Cryptography and Cryptographic Primitives

Geode employs modern, industry-standard cryptographic primitives throughout its security architecture. This documentation covers the cryptographic algorithms, protocols, and implementations used to protect data at rest, in transit, and during processing. Understanding these foundations helps security teams evaluate Geode’s security posture and configure appropriate cryptographic settings. <h3 id="cryptographic-overview" class="position-relative d-flex align-items-center group"> Cryptographic Overview <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="cryptographic-overview" aria-haspopup="dialog" aria-label="Share link: Cryptographic Overview"> Share link </button> </h3><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Geode’s cryptographic subsystem provides: <ul> <li>Confidentiality: AES-256-GCM and ChaCha20-Poly1305 for data encryption</li> <li>Integrity: HMAC-SHA256 and Poly1305 for data integrity verification</li> <li>Authentication: Ed25519 and ECDSA for digital signatures</li> <li>Password Security: Argon2id for password hashing</li> <li>Key Exchange: X25519 and ECDHE for secure key agreement</li> <li>Random Generation: Cryptographically secure random number generation</li> </ul> <h3 id="symmetric-encryption" class="position-relative d-flex align-items-center group"> Symmetric Encryption <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="symmetric-encryption" aria-haspopup="dialog" aria-label="Share link: Symmetric Encryption"> Share link </button> </h3> <h4 id="aes-256-gcm" class="position-relative d-flex align-items-center group"> AES-256-GCM <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="aes-256-gcm" aria-haspopup="dialog" aria-label="Share link: AES-256-GCM"> Share link </button> </h4>Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode is the primary encryption algorithm for data at rest: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Algorithm: AES-256-GCM Key Size: 256 bits Block Size: 128 bits Mode: Galois/Counter Mode (authenticated encryption) Nonce Size: 96 bits (12 bytes) Tag Size: 128 bits (16 bytes) </code></pre></div>Characteristics: <ul> <li>Authenticated encryption (AEAD) - provides confidentiality and integrity</li> <li>Hardware acceleration via AES-NI on modern CPUs</li> <li>Parallel encryption/decryption for high performance</li> <li>Standard for NIST, PCI DSS, and HIPAA compliance</li> </ul> Usage in Geode: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml encryption: algorithm: aes-256-gcm key_derivation: hkdf-sha256 nonce_generation: random </code></pre></div>Performance Characteristics: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3">Benchmark (Intel Xeon with AES-NI): Encryption: 4.2 GB/s Decryption: 4.5 GB/s Overhead: ~3-5% for typical workloads </code></pre></div> <h4 id="chacha20-poly1305" class="position-relative d-flex align-items-center group"> ChaCha20-Poly1305 <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="chacha20-poly1305" aria-haspopup="dialog" aria-label="Share link: ChaCha20-Poly1305"> Share link </button> </h4>Alternative authenticated encryption algorithm, preferred on systems without AES hardware acceleration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Algorithm: ChaCha20-Poly1305 Key Size: 256 bits Nonce Size: 96 bits (12 bytes) Tag Size: 128 bits (16 bytes) </code></pre></div>Characteristics: <ul> <li>Software-optimized, fast on all platforms</li> <li>Constant-time implementation (resistant to timing attacks)</li> <li>Used by TLS 1.3 and WireGuard</li> <li>Excellent for mobile and ARM devices</li> </ul> Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml encryption: algorithm: chacha20-poly1305 # Preferred for ARM/mobile or when AES-NI unavailable </code></pre></div> <h4 id="encryption-key-hierarchy" class="position-relative d-flex align-items-center group"> Encryption Key Hierarchy <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="encryption-key-hierarchy" aria-haspopup="dialog" aria-label="Share link: Encryption Key Hierarchy"> Share link </button> </h4>Geode uses a hierarchical key structure: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Master Key (stored in HSM/KMS) | +-- Key Encryption Key (KEK) 1 | | | +-- Data Encryption Key (DEK) for Graph Data | +-- Data Encryption Key (DEK) for Indexes | +-- Key Encryption Key (KEK) 2 | +-- Data Encryption Key (DEK) for Transaction Logs +-- Data Encryption Key (DEK) for Backups </code></pre></div>Key Derivation: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml key_derivation: function: hkdf-sha256 salt_size: 256 # bits info: "geode-dek-v1" # Key rotation rotation: master_key: 90d kek: 180d dek: 365d </code></pre></div> <h3 id="asymmetric-cryptography" class="position-relative d-flex align-items-center group"> Asymmetric Cryptography <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="asymmetric-cryptography" aria-haspopup="dialog" aria-label="Share