Encryption Process

1. Key Generation: Encryption keys are derived from secure environment variables using SHA-256 hashing
2. Initialization Vector (IV): Each encryption operation uses a unique, randomly generated 16-byte IV
3. Authentication Tag: GCM mode provides built-in authentication to detect tampering
4. Storage Format: Encrypted data is stored in the format: IV:encryptedData:authTag

Key Management

1. Production Requirements: Production environments require a secure, hex-encoded 32-byte encryption key
2. Key Storage: Encryption keys are stored separately from encrypted data in secure environment variables
3. Key Rotation: Encryption keys can be rotated following secure procedures
4. Key Access: Encryption keys are only accessible to the application and are never exposed in logs or error messages

Sensitive Data Encryption

1. Algorithm: AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode)
2. What's Encrypted: All sensitive credentials, including:
   - AWS access keys and secret keys
   - GCP service account credentials
   - Azure client IDs and client secrets
   - GitHub/GitLab/Bitbucket access tokens
   - Docker Hub credentials
   - Wazuh API keys and passwords
   - Database passwords and authentication tokens