<!-- CANARY: REQ=REQ-DOCS-001; FEATURE="Docs"; ASPECT=Documentation; STATUS=TESTED; OWNER=docs; UPDATED=2026-01-15 -->
<p>Geode encrypts graph data both at rest and in transit. The implementation uses standard, well-reviewed primitives (AES-256-GCM for stored data, TLS 1.3 on the wire) and a layered key hierarchy, giving confidentiality and integrity for sensitive data and a basis for meeting regulatory requirements.</p>
<h3 id="encryption-architecture" class="position-relative d-flex align-items-center group">
<span>Encryption Architecture</span>
</h3><p>Geode implements a multi-layered encryption architecture:</p>
<ul>
<li><strong>Encryption at Rest</strong>: All data files encrypted with AES-256-GCM</li>
<li><strong>Encryption in Transit</strong>: TLS 1.3 for all network communications</li>
<li><strong>Key Management</strong>: Hierarchical key structure with master keys, data encryption keys, and key encryption keys</li>
<li><strong>Memory Protection</strong>: Sensitive data encrypted in memory when possible</li>
<li><strong>Audit Log Encryption</strong>: Optional encryption of audit logs</li>
<li><strong>Backup Encryption</strong>: Encrypted backups with independent keys</li>
</ul>
<h3 id="encryption-at-rest" class="position-relative d-flex align-items-center group">
<span>Encryption at Rest</span>
</h3><p>All data stored by Geode is encrypted with AES-256 in Galois/Counter Mode (GCM). GCM is an authenticated-encryption mode: it provides confidentiality and, through its authentication tag, integrity, so a file that has been tampered with fails to decrypt instead of yielding silently corrupted data. This covers:</p>
<ul>
<li>Graph data (nodes and relationships)</li>
<li>Property values</li>
<li>Indexes</li>
<li>Transaction logs</li>
<li>Metadata</li>
<li>System catalogs</li>
</ul>
<h4 id="enabling-encryption-at-rest" class="position-relative d-flex align-items-center group">
<span>Enabling Encryption at Rest</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable encryption at rest with default settings</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-at-rest<span class="o">=</span>enabled <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-algorithm<span class="o">=</span>aes-256-gcm
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Use custom encryption key file</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-at-rest<span class="o">=</span>enabled <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-key-file<span class="o">=</span>/etc/geode/keys/master.key
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Generate a new master key</span>
</span></span><span class="line"><span class="cl">geode keygen --algorithm<span class="o">=</span>aes-256 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>/etc/geode/keys/master.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --protect-with-passphrase
</span></span></code></pre></div>
<h4 id="key-storage-options" class="position-relative d-flex align-items-center group">
<span>Key Storage Options</span>
</h4><p>Geode supports multiple key storage backends:</p>
<p><strong>File-based (Development)</strong>: the key lives on the same host as the data it protects, so anyone who can read the filesystem, or a backup or disk image of it, also holds the key. Keep the file readable by the service user only and use this mode for development.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Store keys in protected file</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-key-file<span class="o">=</span>/etc/geode/keys/master.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --key-file-permissions<span class="o">=</span><span class="m">0400</span>
</span></span></code></pre></div><p><strong>Environment Variable (Container Deployments)</strong>: an environment variable is readable by every process running as the same user (through <code>/proc/&lt;pid&gt;/environ</code>), is inherited by child processes, and tends to end up in container inspection output, crash dumps and debug logs; an <code>export</code> typed interactively also lands in shell history. Inject it from the orchestrator's secret store at start-up rather than baking it into an image or a shell profile.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Pass key via environment variable</span>
</span></span><span class="line"><span class="cl"><span class="nb">export</span> <span class="nv">GEODE_MASTER_KEY</span><span class="o">=</span><span class="s2">"base64-encoded-key-here"</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-key-source<span class="o">=</span>env:GEODE_MASTER_KEY
</span></span></code></pre></div><p><strong>Hardware Security Module (Production)</strong>: the master key stays inside the HSM and Geode reaches it through the PKCS#11 interface. Note that <code>libsofthsm2.so</code> in the example is SoftHSM, a software PKCS#11 implementation intended for testing; in production point <code>--hsm-library</code> at the vendor's PKCS#11 module, and protect the PIN file as tightly as a key file.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Use HSM for key storage</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-key-source<span class="o">=</span>hsm <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --hsm-provider<span class="o">=</span>pkcs11 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --hsm-library<span class="o">=</span>/usr/lib/softhsm/libsofthsm2.so <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --hsm-slot<span class="o">=</span><span class="m">0</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --hsm-pin-file<span class="o">=</span>/etc/geode/hsm-pin.txt
</span></span></code></pre></div><p><strong>Cloud Key Management Service</strong>: the master key never leaves the provider. Geode calls the KMS only to wrap and unwrap its key encryption keys, so the identity Geode runs under needs encrypt and decrypt (wrap and unwrap) rights on that one key and nothing more. Scope the key policy to that identity and keep the provider's key-usage audit log enabled.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># AWS KMS</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-key-source<span class="o">=</span>aws-kms <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-key-id<span class="o">=</span>arn:aws:kms:us-east-1:123456789012:key/abc123
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Google Cloud KMS</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-key-source<span class="o">=</span>gcp-kms <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-key-name<span class="o">=</span>projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Azure Key Vault</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-key-source<span class="o">=</span>azure-keyvault <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --keyvault-name<span class="o">=</span>mygeodekeys <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --keyvault-key-name<span class="o">=</span>master-key
</span></span></code></pre></div>
<h4 id="key-hierarchy" class="position-relative d-flex align-items-center group">
<span>Key Hierarchy</span>
</h4><p>Geode uses a hierarchical key structure for security and performance:</p>
<ol>
<li><strong>Master Key (MK)</strong>: Root of the key hierarchy, stored in HSM or KMS</li>
<li><strong>Key Encryption Keys (KEK)</strong>: Encrypted by master key, used to encrypt data encryption keys</li>
<li><strong>Data Encryption Keys (DEK)</strong>: Encrypted by KEK, used to encrypt actual data</li>
</ol>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Master Key (HSM/KMS)
</span></span><span class="line"><span class="cl"> |
</span></span><span class="line"><span class="cl"> +-- Key Encryption Key 1
</span></span><span class="line"><span class="cl"> | |
</span></span><span class="line"><span class="cl"> | +-- Data Encryption Key 1 (Graph Data)
</span></span><span class="line"><span class="cl"> | +-- Data Encryption Key 2 (Indexes)
</span></span><span class="line"><span class="cl"> |
</span></span><span class="line"><span class="cl"> +-- Key Encryption Key 2
</span></span><span class="line"><span class="cl"> |
</span></span><span class="line"><span class="cl"> +-- Data Encryption Key 3 (Transaction Logs)
</span></span><span class="line"><span class="cl"> +-- Data Encryption Key 4 (Backups)
</span></span></code></pre></div><p>This hierarchy provides:</p>
<ul>
<li><strong>Key Rotation</strong>: Rotating the master key only re-wraps the KEKs; DEKs and stored data are untouched</li>
<li><strong>Performance</strong>: Data encryption keys cached in memory</li>
<li><strong>Isolation</strong>: Different data types use different keys</li>
<li><strong>Recovery</strong>: Separate keys for backups and operational data</li>
</ul>
<h4 id="key-rotation" class="position-relative d-flex align-items-center group">
<span>Key Rotation</span>
</h4><p>Regular key rotation limits how much data any single key protects, shortens the window in which a leaked key is useful, and bounds the number of AES-GCM operations performed under one key (a repeated nonce under the same GCM key compromises both confidentiality and authenticity):</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Rotate master key (KEKs re-encrypted, DEKs unchanged)</span>
</span></span><span class="line"><span class="cl">geode key-rotate --key-type<span class="o">=</span>master <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --new-key-source<span class="o">=</span>hsm <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --old-key-file<span class="o">=</span>/etc/geode/keys/old-master.key
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Rotate data encryption keys (data re-encrypted in background)</span>
</span></span><span class="line"><span class="cl">geode key-rotate --key-type<span class="o">=</span>data <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --background<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --throttle<span class="o">=</span>50mbps
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Check key rotation progress</span>
</span></span><span class="line"><span class="cl">geode key-rotate --status
</span></span><span class="line"><span class="cl"><span class="c1"># Output: 45% complete, 1.2 TB of 2.7 TB re-encrypted</span>
</span></span></code></pre></div><p>Configure automatic key rotation:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Rotate master key quarterly, data keys annually</span>
</span></span><span class="line"><span class="cl">geode serve --key-rotation-schedule<span class="o">=</span>master:90d,data:365d <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --key-rotation-window<span class="o">=</span>02:00-06:00
</span></span></code></pre></div>
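<p>The hierarchy and rotation behaviour above, as an added Go example that is not Geode's code: a master key wraps a KEK, the KEK wraps a DEK, and records are sealed under the DEK with AES-256-GCM. Rotating the master key re-wraps only the KEK, so the stored ciphertext and the wrapped DEK are untouched while the retired master can no longer unwrap anything. Random in-process keys stand in for HSM/KMS material; the purpose labels, the nonce-prefixed ciphertext layout and the sample record are constructed for the example and say nothing about the format of Geode's own key files.</p>

```go
package main

// Added example, not Geode's code: a master -> KEK -> DEK hierarchy on
// AES-256-GCM. Rotating the master key re-wraps only the KEK; the wrapped
// DEK and every record encrypted under it stay byte-for-byte unchanged.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Purpose labels bound as GCM associated data: a wrapped DEK cannot be
// passed off where a wrapped KEK is expected.
var labelKEK, labelDEK = []byte("kek"), []byte("dek")

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 128-bit block
	return gcm
}

// seal encrypts under key with a fresh random 96-bit nonce prepended to the
// output. A nonce must never repeat under one key; that breaks GCM outright.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Hierarchy is what a store persists: wrapped keys only. The master key
// lives in the HSM/KMS and never appears here.
type Hierarchy struct {
	WrappedKEK []byte // KEK sealed under the master key
	WrappedDEK []byte // DEK sealed under the KEK
}

// ResolveDEK walks master -> KEK -> DEK, the path taken at startup.
func ResolveDEK(h *Hierarchy, master []byte) ([]byte, error) {
	kek, err := open(master, h.WrappedKEK, labelKEK)
	if err != nil {
		return nil, err
	}
	return open(kek, h.WrappedDEK, labelDEK)
}

// RotateMaster re-wraps the KEK under newMaster; nothing encrypted under
// the KEK or the DEK is touched, which is what makes this cheap.
func RotateMaster(h *Hierarchy, oldMaster, newMaster []byte) (*Hierarchy, error) {
	kek, err := open(oldMaster, h.WrappedKEK, labelKEK)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{seal(newMaster, kek, labelKEK), h.WrappedDEK}, nil
}

// RotationDemo builds the hierarchy, encrypts one constructed record, rotates
// the master key and reports: the record still decrypts via the new master,
// the wrapped DEK bytes are unchanged, the retired master is refused.
func RotationDemo() (stillDecrypts, dekUntouched, oldMasterRejected bool, err error) {
	record := []byte("(:Person {name: 'Alice Smith'})") // constructed sample row
	oldMaster, newMaster := randBytes(32), randBytes(32)
	kek, dek := randBytes(32), randBytes(32)
	h := &Hierarchy{seal(oldMaster, kek, labelKEK), seal(kek, dek, labelDEK)}
	ct := seal(dek, record, nil) // data written under the DEK
	h2, err := RotateMaster(h, oldMaster, newMaster)
	if err != nil {
		return
	}
	dek2, err := ResolveDEK(h2, newMaster)
	if err != nil {
		return
	}
	pt, err := open(dek2, ct, nil)
	stillDecrypts = err == nil && bytes.Equal(pt, record)
	dekUntouched = bytes.Equal(h.WrappedDEK, h2.WrappedDEK)
	_, e := ResolveDEK(h2, oldMaster)
	oldMasterRejected = e != nil
	return
}
```

<p>Rotating a data key is the expensive direction: every record under the old DEK has to be read, decrypted and re-sealed under the new one, which is why the page runs that rotation in the background with a throughput cap while the master rotation is a single re-wrap.</p>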
<h3 id="encryption-in-transit" class="position-relative d-flex align-items-center group">
<span>Encryption in Transit</span>
</h3><p>All network communications are encrypted with TLS 1.3 and strong cipher suites. Geode’s QUIC transport is always encrypted: QUIC carries the TLS 1.3 handshake inside the protocol itself, so there is no cleartext mode to disable.</p>
<h4 id="tls-configuration" class="position-relative d-flex align-items-center group">
<span>TLS Configuration</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Basic TLS configuration</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cert<span class="o">=</span>/etc/geode/certs/server.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key<span class="o">=</span>/etc/geode/certs/server.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-ca<span class="o">=</span>/etc/geode/certs/ca.crt
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Enforce TLS 1.3 only</span>
</span></span><span class="line"><span class="cl">geode serve --tls-min-version<span class="o">=</span>1.3 <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-max-version<span class="o">=</span>1.3
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Specify allowed cipher suites</span>
</span></span><span class="line"><span class="cl">geode serve --tls-cipher-suites<span class="o">=</span>TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256
</span></span></code></pre></div>
<h4 id="client-certificate-authentication" class="position-relative d-flex align-items-center group">
<span>Client Certificate Authentication</span>
</h4><p>Require every client to present a certificate issued by the client CA; the server rejects the handshake otherwise, so an unauthenticated client is refused before any request is processed:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable mutual TLS (mTLS)</span>
</span></span><span class="line"><span class="cl">geode serve --require-client-certificates<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --client-ca<span class="o">=</span>/etc/geode/certs/client-ca.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --verify-client-certificates<span class="o">=</span><span class="nb">true</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Allow specific client certificates only</span>
</span></span><span class="line"><span class="cl">geode serve --client-cert-allowlist<span class="o">=</span>/etc/geode/allowed-clients.txt
</span></span></code></pre></div>
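<p>An added Go example, not Geode's code, of the policy the TLS and mTLS flags above express, written against the standard library's <code>crypto/tls</code>: the server accepts TLS 1.3 only and requires a client certificate that chains to a dedicated client CA. The CA names, the hostname <code>geode.example.com</code>, the client name <code>analytics-worker-01</code> and the loopback listener are assumptions made for the example, and the mapping from Geode's flags to Go's <code>tls.Config</code> fields is the author's reading of those flags, not Geode's implementation. The server's verdict is what gets checked, because a TLS 1.3 client considers its own handshake complete before the server has examined its certificate.</p>

```go
package main
// Added example, not Geode's code: the Go tls.Config behind the page's flags
// (TLS 1.3 only, client certificate verified against a separate client CA).

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints an in-memory P-256 certificate: a self-signed CA when parent is
// nil, otherwise a server/client-auth leaf signed by parent.
func issue(name string, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // TLS clients match the SAN, not the CN
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// ServerConfig is the Go form of --tls-min-version=1.3 --tls-max-version=1.3
// --require-client-certificates=true --client-ca=<clientCA>.
func ServerConfig(server, clientCA *tls.Certificate) *tls.Config {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{*server},
		MinVersion:   tls.VersionTLS13,
		MaxVersion:   tls.VersionTLS13,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    x509.NewCertPool(),
	}
	cfg.ClientCAs.AddCert(clientCA.Leaf)
	return cfg
}

// handshake runs one client against a one-shot loopback server and returns the
// server's verdict; the client side is not the one to check (see lead-in).
func handshake(server, client *tls.Config) (tls.ConnectionState, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go func() {
		if conn, err := tls.Dial("tcp", ln.Addr().String(), client); err == nil {
			conn.Read(make([]byte, 1)) // park until the server closes
			conn.Close()
		}
	}()
	srv := tls.Server(must(ln.Accept()), server)
	defer srv.Close()
	err := srv.Handshake()
	return srv.ConnectionState(), err
}

// Demo reports what to verify after enabling mTLS: the version negotiated with
// a proper client (0x0304 is TLS 1.3), the client CN the server verified, and
// that a client without a certificate and one capped at TLS 1.2 are refused.
func Demo() (version uint16, clientCN string, noCertRejected, tls12Rejected bool, err error) {
	serverCA, clientCA := issue("Geode Server CA", nil), issue("Geode Client CA", nil)
	server, client := issue("geode.example.com", serverCA), issue("analytics-worker-01", clientCA)
	cfg := ServerConfig(server, clientCA)
	good := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "geode.example.com",
		Certificates: []tls.Certificate{*client}}
	good.RootCAs.AddCert(serverCA.Leaf)
	st, err := handshake(cfg, good)
	if err == nil {
		version, clientCN = st.Version, st.PeerCertificates[0].Subject.CommonName
	}
	noCert, old := good.Clone(), good.Clone() // same trust, two defects
	noCert.Certificates, old.MaxVersion = nil, tls.VersionTLS12
	_, e1 := handshake(cfg, noCert)
	_, e2 := handshake(cfg, old)
	noCertRejected, tls12Rejected = e1 != nil, e2 != nil
	return
}
```

<p>The same three checks are worth running against a real Geode endpoint after turning the flags on: a properly enrolled client connects, a client that offers no certificate is refused at the handshake, and a client capped at TLS 1.2 is refused rather than quietly downgraded.</p>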
<h4 id="certificate-management" class="position-relative d-flex align-items-center group">
<span>Certificate Management</span>
</h4><p>Generate and manage TLS certificates. List every hostname and address clients will connect with under <code>--san</code>, when generating a CSR as well: TLS clients validate the server name against subjectAltName and ignore the common name.</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate self-signed certificate for development</span>
</span></span><span class="line"><span class="cl">geode cert-gen --output-dir<span class="o">=</span>/etc/geode/certs <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --common-name<span class="o">=</span>geode.example.com <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --san<span class="o">=</span>DNS:geode.example.com,DNS:localhost,IP:127.0.0.1
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Generate certificate signing request for production</span>
</span></span><span class="line"><span class="cl">geode cert-gen --csr-only <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>/etc/geode/certs/geode.csr <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --common-name<span class="o">=</span>geode.production.example.com
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Certificate rotation</span>
</span></span><span class="line"><span class="cl">geode cert-rotate --new-cert<span class="o">=</span>/etc/geode/certs/new-cert.crt <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --new-key<span class="o">=</span>/etc/geode/certs/new-key.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --graceful<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --overlap-duration<span class="o">=</span>24h
</span></span></code></pre></div>
<h4 id="perfect-forward-secrecy" class="position-relative d-flex align-items-center group">
<span>Perfect Forward Secrecy</span>
</h4><p>Geode enforces perfect forward secrecy (PFS), so a later compromise of the server’s long-term private key does not expose recorded past sessions. TLS 1.3 has no static RSA or static Diffie-Hellman key exchange, so every TLS 1.3 session is forward secret by construction; the options below state the policy explicitly and matter chiefly if TLS 1.2 clients are also allowed:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># PFS is enabled by default with ECDHE key exchange</span>
</span></span><span class="line"><span class="cl">geode serve --tls-require-pfs<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --tls-key-exchange<span class="o">=</span>ecdhe-secp256r1
</span></span></code></pre></div>
<h3 id="field-level-encryption" class="position-relative d-flex align-items-center group">
<span>Field-Level Encryption</span>
</h3><p>Field-level encryption protects individual property values with a named key, so they stay opaque to anyone who can read the node but has not been granted decryption rights. The second argument to <code>encrypt</code> and <code>decrypt</code> is a key name, not key material:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Encrypt</span><span class="w"> </span><span class="py">sensitive</span><span class="w"> </span><span class="py">fields</span><span class="w"> </span><span class="py">before</span><span class="w"> </span><span class="py">storing</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">INSERT</span><span class="w"> </span><span class="p">(:</span><span class="nc">Person</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">name</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">Alice</span><span class="w"> </span><span class="py">Smith</span><span class="err">'</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">email</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">alice</span><span class="nd">@example</span><span class="err">.</span><span class="py">com</span><span class="err">'</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">ssn</span><span class="p">:</span><span class="w"> </span><span class="nc">encrypt</span><span class="p">(</span><span class="err">'</span><span class="py">123</span><span class="err">-</span><span class="py">45</span><span class="err">-</span><span class="py">6789</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">ssn</span><span class="err">-</span><span class="py">encryption</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">),</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">salary</span><span class="p">:</span><span class="w"> </span><span class="nc">encrypt</span><span class="p">(</span><span class="err">'</span><span class="py">95000</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">salary</span><span class="err">-</span><span class="py">encryption</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">})</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Decrypt</span><span class="w"> </span><span class="kd">on</span><span class="w"> </span><span class="py">retrieval</span><span class="w"> </span><span class="p">(</span><span class="py">requires</span><span class="w"> </span><span class="py">permission</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">p</span><span class="p">:</span><span class="nc">Person</span><span class="w"> </span><span class="p">{</span><span class="py">email</span><span class="p">:</span><span class="w"> </span><span class="err">'</span><span class="nc">alice</span><span class="nd">@example</span><span class="err">.</span><span class="py">com</span><span class="err">'</span><span class="p">})</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">p</span><span class="err">.</span><span class="py">name</span><span class="p">,</span><span class="w"> </span><span class="py">decrypt</span><span class="p">(</span><span class="py">p</span><span class="err">.</span><span class="py">ssn</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">ssn</span><span class="err">-</span><span class="py">encryption</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">ssn</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
<h4 id="deterministic-vs-randomized-encryption" class="position-relative d-flex align-items-center group">
<span>Deterministic vs Randomized Encryption</span>
</h4><p><strong>Deterministic Encryption</strong>: the same plaintext always produces the same ciphertext, which allows equality searches but also reveals which stored values are equal, so reserve it for fields that must be searchable:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Store</span><span class="w"> </span><span class="py">with</span><span class="w"> </span><span class="py">deterministic</span><span class="w"> </span><span class="py">encryption</span><span class="w"> </span><span class="py">for</span><span class="w"> </span><span class="py">searchability</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">INSERT</span><span class="w"> </span><span class="p">(:</span><span class="nc">Account</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">account_number</span><span class="p">:</span><span class="w"> </span><span class="nc">encrypt_deterministic</span><span class="p">(</span><span class="nv">$account_num</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">account</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">),</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">balance</span><span class="p">:</span><span class="w"> </span><span class="nc">encrypt_random</span><span class="p">(</span><span class="nv">$balance</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">balance</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">})</span><span class="err">;</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">--</span><span class="w"> </span><span class="py">Can</span><span class="w"> </span><span class="py">search</span><span class="w"> </span><span class="py">deterministically</span><span class="w"> </span><span class="py">encrypted</span><span class="w"> </span><span class="py">fields</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">MATCH</span><span class="w"> </span><span class="p">(</span><span class="py">a</span><span class="p">:</span><span class="nc">Account</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">WHERE</span><span class="w"> </span><span class="py">a</span><span class="err">.</span><span class="py">account_number</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="py">encrypt_deterministic</span><span class="p">(</span><span class="err">'</span><span class="py">1234567890</span><span class="err">'</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">account</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">RETURN</span><span class="w"> </span><span class="py">decrypt_random</span><span class="p">(</span><span class="py">a</span><span class="err">.</span><span class="py">balance</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">balance</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">)</span><span class="w"> </span><span class="py">AS</span><span class="w"> </span><span class="py">balance</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div><p><strong>Randomized Encryption</strong>: the same plaintext produces a different ciphertext each time, giving the strongest protection at the cost of searchability:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql"><span class="line"><span class="cl"><span class="err">--</span><span class="w"> </span><span class="py">Maximum</span><span class="w"> </span><span class="py">security</span><span class="p">,</span><span class="w"> </span><span class="py">no</span><span class="w"> </span><span class="py">searchability</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="py">INSERT</span><span class="w"> </span><span class="p">(:</span><span class="nc">MedicalRecord</span><span class="w"> </span><span class="p">{</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">patient_id</span><span class="p">:</span><span class="w"> </span><span class="nv">$patient_id</span><span class="p">,</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nc">diagnosis</span><span class="p">:</span><span class="w"> </span><span class="nc">encrypt_random</span><span class="p">(</span><span class="nv">$diagnosis</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">medical</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">),</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="py">notes</span><span class="p">:</span><span class="w"> </span><span class="nc">encrypt_random</span><span class="p">(</span><span class="nv">$notes</span><span class="p">,</span><span class="w"> </span><span class="err">'</span><span class="py">medical</span><span class="err">-</span><span class="py">key</span><span class="err">'</span><span class="p">)</span><span class="w">
</span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">})</span><span class="err">;</span><span class="w">
</span></span></span></code></pre></div>
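<p>The two modes in working code, as an added example that is not Geode's own implementation: AES-256-GCM with a random nonce stands in for <code>encrypt_random</code>, a keyed synthetic nonce stands in for <code>encrypt_deterministic</code>, the field name is bound as associated data, and the byte-for-byte lookup is what the <code>WHERE</code> clause above relies on. The sub-key derivation, the NUL separator and the field names are assumptions made for the example.</p>

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// FieldKey holds two sub-keys from one master secret: encKey for AES-256-GCM, nonceKey for synthetic nonces.
type FieldKey struct {
	encKey   []byte // 32 bytes, AES-256
	nonceKey []byte // 32 bytes, HMAC-SHA256 key
}

// NewFieldKey splits a master secret into labelled sub-keys (HKDF-expand style, assumed for this example).
func NewFieldKey(master []byte) FieldKey {
	return FieldKey{encKey: prf(master, []byte("enc")), nonceKey: prf(master, []byte("nonce"))}
}

func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal runs AES-256-GCM with the field name bound as associated data, so a
// blob copied into another column fails to decrypt. Layout: nonce||ct||tag.
func seal(k FieldKey, field string, nonce, plaintext []byte) ([]byte, error) {
	aead, err := gcmFor(k.encKey)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(field)), nil
}

// EncryptRandom models encrypt_random: a fresh random 96-bit nonce per call,
// so equal plaintexts yield unrelated ciphertexts and storage reveals nothing.
func EncryptRandom(k FieldKey, field string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return seal(k, field, nonce, plaintext)
}

// EncryptDeterministic models encrypt_deterministic: the nonce is a keyed PRF
// of (field, plaintext), so the same value in the same field always yields the
// same bytes and can be matched by plain equality. The nonce repeats only when
// the plaintext repeats, so GCM nonce reuse across distinct messages cannot
// occur; the price is that equal values are visible as equal ciphertexts.
// Production code should prefer a vetted deterministic AEAD such as AES-GCM-SIV.
func EncryptDeterministic(k FieldKey, field string, plaintext []byte) ([]byte, error) {
	nonce := prf(k.nonceKey, []byte(field), []byte{0}, plaintext)[:12] // NUL separates field from value
	return seal(k, field, nonce, plaintext)
}

// Decrypt serves both modes because both prefix the nonce to the blob.
func Decrypt(k FieldKey, field string, blob []byte) ([]byte, error) {
	aead, err := gcmFor(k.encKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n+aead.Overhead() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(field))
}

// FindByEncryptedEquality is the storage side of WHERE a.account_number = encrypt_deterministic(...):
// the query-side blob is compared byte-for-byte with stored blobs; nothing is decrypted on the path.
func FindByEncryptedEquality(stored [][]byte, probe []byte) []int {
	var hits []int
	for i, blob := range stored {
		if bytes.Equal(blob, probe) {
			hits = append(hits, i)
		}
	}
	return hits
}
```

<p>Run with a 32-byte master secret from your key source; the example's own tests only use a constructed one.</p>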
<h3 id="transparent-data-encryption" class="position-relative d-flex align-items-center group">
<span>Transparent Data Encryption</span>
</h3><p>Enable transparent data encryption (TDE) for automatic encryption of all data:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable TDE - all data automatically encrypted/decrypted</span>
</span></span><span class="line"><span class="cl">geode serve --transparent-encryption<span class="o">=</span>enabled <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-key-source<span class="o">=</span>hsm <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-algorithm<span class="o">=</span>aes-256-gcm
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Applications don't need to change - encryption is transparent</span>
</span></span><span class="line"><span class="cl"><span class="c1"># All data encrypted at storage layer automatically</span>
</span></span></code></pre></div><p>With TDE enabled:</p>
<ul>
<li>No application code changes required</li>
<li>All queries work normally</li>
<li>Encryption/decryption handled automatically</li>
<li>Performance impact: typically 5-10% for read/write operations</li>
</ul>
<h3 id="backup-encryption" class="position-relative d-flex align-items-center group">
<span>Backup Encryption</span>
</h3><p>Backups are encrypted separately from operational data:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Create encrypted backup</span>
</span></span><span class="line"><span class="cl">geode backup create --encryption<span class="o">=</span>enabled <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-key-source<span class="o">=</span>file:/etc/geode/keys/backup.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>/backups/geode-2026-01-24.backup
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Create backup with separate encryption key</span>
</span></span><span class="line"><span class="cl">geode backup create --encryption<span class="o">=</span>enabled <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-key-source<span class="o">=</span>aws-kms <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --kms-key-id<span class="o">=</span>arn:aws:kms:us-east-1:123456789012:key/backup-key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>s3://my-backups/geode-backup.enc
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Restore from encrypted backup</span>
</span></span><span class="line"><span class="cl">geode backup restore --input<span class="o">=</span>/backups/geode-2026-01-24.backup <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-key-source<span class="o">=</span>file:/etc/geode/keys/backup.key
</span></span></code></pre></div>
<h3 id="audit-log-encryption" class="position-relative d-flex align-items-center group">
<span>Audit Log Encryption</span>
</h3><p>Protect audit logs from unauthorized access:</p>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Encrypt audit logs</span>
</span></span><span class="line"><span class="cl">geode serve --audit-log-encryption<span class="o">=</span>enabled <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --audit-log-encryption-key<span class="o">=</span>/etc/geode/keys/audit.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --audit-log-signing<span class="o">=</span><span class="nb">true</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Decrypt audit logs for analysis</span>
</span></span><span class="line"><span class="cl">geode audit-log decrypt --input<span class="o">=</span>/var/log/geode/audit.log.enc <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --key<span class="o">=</span>/etc/geode/keys/audit.key <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>/tmp/audit.log
</span></span></code></pre></div>
<h3 id="encryption-performance" class="position-relative d-flex align-items-center group">
<span>Encryption Performance</span>
</h3><p>Encryption has minimal performance impact when hardware acceleration is available:</p>
<h4 id="hardware-acceleration" class="position-relative d-flex align-items-center group">
<span>Hardware Acceleration</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check for AES-NI support (Intel/AMD)</span>
</span></span><span class="line"><span class="cl">geode check-crypto-accel
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Output:</span>
</span></span><span class="line"><span class="cl"><span class="c1"># AES-NI: Available</span>
</span></span><span class="line"><span class="cl"><span class="c1"># AVX2: Available</span>
</span></span><span class="line"><span class="cl"><span class="c1"># SHA Extensions: Available</span>
</span></span><span class="line"><span class="cl"><span class="c1"># Estimated encryption overhead: 3-5%</span>
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Use hardware acceleration</span>
</span></span><span class="line"><span class="cl">geode serve --use-crypto-acceleration<span class="o">=</span><span class="nb">true</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --prefer-aes-ni<span class="o">=</span><span class="nb">true</span>
</span></span></code></pre></div>
<h4 id="performance-optimization" class="position-relative d-flex align-items-center group">
<span>Performance Optimization</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Tune encryption performance</span>
</span></span><span class="line"><span class="cl">geode serve --encryption-cache-size<span class="o">=</span>1GB <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-parallel-threads<span class="o">=</span><span class="m">4</span> <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --encryption-batch-size<span class="o">=</span>4MB
</span></span></code></pre></div><p>Typical performance impact:</p>
<ul>
<li>Encryption at rest: 3-7% throughput reduction</li>
<li>Encryption in transit: 1-3% throughput reduction with TLS 1.3</li>
<li>Field-level encryption: 10-15% for encrypted fields only</li>
<li>Transparent encryption: 5-10% overall system throughput</li>
</ul>
<h3 id="compliance-and-standards" class="position-relative d-flex align-items-center group">
<span>Compliance and Standards</span>
</h3><p>Geode’s encryption meets requirements for:</p>
<ul>
<li><strong>FIPS 140-2</strong>: Use FIPS-validated cryptographic modules</li>
<li><strong>PCI DSS</strong>: Strong cryptography for payment data</li>
<li><strong>HIPAA</strong>: Encryption of electronic protected health information</li>
<li><strong>GDPR</strong>: State-of-the-art encryption for personal data</li>
</ul>
<div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Enable FIPS mode for compliance</span>
</span></span><span class="line"><span class="cl">geode serve --fips-mode<span class="o">=</span>enabled <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --crypto-library<span class="o">=</span>fips-validated <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --enforce-fips-algorithms<span class="o">=</span><span class="nb">true</span>
</span></span></code></pre></div>
<h3 id="key-management-best-practices" class="position-relative d-flex align-items-center group">
<span>Key Management Best Practices</span>
</h3><ol>
<li><strong>Never Store Keys in Code</strong>: Use environment variables, HSM, or KMS</li>
<li><strong>Rotate Keys Regularly</strong>: Master keys quarterly, data keys annually</li>
<li><strong>Separate Key Responsibilities</strong>: Different keys for different purposes</li>
<li><strong>Backup Keys Securely</strong>: Store backup keys separately from backups</li>
<li><strong>Monitor Key Access</strong>: Log all key access and rotation events</li>
<li><strong>Use HSM for Production</strong>: Hardware security modules for master keys</li>
<li><strong>Test Recovery</strong>: Regularly test key recovery procedures</li>
<li><strong>Document Procedures</strong>: Maintain clear documentation for key management</li>
<li><strong>Principle of Least Privilege</strong>: Limit key access to necessary personnel only</li>
<li><strong>Key Destruction</strong>: Securely destroy old keys after rotation</li>
</ol>
<h3 id="troubleshooting" class="position-relative d-flex align-items-center group">
<span>Troubleshooting</span>
</h3>
<h4 id="decryption-failures" class="position-relative d-flex align-items-center group">
<span>Decryption Failures</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check encryption status</span>
</span></span><span class="line"><span class="cl">geode encryption-status
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Verify key availability</span>
</span></span><span class="line"><span class="cl">geode key-verify --key-source<span class="o">=</span>hsm
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Test decryption</span>
</span></span><span class="line"><span class="cl">geode test-decrypt --key-source<span class="o">=</span>file:/etc/geode/keys/master.key
</span></span></code></pre></div>
<h4 id="performance-issues" class="position-relative d-flex align-items-center group">
<span>Performance Issues</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check if hardware acceleration is working</span>
</span></span><span class="line"><span class="cl">geode check-crypto-accel --verbose
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Profile encryption overhead</span>
</span></span><span class="line"><span class="cl">geode profile --component<span class="o">=</span>encryption <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --duration<span class="o">=</span>60s <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --output<span class="o">=</span>encryption-profile.json
</span></span></code></pre></div>
<h4 id="key-rotation-issues" class="position-relative d-flex align-items-center group">
<span>Key Rotation Issues</span>
</h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Check rotation status</span>
</span></span><span class="line"><span class="cl">geode key-rotate --status --verbose
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Resume interrupted rotation</span>
</span></span><span class="line"><span class="cl">geode key-rotate --resume <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --rotation-id<span class="o">=</span>rot_abc123
</span></span><span class="line"><span class="cl">
</span></span><span class="line"><span class="cl"><span class="c1"># Roll back failed rotation</span>
</span></span><span class="line"><span class="cl">geode key-rotate --rollback <span class="se">\
</span></span></span><span class="line"><span class="cl"><span class="se"></span> --rotation-id<span class="o">=</span>rot_abc123
</span></span></code></pre></div>
<h3 id="related-topics" class="position-relative d-flex align-items-center group">
<span>Related Topics</span>
</h3><ul>
<li><a href="/tags/compliance/">Compliance</a> - Regulatory compliance requirements</li>
<li><a href="/tags/audit-logging/">Audit Logging</a> - Comprehensive security audit trails</li>
<li><a href="/tags/row-level-security/">Row-Level Security</a> - Fine-grained access control</li>
<li><a href="/tags/configuration/">Configuration</a> - Security configuration best practices</li>
<li><a href="/tags/connections/">Connections</a> - Secure connection management</li>
<li><a href="/docs/security/overview/">Security Overview</a> - Security documentation</li>
<li><a href="/docs/security/field-level-encryption/">Field-Level Encryption</a> - Fine-grained encryption</li>
<li><a href="/docs/security/kms-integration/">KMS Integration</a> - Key management service integration</li>
</ul>