link: Asymmetric Cryptography"> Share link </button> </h3> <h4 id="ed25519-digital-signatures" class="position-relative d-flex align-items-center group"> Ed25519 Digital Signatures <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="ed25519-digital-signatures" aria-haspopup="dialog" aria-label="Share link: Ed25519 Digital Signatures"> Share link </button> </h4>Edwards-curve Digital Signature Algorithm for authentication and integrity: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Algorithm: Ed25519 Key Size: 256 bits (32 bytes) Signature Size: 512 bits (64 bytes) Security Level: ~128 bits </code></pre></div>Characteristics: <ul> <li>Fast signature generation and verification</li> <li>Deterministic signatures (no random nonce needed)</li> <li>Small keys and signatures</li> <li>Resistant to timing attacks</li> </ul> Usage in Geode: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml signatures: algorithm: ed25519 # Sign audit logs audit_log_signing: true # Sign backups backup_signing: true # Sign cluster communication cluster_signing: true </code></pre></div>Code Example (Key Generation): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Generate Ed25519 key pair geode keygen --algorithm=ed25519 \ --output=/etc/geode/keys/signing.key \ --public-output=/etc/geode/keys/signing.pub </code></pre></div> <h4 id="ecdsa-signatures" class="position-relative d-flex align-items-center group"> ECDSA Signatures <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="ecdsa-signatures" aria-haspopup="dialog" aria-label="Share link: ECDSA Signatures"> Share link </button> </h4>Elliptic Curve Digital Signature Algorithm for TLS certificates: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Curve: P-256 (secp256r1) or P-384 (secp384r1) Key Size: 256 or 384 bits Signature Size: ~64 or 96 bytes </code></pre></div>Certificate Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml tls: certificate: algorithm: ecdsa curve: p-384 # or p-256 </code></pre></div> <h4 id="x25519-key-exchange" class="position-relative d-flex align-items-center group"> X25519 Key Exchange <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="x25519-key-exchange" aria-haspopup="dialog" aria-label="Share link: X25519 Key Exchange"> Share link </button> </h4>Elliptic Curve Diffie-Hellman for secure key agreement: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Algorithm: X25519 (Curve25519) Key Size: 256 bits Shared Secret: 256 bits Security Level: ~128 bits </code></pre></div>Usage in TLS 1.3: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml tls: key_exchange: algorithms: - x25519 - secp384r1 # fallback </code></pre></div> <h3 id="hashing-functions" class="position-relative d-flex align-items-center group"> Hashing Functions <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hashing-functions" aria-haspopup="dialog" aria-label="Share link: Hashing Functions"> Share link </button> </h3> <h4 id="sha-256-and-sha-384" class="position-relative d-flex align-items-center group"> SHA-256 and SHA-384 <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="sha-256-and-sha-384" aria-haspopup="dialog" aria-label="Share link: SHA-256 and SHA-384"> Share link </button> </h4>Secure Hash Algorithm for data integrity: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">SHA-256: Output Size: 256 bits (32 bytes) Block Size: 512 bits Use: General integrity checking SHA-384: Output Size: 384 bits (48 bytes) Block Size: 1024 bits Use: Higher security requirements </code></pre></div>Usage: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml integrity: algorithm: sha-256 # or sha-384 # Hash data pages page_checksums: true # Hash transaction logs transaction_log_hashing: true </code></pre></div> <h4 id="blake3" class="position-relative d-flex align-items-center group"> BLAKE3 <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="blake3" aria-haspopup="dialog" aria-label="Share link: BLAKE3"> Share link </button> </h4>Modern, high-performance cryptographic hash: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Algorithm: BLAKE3 Output Size: Variable (default 256 bits) Speed: 4x faster than SHA-256 Security Level: 128 bits </code></pre></div>Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml integrity: algorithm: blake3 # Recommended for high-throughput scenarios </code></pre></div> <h3 id="password-hashing" class="position-relative d-flex align-items-center group"> Password Hashing <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="password-hashing" aria-haspopup="dialog" aria-label="Share link: Password Hashing"> Share link </button> </h3> <h4 id="argon2id" class="position-relative d-flex align-items-center group"> Argon2id <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="argon2id" aria-haspopup="dialog" aria-label="Share link: Argon2id"> Share link </button> </h4>Memory-hard