verify: true ca_cert: "/etc/geode/ca.pem" client_cert: "/etc/geode/client.pem" # mTLS client_key: "/etc/geode/client-key.pem" min_tls_version: "1.3" </code></pre></div> <h4 id="authentication" class="position-relative d-flex align-items-center group"> Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication" aria-haspopup="dialog" aria-label="Share link: Authentication"> Share link </button> </h4>Vault: <ul> <li>Use short-lived tokens (8-24 hours)</li> <li>Rotate tokens regularly</li> <li>Use Vault agents for token renewal</li> <li>Avoid hardcoding tokens</li> </ul> AWS: <ul> <li>Use IAM roles (not access keys)</li> <li>Enable MFA for key operations</li> <li>Use condition keys in policies</li> <li>Audit key usage with CloudTrail</li> </ul> Azure: <ul> <li>Use managed identities</li> <li>Enable Key Vault firewall</li> <li>Require VNet integration</li> <li>Monitor with Azure Monitor</li> </ul> <h4 id="audit--compliance" class="position-relative d-flex align-items-center group"> Audit &amp; Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit--compliance" aria-haspopup="dialog" aria-label="Share link: Audit &amp; Compliance"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: audit: enabled: true log_key_operations: true log_rotation_events: true log_rewrap_operations: true output: "/var/log/geode/kms-audit.log" format: "json" </code></pre></div>Audit log example: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "timestamp": "2026-01-24T10:30:00Z", "operation": "unwrap_dek", "kms_provider": "vault", "key_id": "master-key-v3", "dek_id": "dek-12345", "user": "geode-service", "result": "success", "latency_ms": 45 } </code></pre></div> <h3 id="disaster-recovery" class="position-relative d-flex align-items-center group"> Disaster Recovery <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="disaster-recovery" aria-haspopup="dialog" aria-label="Share link: Disaster Recovery"> Share link </button> </h3> <h4 id="backup-strategy" class="position-relative d-flex align-items-center group"> Backup Strategy <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="backup-strategy" aria-haspopup="dialog" aria-label="Share link: Backup Strategy"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Backup KMS configuration geode backup kms-config --output /backup/kms-config.json # Backup encrypted DEKs (wrapped) geode backup deks --output /backup/deks-encrypted.json # Backup rotation state geode backup rotation-state --output /backup/rotation.json </code></pre></div> <h4 id="recovery-process" class="position-relative d-flex align-items-center group"> Recovery Process <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="recovery-process" aria-haspopup="dialog" aria-label="Share link: Recovery Process"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># 1. Restore KMS configuration geode restore kms-config --input /backup/kms-config.json # 2. Verify KMS connectivity geode verify kms --provider vault # 3. Restore DEKs geode restore deks --input /backup/deks-encrypted.json # 4. Restore rotation state geode restore rotation-state --input /backup/rotation.json # 5. Verify data access geode query "RETURN 1" --verify-encryption </code></pre></div> <h4 id="multi-region-failover" class="position-relative d-flex align-items-center group"> Multi-Region Failover <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="multi-region-failover" aria-haspopup="dialog" aria-label="Share link: Multi-Region Failover"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: kms: failover: enabled: true primary: "vault-us-east.company.com" replicas: - "vault-us-west.company.com" - "vault-eu-west.company.com" health_check_interval: 30s failover_timeout: 10s </code></pre></div> <h3 id="troubleshooting" class="position-relative d-flex align-items-center group"> Troubleshooting <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="troubleshooting" aria-haspopup="dialog" aria-label="Share link: Troubleshooting"> Share link </button> </h3> <h4 id="issue-kms-connection-failures" class="position-relative d-flex align-items-center group"> Issue: KMS Connection Failures <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="issue-kms-connection-failures" aria-haspopup="dialog" aria-label="Share link: Issue: KMS Connection Failures"> Share link </button> </h4>Error: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Error: Failed to connect to KMS provider: connection timeout </code></pre></div>Diagnosis: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Test network connectivity curl -v https://vault.company.com:8200/v1/sys/health # Verify credentials vault token lookup # Check Geode logs tail -f /var/log/geode/kms.log </code></pre></div>Solutions: <ol> <li>Verify network access (firewall, VPN)</li> <li>Check KMS service health</li> <li>Validate credentials/tokens</li> <li>Review timeout settings</li> </ol> <h4 id="issue-dek-unwrap-failures" class="position-relative d-flex align-items-center group"> Issue: DEK Unwrap Failures <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="issue-dek-unwrap-failures" aria-haspopup="dialog" aria-label="Share link: Issue: DEK Unwrap Failures"> Share