AIIA implements encryption at multiple layers to protect audit data both at rest and in transit.
Data in Transit
| Protocol | Usage | Details |
|---|---|---|
| TLS 1.3 | All HTTP traffic | Frontend ↔ Backend, API calls |
| TLS 1.2+ | Keycloak SSO | OIDC token exchange |
| TLS | Database connections | PostgreSQL with SSL mode |
| TLS | Redis connections | Cache communication |
| HTTPS | MinIO storage | Object storage access |
Data at Rest
Database
- PostgreSQL supports Transparent Data Encryption (TDE) at the storage level
- Column-level encryption available for sensitive fields
API Keys (AI Models)
- API keys for AI providers are encrypted using AES-256-GCM
- Encryption key: SECRET_ENCRYPTION_KEY environment variable
- Keys are never returned in full — displayed as •••••{last4}
- Encryption happens server-side before database storage
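
The API-key handling listed above, sketched with Node's built-in crypto module as an added example; it is not AIIA's own code. The base64 key encoding, the `v1.<nonce>.<tag>.<ciphertext>` blob layout, the use of a record id as AAD, the short-key masking rule and all function names are assumptions.

```javascript
// Added example, not AIIA's code; names, blob layout and key encoding are assumptions.
const nodeCrypto = require('node:crypto');

// Load the AES-256 key from SECRET_ENCRYPTION_KEY (assumed base64 of 32 random bytes).
function loadKey(env = process.env) {
  const key = Buffer.from(env.SECRET_ENCRYPTION_KEY || '', 'base64');
  if (key.length !== 32) throw new Error('SECRET_ENCRYPTION_KEY must decode to 32 bytes');
  return key;
}

// Encrypt server-side before the value reaches the database.
// recordId is bound as AAD, so a blob copied onto another row fails authentication.
function encryptApiKey(plaintext, recordId, key) {
  const nonce = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(recordId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const parts = [nonce, cipher.getAuthTag(), ct].map((b) => b.toString('base64'));
  return ['v1', ...parts].join('.'); // assumed layout: v1.<nonce>.<tag>.<ciphertext>
}

function decryptApiKey(blob, recordId, key) {
  const [version, nonce, tag, ct] = blob.split('.');
  if (version !== 'v1' || ct === undefined) throw new Error('malformed blob');
  const tagBuf = Buffer.from(tag, 'base64');
  if (tagBuf.length !== 16) throw new Error('truncated authentication tag');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(nonce, 'base64'));
  d.setAAD(Buffer.from(recordId, 'utf8'));
  d.setAuthTag(tagBuf);
  // final() throws if the ciphertext, nonce, tag or recordId was altered.
  return Buffer.concat([d.update(Buffer.from(ct, 'base64')), d.final()]).toString('utf8');
}

// Display form for API responses: bullets plus the last four characters.
// Assumption: keys shorter than 8 characters show no suffix at all.
function maskApiKey(plaintext) {
  return '•••••' + (plaintext.length >= 8 ? plaintext.slice(-4) : '');
}

// Constructed sample values; not a real key or provider secret.
function demo() {
  const key = loadKey({ SECRET_ENCRYPTION_KEY: Buffer.alloc(32, 7).toString('base64') });
  const stored = encryptApiKey('sk-constructed-sample-9f3a', 'model-42', key);
  return { stored, shown: maskApiKey(decryptApiKey(stored, 'model-42', key)) };
}
```

Storing a version prefix in the blob lets a later rotation of SECRET_ENCRYPTION_KEY re-encrypt rows incrementally while old blobs remain identifiable.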
Object Storage (MinIO)
- Server-Side Encryption (SSE) enabled
- Evidence files are encrypted at rest
- Bucket-level encryption policies
Evidence Files
- File hash (SHA-256) computed at upload time
- Hash stored with evidence metadata for integrity verification
- Chain-of-custody maintained (uploader, timestamps, hash)
Key Management
| Key | Purpose | Storage |
|---|---|---|
| SECRET_ENCRYPTION_KEY | AI API key encryption | Environment variable |
| JWT_SECRET | Session token signing | Environment variable |
| MinIO keys | Object storage auth | Environment variable |
| PostgreSQL SSL cert | Database connection | File system |
Security Best Practices
- Rotate SECRET_ENCRYPTION_KEY periodically
- Use strong passwords (minimum 16 characters)
- Enable PostgreSQL SSL in production
- Use a secrets manager (HashiCorp Vault, AWS Secrets Manager) for production deployments
- Never store encryption keys in code or version control