password hashing function (winner of Password Hashing Competition): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Algorithm: Argon2id (hybrid of Argon2i and Argon2d) Output Size: Variable (recommended 256 bits) Parameters: - Time Cost: Number of iterations - Memory Cost: Memory usage in KB - Parallelism: Number of threads </code></pre></div>Geode Default Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml auth: password_hashing: algorithm: argon2id time_cost: 3 memory_cost: 65536 # 64 MB parallelism: 4 hash_length: 32 # bytes </code></pre></div>Security Considerations: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># High-security configuration auth: password_hashing: algorithm: argon2id time_cost: 4 # More iterations memory_cost: 131072 # 128 MB parallelism: 8 # Target: ~500ms hash time on server hardware </code></pre></div> <h4 id="password-hash-verification" class="position-relative d-flex align-items-center group"> Password Hash Verification <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="password-hash-verification" aria-haspopup="dialog" aria-label="Share link: Password Hash Verification"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Verify password (internal implementation) -- Constant-time comparison prevents timing attacks -- Rate limiting prevents brute force attacks </code></pre></div> <h3 id="message-authentication" class="position-relative d-flex align-items-center group"> Message Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="message-authentication" aria-haspopup="dialog" aria-label="Share link: Message Authentication"> Share link </button> </h3> <h4 id="hmac-sha256" class="position-relative d-flex align-items-center group"> HMAC-SHA256 <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hmac-sha256" aria-haspopup="dialog" aria-label="Share link: HMAC-SHA256"> Share link </button> </h4>Hash-based Message Authentication Code for integrity and authenticity: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Algorithm: HMAC-SHA256 Key Size: 256 bits Tag Size: 256 bits </code></pre></div>Usage: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml authentication: # HMAC for API tokens token_algorithm: hmac-sha256 # HMAC for session cookies session_algorithm: hmac-sha256 </code></pre></div> <h4 id="poly1305" class="position-relative d-flex align-items-center group"> Poly1305 <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="poly1305" aria-haspopup="dialog" aria-label="Share link: Poly1305"> Share link </button> </h4>One-time authenticator, used with ChaCha20: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Algorithm: Poly1305 Key Size: 256 bits Tag Size: 128 bits </code></pre></div>Note: Poly1305 keys must never be reused. Geode automatically manages key uniqueness. <h3 id="random-number-generation" class="position-relative d-flex align-items-center group"> Random Number Generation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="random-number-generation" aria-haspopup="dialog" aria-label="Share link: Random Number Generation"> Share link </button> </h3> <h4 id="cryptographically-secure-prng" class="position-relative d-flex align-items-center group"> Cryptographically Secure PRNG <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="cryptographically-secure-prng" aria-haspopup="dialog" aria-label="Share link: Cryptographically Secure PRNG"> Share link </button> </h4>Geode uses system-provided CSPRNGs: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">Linux: /dev/urandom (getrandom syscall) macOS: SecRandomCopyBytes Windows: BCryptGenRandom Entropy Sources: - Hardware random (RDRAND/RDSEED) - Timing jitter - System events - Network traffic patterns </code></pre></div>Configuration: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml random: source: system # Uses OS CSPRNG hardware_rng: prefer # Use hardware RNG when available # Entropy health monitoring entropy_check: true min_entropy_bits: 256 </code></pre></div> <h4 id="nonce-generation" class="position-relative d-flex align-items-center group"> Nonce Generation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="nonce-generation" aria-haspopup="dialog" aria-label="Share link: Nonce Generation"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml encryption: nonce: generation: random # or counter-based size: 96 # bits (12 bytes for AES-GCM) # Counter-based for high-volume encryption # counter: # initial: random # increment: 1 </code></pre></div> <h3 id="key-management" class="position-relative d-flex align-items-center group"> Key Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-management" aria-haspopup="dialog" aria-label="Share link: Key Management"> Share link </button> </h3> <h4 id="key-generation" class="position-relative d-flex align-items-center group"> Key Generation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-generation" aria-haspopup="dialog" aria-label="Share