link </button> </h4>Error: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Error: Failed to unwrap data encryption key: invalid ciphertext </code></pre></div>Causes: <ul> <li>Corrupted wrapped DEK</li> <li>Wrong master key version</li> <li>KMS key deleted</li> </ul> Solutions: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Check key status geode key status --verbose # Verify KMS key exists vault read geode/keys/master-key # Attempt rewrap geode key rewrap --force --dek-id <id> </code></pre></div> <h4 id="issue-high-kms-latency" class="position-relative d-flex align-items-center group"> Issue: High KMS Latency <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="issue-high-kms-latency" aria-haspopup="dialog" aria-label="Share link: Issue: High KMS Latency"> Share link </button> </h4>Symptom: Slow database startup or high operation latency Diagnosis: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Profile KMS operations geode profile kms --duration 60s # Check cache hit rate geode stats kms-cache </code></pre></div>Solutions: <ol> <li>Increase DEK cache TTL</li> <li>Use connection pooling</li> <li>Deploy regional KMS replicas</li> <li>Enable local cache warmup</li> </ol> <h3 id="compliance--standards" class="position-relative d-flex align-items-center group"> Compliance &amp; Standards <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance--standards" aria-haspopup="dialog" aria-label="Share link: Compliance &amp; Standards"> Share link </button> </h3> <h4 id="regulatory-requirements" class="position-relative d-flex align-items-center group"> Regulatory Requirements <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="regulatory-requirements" aria-haspopup="dialog" aria-label="Share link: Regulatory Requirements"> Share link </button> </h4><table> <thead> <tr> <th>Regulation</th> <th>Requirement</th> <th>Geode Support</th> </tr> </thead> <tbody> <tr> <td>PCI-DSS</td> <td>Key rotation every 365 days</td> <td>✅ Automated rotation</td> </tr> <tr> <td>HIPAA</td> <td>Encryption key management</td> <td>✅ KMS integration</td> </tr> <tr> <td>SOX</td> <td>Access control & audit</td> <td>✅ Complete audit trail</td> </tr> <tr> <td>GDPR</td> <td>Data protection at rest</td> <td>✅ TDE with KMS</td> </tr> <tr> <td>FIPS 140-2</td> <td>HSM-backed keys</td> <td>✅ Vault/AWS KMS HSM</td> </tr> </tbody> </table> <h4 id="audit-requirements" class="position-relative d-flex align-items-center group"> Audit Requirements <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-requirements" aria-haspopup="dialog" aria-label="Share link: Audit Requirements"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">security: tde: audit: # PCI-DSS requirements log_all_key_access: true log_failed_operations: true log_rotation_events: true # SOX requirements tamper_proof_logs: true log_retention_days: 2555 # 7 years # HIPAA requirements encryption_algorithm_logging: true key_lifecycle_logging: true </code></pre></div> <h3 id="next-steps" class="position-relative d-flex align-items-center group"> Next Steps <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="next-steps" aria-haspopup="dialog" aria-label="Share link: Next Steps"> Share link </button> </h3><ul> <li><a href="/docs/security/field-level-encryption/" >Field-Level Encryption</a> - Selective field encryption</li> <li><a href="/docs/security/overview/" >Security Overview</a> - Complete security architecture</li> <li><a href="/docs/security/field-level-encryption/" >Field-Level Encryption</a> - TDE and field-level encryption details</li> <li><a href="/docs/guides/backup-automation/" >Backup Automation</a> - Backup integration with KMS</li> <li><a href="/docs/configuration/server-configuration/" >Server Configuration</a> - KMS configuration options</li> </ul> <h3 id="references" class="position-relative d-flex align-items-center group"> References <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="references" aria-haspopup="dialog" aria-label="Share link: References"> Share link </button> </h3><ul> <li><a href="https://developer.hashicorp.com/vault/docs/secrets/transit" aria-label="HashiCorp Vault Transit – opens in new window" target="_blank" rel="noopener noreferrer" >HashiCorp Vault Transit ↗ </a> - Vault encryption engine</li> <li><a href="https://docs.aws.amazon.com/kms/" aria-label="AWS KMS Documentation – opens in new window" target="_blank" rel="noopener noreferrer" >AWS KMS Documentation ↗ </a> - AWS key management</li> <li><a href="https://learn.microsoft.com/en-us/azure/key-vault/" aria-label="Azure Key Vault – opens in new window" target="_blank" rel="noopener noreferrer" >Azure Key Vault ↗ </a> - Azure KMS</li> <li><a href="https://cloud.google.com/kms/docs" aria-label="GCP Cloud KMS – opens in new window" target="_blank" rel="noopener noreferrer" >GCP Cloud KMS ↗ </a> - Google Cloud KMS</li> <li><a href="https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final" aria-label="NIST SP 800-57 – opens in new window" target="_blank" rel="noopener noreferrer" >NIST SP 800-57 ↗ </a> - Key management</li> </ul> <hr> License: Apache License 2.0 Copyright: 2024-2025 CodePros Last Updated: January 2026