# Encryption
| Field | Value |
|---|---|
| Document ID | ASCEND-SEC-008 |
| Version | 1.0.0 |
| Last Updated | December 19, 2025 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 8 minutes | Skill Level: Advanced
## Overview
ASCEND implements comprehensive encryption for data at rest (AES-256) and in transit (TLS 1.3). Key management uses AWS KMS with automatic rotation and supports Bring Your Own Key (BYOK) for enterprise customers.
## Encryption Architecture

```
+---------------------------------------------------------------------------+
|                          ENCRYPTION ARCHITECTURE                          |
+---------------------------------------------------------------------------+
|                                                                           |
|  DATA IN TRANSIT                                                          |
|  +---------------------------------------------------------------------+  |
|  |                                                                     |  |
|  |   CLIENT <------ TLS 1.3 ------> ASCEND API                         |  |
|  |                                                                     |  |
|  |   - Perfect Forward Secrecy (PFS)                                   |  |
|  |   - Certificate pinning available                                   |  |
|  |   - HSTS enforced                                                   |  |
|  |   - Minimum TLS 1.2 (1.3 preferred)                                 |  |
|  |                                                                     |  |
|  +---------------------------------------------------------------------+  |
|                                                                           |
|  DATA AT REST                                                             |
|  +---------------------------------------------------------------------+  |
|  |                                                                     |  |
|  |   DATABASE STORAGE                                                  |  |
|  |   +---------------------------+   +---------------------------+     |  |
|  |   | PostgreSQL RDS            |   | S3 Buckets                |     |  |
|  |   | - AES-256-GCM             |   | - SSE-KMS                 |     |  |
|  |   | - KMS-managed keys        |   | - Bucket encryption       |     |  |
|  |   | - Automatic rotation      |   | - Object-level keys       |     |  |
|  |   +---------------------------+   +---------------------------+     |  |
|  |                                                                     |  |
|  |   FIELD-LEVEL ENCRYPTION                                            |  |
|  |   +---------------------------+                                     |  |
|  |   | PII Fields                |                                     |  |
|  |   | - API key hashes          |                                     |  |
|  |   | - Sensitive parameters    |                                     |  |
|  |   | - Personal identifiers    |                                     |  |
|  |   +---------------------------+                                     |  |
|  |                                                                     |  |
|  +---------------------------------------------------------------------+  |
|                                                                           |
+---------------------------------------------------------------------------+
```
## Data in Transit

### TLS Configuration

```python
# TLS 1.3 with strong ciphers (the suite names below are the TLS 1.3 identifiers)
TLS_CONFIG = {
    "min_version": "TLS 1.2",
    "preferred_version": "TLS 1.3",
    "ciphers": [
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256"
    ],
    "pfs_required": True
}
```
### HSTS Headers

```python
# Source: security/enterprise_security.py:615
SECURITY_HEADERS = {
    # one year, applied to all subdomains
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
}
```
### Certificate Validation

```python
# SDK validates server certificates
client = AscendClient(
    api_key="owkai_...",
    verify_ssl=True,                     # Always enabled in production
    ca_bundle="/path/to/ca-bundle.crt"   # Optional custom CA
)
```
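The transport posture described in this section (TLS 1.2 floor, certificate and hostname verification, an optional private CA bundle, and the one-year HSTS policy) can be checked from the client side. The following is an added example written for this page, not the ASCEND SDK; the `ssl` context it builds is what a `verify_ssl=True` client is expected to behave like, and the HSTS checker is run against the header value shown above.

```python
import ssl
from typing import Optional

# Added example, not the ASCEND SDK. build_tls_context() produces the client
# posture the SDK snippet implies; parse_hsts()/hsts_meets_policy() validate a
# Strict-Transport-Security header against the documented one-year policy.


def build_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context: verify certificates, check hostnames, refuse TLS < 1.2."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and check_hostname by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        # Private CA bundle, e.g. for a pinned internal CA (path is caller-supplied)
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    return ctx


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797 directives)."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            parsed["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def hsts_meets_policy(header: str, min_age_seconds: int = 31536000) -> bool:
    """True when max-age is at least one year and subdomains are covered."""
    hsts = parse_hsts(header)
    return (hsts["max_age"] is not None
            and hsts["max_age"] >= min_age_seconds
            and hsts["include_subdomains"])


if __name__ == "__main__":
    ctx = build_tls_context()
    print("min TLS:", ctx.minimum_version.name, "verify:", ctx.verify_mode.name)
    print("HSTS ok:", hsts_meets_policy("max-age=31536000; includeSubDomains"))
```

A header such as `max-age=300; includeSubDomains` parses fine but fails `hsts_meets_policy`, which is the case a deployment check should catch: a short max-age leaves a window in which a downgraded first request is accepted.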
## Data at Rest

### Database Encryption

```python
# PostgreSQL RDS encryption configuration
RDS_ENCRYPTION = {
    "storage_encrypted": True,
    "kms_key_id": "arn:aws:kms:us-east-2:...",
    "encryption_algorithm": "AES-256-GCM",
    "key_rotation": True,
    "rotation_period_days": 365
}
```
### S3 Bucket Encryption

```python
# S3 server-side encryption
S3_ENCRYPTION = {
    "encryption_type": "SSE-KMS",
    "kms_key_id": "arn:aws:kms:us-east-2:...",
    "bucket_key_enabled": True
}
```
## API Key Encryption

### Hash-Based Storage

```python
# Source: models_api_keys.py:23
# Imports, Base, __tablename__ and the id column are not shown in the source
# excerpt and are supplied here so the model is complete.
from sqlalchemy import Column, Integer, String
from sqlalchemy.orm import declarative_base

Base = declarative_base()


class ApiKey(Base):
    """API keys are NEVER stored in plaintext."""
    __tablename__ = "api_keys"

    id = Column(Integer, primary_key=True)
    # Cryptographic storage
    key_hash = Column(String(64))  # SHA-256 hex digest (64 chars)
    salt = Column(String(32))      # Random 128-bit salt per key, hex encoded
    prefix = Column(String(32))    # Non-secret prefix kept for lookup
    # Generation process:
    # 1. Generate random key with 256-bit entropy
    # 2. Generate random 128-bit salt
    # 3. key_hash = SHA-256(key + salt)
    # 4. Store only: key_hash, salt, prefix
```
### Key Generation

```python
# Source: routes/api_key_routes.py:144
import hashlib
import secrets


def generate_cryptographic_key(role: str) -> tuple:
    """Generate cryptographically secure API key."""
    # 256-bit entropy
    raw_key = secrets.token_urlsafe(32)
    # Role prefix
    full_key = f"owkai_{role}_" + raw_key
    # Non-secret lookup prefix stored with the hash. The source excerpt does not
    # show how key_prefix is derived; role prefix plus 8 key characters is assumed.
    key_prefix = full_key[: len(f"owkai_{role}_") + 8]
    # Generate salt and hash
    salt = secrets.token_hex(16)
    key_hash = hashlib.sha256((full_key + salt).encode()).hexdigest()
    return full_key, key_prefix, key_hash, salt
```
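The storage model and generation routine above only show the issuing side. The following added example (written for this page, not ASCEND's code) carries the same scheme through to verification: the full key is returned once, only `(prefix, key_hash, salt)` is retained, and a presented key is checked by recomputing the salted SHA-256 and comparing it in constant time. The 8-character prefix length and the in-memory record list are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Added example, not the ASCEND code base. Record layout (prefix, key_hash,
# salt) follows the ApiKey model above; PREFIX_CHARS and the in-memory record
# list stand in for details the page does not specify.
PREFIX_CHARS = 8


def issue_api_key(role: str) -> dict:
    """Create a key; the full key is returned once and never stored."""
    raw_key = secrets.token_urlsafe(32)                   # 256-bit entropy
    full_key = f"owkai_{role}_{raw_key}"
    salt = secrets.token_hex(16)                          # 128-bit salt, 32 hex chars
    key_hash = hashlib.sha256((full_key + salt).encode()).hexdigest()
    record = {
        "prefix": full_key[: len(f"owkai_{role}_") + PREFIX_CHARS],
        "key_hash": key_hash,
        "salt": salt,
    }
    return {"full_key": full_key, "record": record}


def verify_api_key(presented: str, records: List[dict]) -> Optional[dict]:
    """Narrow by the non-secret prefix, then recompute and compare the salted hash.

    hmac.compare_digest keeps comparison time independent of where the two
    digests first differ, so a wrong key reveals nothing about the stored hash.
    """
    for record in records:
        if not presented.startswith(record["prefix"]):
            continue
        digest = hashlib.sha256((presented + record["salt"]).encode()).hexdigest()
        if hmac.compare_digest(digest, record["key_hash"]):
            return record
    return None


if __name__ == "__main__":
    issued = issue_api_key("admin")
    table = [issued["record"]]
    print("stored:", issued["record"])
    print("valid key accepted:", verify_api_key(issued["full_key"], table) is not None)
    print("unknown key accepted:", verify_api_key("owkai_admin_bogus", table) is not None)
```

Because the key itself carries 256 bits of entropy, a single salted SHA-256 is sufficient here; the slow, work-factored hashing the Sensitive Fields table reserves for user passwords (bcrypt) is needed when the input is low-entropy, not for machine-generated keys.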
## Field-Level Encryption

### Sensitive Fields
| Field | Encryption | Method |
|---|---|---|
| API key hash | SHA-256 | Hash with salt |
| User passwords | bcrypt | Hash with salt |
| PII fields | AES-256-GCM | Symmetric encryption |
| Secrets | KMS | Envelope encryption |
### Envelope Encryption

```python
# Envelope encryption for secrets
# boto3 returns GenerateDataKey results as a dict ("Plaintext", "CiphertextBlob");
# the aes_encrypt helper was not shown in the source excerpt and is supplied here.
import os

import boto3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

kms = boto3.client("kms")


def aes_encrypt(plaintext: str, key: bytes) -> bytes:
    """AES-256-GCM with a fresh 96-bit nonce prepended to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext.encode(), None)


def encrypt_secret(plaintext: str, kms_key_id: str) -> dict:
    """Encrypt using envelope encryption."""
    # 1. Generate a 256-bit data key from KMS (plaintext copy + KMS-wrapped copy)
    data_key = kms.generate_data_key(KeyId=kms_key_id, KeySpec="AES_256")
    # 2. Encrypt data with the plaintext data key (AES-256-GCM)
    ciphertext = aes_encrypt(plaintext, data_key["Plaintext"])
    # 3. Return encrypted data key + ciphertext; the plaintext data key is discarded
    return {
        "encrypted_key": data_key["CiphertextBlob"],
        "ciphertext": ciphertext,
        "algorithm": "AES-256-GCM"
    }
```
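The snippet above shows only the encrypt direction and depends on a live KMS endpoint. The following added example (not the ASCEND implementation) runs the full envelope round trip offline: a `LocalKMS` class stands in for KMS `GenerateDataKey`/`Decrypt` so that the master key never leaves it, each secret gets its own data key, and `decrypt_secret` refuses an envelope whose wrapped key or payload has been altered. It requires the `cryptography` package; the key ARN is a constructed placeholder.

```python
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Added example, not the ASCEND implementation. LocalKMS is an assumption that
# replaces AWS KMS so the block runs offline; it wraps data keys under a master
# key that is never exposed, which is the property a KMS-backed key provides.


class LocalKMS:
    """Stand-in for KMS GenerateDataKey / Decrypt (assumption, not AWS code)."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._master_key = AESGCM.generate_key(bit_length=256)

    def generate_data_key(self) -> dict:
        data_key = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        # The key id is bound as associated data, in the spirit of a KMS
        # encryption context: a blob wrapped under one key id will not unwrap
        # under another.
        wrapped = AESGCM(self._master_key).encrypt(nonce, data_key, self.key_id.encode())
        return {"Plaintext": data_key, "CiphertextBlob": nonce + wrapped}

    def decrypt(self, ciphertext_blob: bytes) -> bytes:
        nonce, wrapped = ciphertext_blob[:12], ciphertext_blob[12:]
        return AESGCM(self._master_key).decrypt(nonce, wrapped, self.key_id.encode())


def encrypt_secret(plaintext: str, kms: LocalKMS) -> dict:
    """Envelope-encrypt: one fresh data key per secret, persisted only in wrapped form."""
    data_key = kms.generate_data_key()
    nonce = os.urandom(12)
    ciphertext = AESGCM(data_key["Plaintext"]).encrypt(nonce, plaintext.encode(), None)
    # data_key["Plaintext"] is dropped here; only the wrapped copy is stored.
    return {
        "encrypted_key": data_key["CiphertextBlob"],
        "nonce": nonce,
        "ciphertext": ciphertext,
        "algorithm": "AES-256-GCM",
    }


def decrypt_secret(envelope: dict, kms: LocalKMS) -> Optional[str]:
    """Unwrap the data key through KMS, then decrypt locally.

    Returns None when either GCM tag fails, i.e. the wrapped key or the
    payload was altered, or the wrong KMS key was used.
    """
    try:
        data_key = kms.decrypt(envelope["encrypted_key"])
        plaintext = AESGCM(data_key).decrypt(envelope["nonce"], envelope["ciphertext"], None)
    except InvalidTag:
        return None
    return plaintext.decode()


if __name__ == "__main__":
    # Constructed placeholder ARN, not a real key
    kms = LocalKMS("arn:aws:kms:us-east-2:000000000000:key/EXAMPLE")
    env = encrypt_secret("db-password", kms)
    print("round trip:", decrypt_secret(env, kms))
```

Two things the round trip makes visible: encrypting the same secret twice yields different wrapped keys and ciphertexts, so stored envelopes cannot be matched by equality, and rotating the master key in KMS does not require re-encrypting payloads, only re-wrapping the small data keys.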
## Key Management

### AWS KMS Integration

```python
# KMS key configuration
KMS_CONFIG = {
    "master_key_arn": "arn:aws:kms:us-east-2:...:key/...",
    "key_rotation": True,
    "rotation_period_days": 365,
    "key_policy": {
        "principals": ["arn:aws:iam::...:role/ascend-app"],
        "actions": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]
    }
}
```
### Key Rotation

```python
# Automatic key rotation
{
    "rotation_enabled": True,
    "rotation_period_days": 365,
    "retain_old_keys": True,
    "old_key_retention_days": 90
}
```
## Bring Your Own Key (BYOK)

### Customer-Managed Keys

```bash
# Configure customer KMS key
curl -X POST "https://pilot.owkai.app/api/byok/configure" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "kms_key_arn": "arn:aws:kms:us-east-2:CUSTOMER_ACCOUNT:key/...",
    "description": "Customer-managed encryption key"
  }'
```
### BYOK Requirements
| Requirement | Description |
|---|---|
| Key Type | Symmetric (AES-256) |
| Key Usage | Encrypt/Decrypt |
| Cross-Account Access | Required for ASCEND access |
| Key Rotation | Customer-managed |
### Cross-Account Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowASCENDAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ASCEND_ACCOUNT:role/ascend-app"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    }
  ]
}
```
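The cross-account policy above is the minimum the BYOK requirements call for: one named role, three actions. A customer writing this statement by hand can widen it by accident (a `"*"` principal, or `kms:*` in place of the three actions), and a key policy is not something to discover was too broad after the fact. The following added example (written for this page, not ASCEND tooling) checks a policy document before it is submitted via `/api/byok/configure`: it returns no findings for the documented statement and flags wildcard principals, wildcard or extra actions, and missing required actions. Both sample policies are constructed; the role ARN is the page's own placeholder.

```python
import json
from typing import List

# Added example, not ASCEND tooling. Validates the statement(s) that grant the
# ASCEND role access to a customer-managed KMS key. Sample policies below are
# constructed for this example; ASCEND_ROLE is the page's placeholder ARN.

ASCEND_ROLE = "arn:aws:iam::ASCEND_ACCOUNT:role/ascend-app"
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}

# The statement documented above.
DOCUMENTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowASCENDAccess",
        "Effect": "Allow",
        "Principal": {"AWS": ASCEND_ROLE},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
    }],
})

# Over-broad variant: any AWS principal may decrypt, and ASCEND gets every action.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnyoneDecrypts", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
        {"Sid": "ASCENDAdmin", "Effect": "Allow", "Principal": {"AWS": ASCEND_ROLE},
         "Action": "kms:*", "Resource": "*"},
    ],
})


def _as_list(value) -> list:
    """IAM accepts either a single string or a list in Principal and Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_byok_policy(policy_json: str, ascend_role_arn: str) -> List[str]:
    """Return findings about what the policy grants the ASCEND role; [] means clean."""
    findings: List[str] = []
    granted = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in principals:
            findings.append(f"{sid}: wildcard principal exposes the key to every AWS account")
            continue
        if ascend_role_arn not in principals:
            continue  # grants to other principals (e.g. the key owner) are out of scope
        actions = set(_as_list(stmt.get("Action")))
        for action in sorted(actions):
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
        extra = sorted(a for a in actions - REQUIRED_ACTIONS if not a.endswith("*"))
        if extra:
            findings.append(f"{sid}: actions beyond the documented set: {extra}")
        granted |= actions
    missing = REQUIRED_ACTIONS - granted
    if missing and not any(a.endswith("*") for a in granted):
        findings.append(f"ASCEND role lacks required actions: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    print("documented:", check_byok_policy(DOCUMENTED_POLICY, ASCEND_ROLE))
    print("over-broad:", check_byok_policy(OVERLY_BROAD_POLICY, ASCEND_ROLE))
```

`"Resource": "*"` is left alone on purpose: inside a KMS key policy it can only refer to the key the policy is attached to, so it is not a widening. The check deliberately ignores statements for principals other than the ASCEND role, since what the key owner grants itself is the customer's concern, not a BYOK requirement.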
## Compliance Mapping
| Standard | Requirement | Implementation |
|---|---|---|
| PCI-DSS 3.4 | Data at rest | AES-256 encryption |
| PCI-DSS 4.1 | Data in transit | TLS 1.3 |
| HIPAA 164.312(a)(2)(iv) | Encryption | AES-256 + KMS |
| SOC 2 CC6.7 | Data protection | Encryption controls |
| NIST SP 800-57 | Key management | KMS rotation |
## Best Practices

1. Enforce TLS

   ```python
   # Always verify TLS in production
   client = AscendClient(
       api_key="owkai_...",
       verify_ssl=True
   )
   ```

2. Rotate Keys Regularly

   ```python
   # Enable automatic rotation
   {
       "key_rotation": True,
       "rotation_period_days": 365
   }
   ```

3. Use Field-Level Encryption for PII

   ```python
   # Encrypt sensitive fields
   {
       "encrypted_fields": ["ssn", "account_number", "date_of_birth"]
   }
   ```

4. Monitor Key Usage

   ```python
   # Audit key access
   {
       "cloudtrail_logging": True,
       "key_usage_metrics": True
   }
   ```
## Next Steps
- Data Protection — Data masking and tokenization
- Multi-Tenancy — Tenant isolation
- Audit Compliance — Encryption audit
Document Version: 1.0.0 | Last Updated: December 2025