link: Key Generation"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Generate encryption key geode keygen --algorithm=aes-256 \ --output=/etc/geode/keys/master.key \ --format=raw # Generate with passphrase protection geode keygen --algorithm=aes-256 \ --output=/etc/geode/keys/master.key \ --protect-with-passphrase \ --kdf=argon2id </code></pre></div> <h4 id="key-storage-options" class="position-relative d-flex align-items-center group"> Key Storage Options <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-storage-options" aria-haspopup="dialog" aria-label="Share link: Key Storage Options"> Share link </button> </h4>File-Based (Development): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">encryption: key_source: file key_file: /etc/geode/keys/master.key key_file_permissions: 0400 </code></pre></div>Environment Variable: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">encryption: key_source: env key_env_var: GEODE_MASTER_KEY key_encoding: base64 </code></pre></div>Hardware Security Module (HSM): <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">encryption: key_source: hsm hsm: provider: pkcs11 library: /usr/lib/softhsm/libsofthsm2.so slot: 0 pin_file: /etc/geode/hsm-pin.txt key_label: geode-master-key </code></pre></div>Cloud KMS: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">encryption: key_source: aws-kms aws_kms: key_id: arn:aws:kms:us-east-1:123456789012:key/abc123 region: us-east-1 # Or Google Cloud KMS encryption: key_source: gcp-kms gcp_kms: key_name: projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY # Or Azure Key Vault encryption: key_source: azure-keyvault azure_keyvault: vault_name: geode-keys key_name: master-key </code></pre></div> <h4 id="key-rotation" class="position-relative d-flex align-items-center group"> Key Rotation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-rotation" aria-haspopup="dialog" aria-label="Share link: Key Rotation"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Rotate master key geode key-rotate --key-type=master \ --new-key-source=hsm \ --grace-period=24h # Rotate data encryption keys geode key-rotate --key-type=dek \ --background=true \ --throttle=50mbps # Check rotation status geode key-rotate --status </code></pre></div> <h4 id="key-derivation" class="position-relative d-flex align-items-center group"> Key Derivation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="key-derivation" aria-haspopup="dialog" aria-label="Share link: Key Derivation"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml key_derivation: # HKDF for deriving multiple keys from master function: hkdf hash: sha-256 # Domain separation contexts: data: "geode-data-encryption-v1" index: "geode-index-encryption-v1" log: "geode-log-encryption-v1" backup: "geode-backup-encryption-v1" </code></pre></div> <h3 id="cryptographic-modes" class="position-relative d-flex align-items-center group"> Cryptographic Modes <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="cryptographic-modes" aria-haspopup="dialog" aria-label="Share link: Cryptographic Modes"> Share link </button> </h3> <h4 id="transparent-data-encryption-tde" class="position-relative d-flex align-items-center group"> Transparent Data Encryption (TDE) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="transparent-data-encryption-tde" aria-haspopup="dialog" aria-label="Share link: Transparent Data Encryption (TDE)"> Share link </button> </h4>Automatic encryption/decryption of data at storage layer: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml tde: enabled: true algorithm: aes-256-gcm # What to encrypt encrypt: data_files: true index_files: true transaction_logs: true temporary_files: true # Performance tuning cache_decrypted_pages: true cache_size: 1GB </code></pre></div> <h4 id="field-level-encryption-fle" class="position-relative d-flex align-items-center group"> Field-Level Encryption (FLE) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="field-level-encryption-fle" aria-haspopup="dialog" aria-label="Share link: Field-Level Encryption (FLE)"> Share link </button> </h4>Client-side encryption of specific fields: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Encrypt sensitive fields INSERT (:Person { name: 'Alice Smith', email: 'alice@example.com', ssn: encrypt($ssn, 'pii-key', 'aes-256-gcm'), salary: encrypt($salary, 'financial-key', 'aes-256-gcm') }); -- Decrypt when needed (requires key access) MATCH (p:Person {email: 'alice@example.com'}) RETURN p.name, decrypt(p.ssn, 'pii-key') AS ssn; </code></pre></div>Encryption Modes: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Deterministic encryption (allows equality comparison) encrypt_deterministic($value, $key) -- Randomized encryption (maximum security) encrypt_random($value, $key) -- Searchable encryption (allows pattern matching) encrypt_searchable($value, $key) </code></pre></div> <h3 id="fips-140-2-compliance" class="position-relative d-flex align-items-center group"> FIPS 140-2 Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="fips-140-2-compliance" aria-haspopup="dialog" aria-label="Share link: FIPS 140-2 Compliance"> Share link </button> </h3>For organizations requiring FIPS 140-2 validated cryptography: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml fips: enabled: true mode: 140-2 # or 140-3 # Use FIPS-validated crypto library crypto_library: openssl-fips # Restrict to FIPS-approved algorithms algorithms: encryption: - aes-256-gcm - aes-256-cbc hashing: - sha-256 - sha-384 - sha-512 signatures: - ecdsa-p256 - ecdsa-p384 - rsa-2048 </code></pre></div>FIPS-Approved Algorithms in Geode: <table> <thead> <tr> <th>Category</th> <th>Algorithm</th> <th>FIPS Status</th> </tr> </thead> <tbody> <tr> <td>Symmetric</td> <td>AES-256-GCM</td> <td>Approved</td> </tr> <tr> <td>Symmetric</td> <td>ChaCha20-Poly1305</td> <td>Not FIPS</td> </tr> <tr> <td>Hash</td> <td>SHA-256/384/512</td> <td>Approved</td> </tr> <tr> <td>Hash</td> <td>BLAKE3</td> <td>Not FIPS</td> </tr> <tr> <td>Signature</td> <td>ECDSA (P-256/P-384)</td> <td>Approved</td> </tr> <tr> <td>Signature</td> <td>Ed25519</td> <td>Not FIPS</td> </tr> <tr> <td>Key Exchange</td> <td>ECDH (P-256/P-384)</td> <td>Approved</td> </tr> <tr> <td>Key Exchange</td> <td>X25519</td> <td>Not FIPS</td> </tr> <tr> <td>Password</td> <td>PBKDF2-HMAC-SHA256</td> <td>Approved</td> </tr> <tr> <td>Password</td> <td>Argon2id</td> <td>Not FIPS</td> </tr> </tbody> </table> <h3 id="post-quantum-considerations" class="position-relative d-flex align-items-center group"> Post-Quantum Considerations <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="post-quantum-considerations" aria-haspopup="dialog" aria-label="Share link: Post-Quantum Considerations"> Share link </button> </h3>Geode is preparing for post-quantum cryptography: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml (experimental) post_quantum: enabled: false # Not yet production-ready algorithms: key_encapsulation: kyber-1024 signature: dilithium-3 # Hybrid mode (classical + post-quantum) hybrid_mode: true </code></pre></div>Timeline: Full post-quantum support planned for 2027 following NIST standardization. <h3 id="performance-optimization" class="position-relative d-flex align-items-center group"> Performance Optimization <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="performance-optimization" aria-haspopup="dialog" aria-label="Share link: Performance Optimization"> Share link </button> </h3> <h4 id="hardware-acceleration" class="position-relative d-flex align-items-center group"> Hardware Acceleration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hardware-acceleration" aria-haspopup="dialog" aria-label="Share link: Hardware Acceleration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Check available hardware acceleration geode crypto-check # Output: # Hardware Acceleration Status: # AES-NI: Available # AVX2: Available # AVX-512: Available # SHA Extensions: Available # RDRAND: Available # RDSEED: Available # Estimated performance: 4.2 GB/s encryption </code></pre></div> <h4 id="tuning-configuration" class="position-relative d-flex align-items-center group"> Tuning Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="tuning-configuration" aria-haspopup="dialog" aria-label="Share link: Tuning Configuration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># geode.yaml crypto: # Use hardware acceleration hardware_acceleration: true # Parallel encryption threads threads: 4 # Batch size for encryption operations batch_size: 4MB # Cache encrypted pages encryption_cache: enabled: true size: 1GB </code></pre></div> <h4 id="benchmarking" class="position-relative d-flex align-items-center group"> Benchmarking <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="benchmarking" aria-haspopup="dialog" aria-label="Share link: Benchmarking"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Benchmark cryptographic operations geode crypto-benchmark # Output: # Encryption Benchmarks: # AES-256-GCM (1KB): 2.1M ops/sec # AES-256-GCM (1MB): 4.2 GB/sec # ChaCha20-Poly1305: 3.8 GB/sec # # Hashing Benchmarks: # SHA-256: 5.1 GB/sec # BLAKE3: 12.4 GB/sec # # Signature Benchmarks: # Ed25519 sign: 55,000 ops/sec # Ed25519 verify: 18,000 ops/sec </code></pre></div> <h3 id="security-best-practices" class="position-relative d-flex align-items-center group"> Security Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-best-practices" aria-haspopup="dialog" aria-label="Share link: Security Best Practices"> Share link </button> </h3> <h4 id="1-use-authenticated-encryption" class="position-relative d-flex align-items-center group"> 1. Use Authenticated Encryption <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="1-use-authenticated-encryption" aria-haspopup="dialog" aria-label="Share link: 1. Use Authenticated Encryption"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># Always use AEAD modes encryption: algorithm: aes-256-gcm # Not aes-256-cbc # GCM provides confidentiality AND integrity </code></pre></div> <h4 id="2-protect-keys-appropriately" class="position-relative d-flex align-items-center group"> 2. Protect Keys Appropriately <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="2-protect-keys-appropriately" aria-haspopup="dialog" aria-label="Share link: 2. Protect Keys Appropriately"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># Production: Use HSM or KMS encryption: key_source: hsm # Not file # Never store keys in code or version control </code></pre></div> <h4 id="3-rotate-keys-regularly" class="position-relative d-flex align-items-center group"> 3. Rotate Keys Regularly <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="3-rotate-keys-regularly" aria-haspopup="dialog" aria-label="Share link: 3. Rotate Keys Regularly"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">key_rotation: master_key: 90d encryption_keys: 365d session_keys: 24h </code></pre></div> <h4 id="4-use-strong-random-numbers" class="position-relative d-flex align-items-center group"> 4. Use Strong Random Numbers <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="4-use-strong-random-numbers" aria-haspopup="dialog" aria-label="Share link: 4. Use Strong Random Numbers"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">random: source: system hardware_rng: require # Fail if unavailable </code></pre></div> <h4 id="5-implement-key-separation" class="position-relative d-flex align-items-center group"> 5. Implement Key Separation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="5-implement-key-separation" aria-haspopup="dialog" aria-label="Share link: 5. Implement Key Separation"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"># Different keys for different purposes keys: data_encryption: key1 backup_encryption: key2 audit_signing: key3 </code></pre></div> <h3 id="troubleshooting" class="position-relative d-flex align-items-center group"> Troubleshooting <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="troubleshooting" aria-haspopup="dialog" aria-label="Share link: Troubleshooting"> Share link </button> </h3> <h4 id="verifying-cryptographic-configuration" class="position-relative d-flex align-items-center group"> Verifying Cryptographic Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="verifying-cryptographic-configuration" aria-haspopup="dialog" aria-label="Share link: Verifying Cryptographic Configuration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Check crypto status geode crypto-status # Verify encryption is working geode crypto-test # Check key availability geode key-verify --key-source=hsm </code></pre></div> <h4 id="common-issues" class="position-relative d-flex align-items-center group"> Common Issues <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="common-issues" aria-haspopup="dialog" aria-label="Share link: Common Issues"> Share link </button> </h4>Slow Encryption: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Check if hardware acceleration is available geode crypto-check # If AES-NI not available, consider ChaCha20-Poly1305 </code></pre></div>Key Access Failures: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Verify HSM connectivity geode hsm-test --provider=pkcs11 # Check key permissions geode key-verify --verbose </code></pre></div> <h3 id="related-topics" class="position-relative d-flex align-items-center group"> Related Topics <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="related-topics" aria-haspopup="dialog" aria-label="Share link: Related Topics"> Share link </button> </h3><ul> <li><a href="/tags/encryption/" >Encryption</a> - Data encryption configuration</li> <li><a href="/tags/tls/" >TLS</a> - Transport layer security</li> <li><a href="/tags/security/" >Security</a> - Security overview</li> <li><a href="/tags/compliance/" >Compliance</a> - Regulatory requirements</li> <li><a href="/tags/key-management/" >Key Management</a> - Key lifecycle management</li> <li><a href="/tags/post-quantum/" >Post-Quantum</a> - Future-proof cryptography</li> </ul> <h3 id="further-reading" class="position-relative d-flex align-items-center group"> Further Reading <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="further-reading" aria-haspopup="dialog" aria-label="Share link: Further Reading"> Share link </button> </h3><ul> <li><a href="/docs/architecture/security-architecture/" >Security Architecture</a> - Security design</li> <li><a href="/docs/security/overview/" >Security Overview</a> - Encryption configuration</li> <li><a href="/docs/security/field-level-encryption/" >Field-Level Encryption</a> - FLE implementation</li> <li>Cryptographic Whitepaper - Detailed algorithm specifications</li> </ul>

Popular

Related Articles

Post-Quantum Readiness & Cryptography