Encryption
| Field | Value |
|---|---|
| Document ID | ASCEND-SEC-008 |
| Version | 2026.04 |
| Last Updated | April 2026 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |
Reading Time: 8 minutes | Skill Level: Advanced
Overview
ASCEND encrypts data at rest with AES-256 and data in transit with TLS (1.3 preferred, 1.2 minimum). Keys are held in AWS KMS with automatic rotation, and enterprise customers can supply their own KMS key (Bring Your Own Key, BYOK) so that revoking the key revokes ASCEND's access to their data.
Fail-Secure Behavior
If a customer-managed KMS key is unavailable, revoked, or returns an error, ASCEND blocks all operations requiring that key. Data is never written or read without confirmed encryption. There is no plaintext fallback path.
Encryption Architecture
+----------------------------------------------------------------------+
|                       ENCRYPTION ARCHITECTURE                        |
+----------------------------------------------------------------------+
|                                                                      |
|  DATA IN TRANSIT                                                     |
|  +----------------------------------------------------------------+  |
|  |  CLIENT <------ TLS 1.3 ------> ASCEND API                     |  |
|  |                                                                |  |
|  |  - Perfect Forward Secrecy (PFS)                               |  |
|  |  - Certificate pinning available                               |  |
|  |  - HSTS enforced                                               |  |
|  |  - Minimum TLS 1.2 (1.3 preferred)                             |  |
|  +----------------------------------------------------------------+  |
|                                                                      |
|  DATA AT REST                                                        |
|  +----------------------------------------------------------------+  |
|  |  DATABASE STORAGE                                              |  |
|  |  +---------------------------+  +---------------------------+  |  |
|  |  | PostgreSQL RDS            |  | S3 Buckets                |  |  |
|  |  | - AES-256                 |  | - SSE-KMS                 |  |  |
|  |  | - KMS-managed keys        |  | - Bucket encryption       |  |  |
|  |  | - Automatic rotation      |  | - Object-level keys       |  |  |
|  |  +---------------------------+  +---------------------------+  |  |
|  |                                                                |  |
|  |  FIELD-LEVEL ENCRYPTION                                        |  |
|  |  +---------------------------+                                 |  |
|  |  | PII Fields                |                                 |  |
|  |  | - API key hashes          |                                 |  |
|  |  | - Sensitive parameters    |                                 |  |
|  |  | - Personal identifiers    |                                 |  |
|  |  +---------------------------+                                 |  |
|  +----------------------------------------------------------------+  |
|                                                                      |
+----------------------------------------------------------------------+
Data in Transit
TLS Configuration
# TLS 1.3 with strong ciphers
TLS_CONFIG = {
    "min_version": "TLS 1.2",
    "preferred_version": "TLS 1.3",
    # TLS 1.3 cipher suites: all AEAD, and TLS 1.3 key exchange is always ephemeral
    "ciphers": [
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_AES_128_GCM_SHA256"
    ],
    # The suite names above are TLS 1.3-only. A client that negotiates TLS 1.2
    # is restricted to ECDHE suites so that forward secrecy still holds.
    "pfs_required": True
}
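TLS_CONFIG describes policy; it is not something the TLS stack consumes directly. The following is an added example (not ASCEND's SDK code) of a client-side ssl.SSLContext that enforces that policy: a TLS 1.2 floor, chain and hostname verification, and, because the TLS_* suite names only exist in TLS 1.3, an ECDHE-only cipher string for TLS 1.2 so forward secrecy survives a downgrade. The cipher string and helper names are assumptions.

```python
# Added example, not ASCEND's SDK: enforce TLS_CONFIG's policy on a Python client.
import ssl
from typing import Optional

# Governs TLS 1.2 only (TLS 1.3 suites are selected separately and are always PFS).
# Only ECDHE key exchange is allowed; static-RSA, PSK, NULL and legacy suites are excluded.
TLS12_PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!MD5:!RC4:!3DES"


def build_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Client context: CA/hostname verification on, TLS 1.2 floor, PFS-only 1.2 suites."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(TLS12_PFS_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION  # never compress before encrypting (CRIME)
    return ctx


def posture(ctx: ssl.SSLContext) -> dict:
    """Summarise what the context can negotiate; suitable as a startup self-check."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": ctx.check_hostname,
        # TLS 1.3 suites are named TLS_*; every acceptable TLS 1.2 suite starts with ECDHE-
        "pfs_only": all(n.startswith(("TLS_", "ECDHE-")) for n in names),
        # OpenSSL names static-RSA suites AES*/DES*; none should be offered
        "static_rsa_offered": any(n.startswith(("AES", "DES")) for n in names),
    }
```

Run posture(build_client_context()) once at process start and refuse to serve if pfs_only is false or min_version is below TLSv1_2; the same two settings (minimum_version and set_ciphers) apply to a server context built with ssl.PROTOCOL_TLS_SERVER.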
HSTS Headers
# Source: security/enterprise_security.py:615
SECURITY_HEADERS = {
"Strict-Transport-Security": "max-age=31536000; includeSubDomains"
}
Certificate Validation
# SDK validates server certificates
client = AscendClient(
api_key="owkai_...",
verify_ssl=True, # Always enabled in production
ca_bundle="/path/to/ca-bundle.crt" # Optional custom CA
)
Data at Rest
Database Encryption
# PostgreSQL RDS encryption configuration
RDS_ENCRYPTION = {
    "storage_encrypted": True,              # fixed at instance creation; cannot be enabled later in place
    "kms_key_id": "arn:aws:kms:us-east-2:...",
    "encryption_algorithm": "AES-256",      # block mode is chosen by the AWS storage layer, not configurable here
    "key_rotation": True,                   # KMS rotates the key material; stored data is not re-encrypted
    "rotation_period_days": 365
}
S3 Bucket Encryption
# S3 server-side encryption
S3_ENCRYPTION = {
    "encryption_type": "SSE-KMS",           # each object is encrypted under a KMS-protected data key
    "kms_key_id": "arn:aws:kms:us-east-2:...",
    "bucket_key_enabled": True              # S3 Bucket Key: far fewer KMS calls (and CloudTrail entries) per object
}
API Key Encryption
Hash-Based Storage
# Source: models_api_keys.py:23
from sqlalchemy import Column, Integer, String
from sqlalchemy.orm import declarative_base

Base = declarative_base()


class ApiKey(Base):
    """API keys are NEVER stored in plaintext."""
    __tablename__ = "api_keys"

    id = Column(Integer, primary_key=True)
    # Cryptographic storage
    key_prefix = Column(String(16))  # non-secret prefix used to locate the row (column width illustrative)
    key_hash = Column(String(64))    # SHA-256 hex digest
    salt = Column(String(32))        # random 128-bit salt per key, hex-encoded
    # Generation process:
    # 1. Generate random key with 256-bit entropy
    # 2. Generate random 128-bit salt
    # 3. key_hash = SHA-256(key + salt)
    # 4. Store only: key_hash, salt, prefix
Key Generation
# Source: routes/api_key_routes.py:144
import hashlib
import secrets


def generate_cryptographic_key(role: str) -> tuple:
    """Generate cryptographically secure API key."""
    # 256-bit entropy
    raw_key = secrets.token_urlsafe(32)
    # Role prefix
    full_key = f"owkai_{role}_" + raw_key
    # Non-secret prefix stored beside the hash so the row can be found
    # without the plaintext key (prefix length is illustrative)
    key_prefix = full_key[:12]
    # Generate salt and hash
    salt = secrets.token_hex(16)
    key_hash = hashlib.sha256((full_key + salt).encode()).hexdigest()
    return full_key, key_prefix, key_hash, salt
A fast hash is appropriate here because the key itself carries 256 bits of entropy; bcrypt is reserved for user passwords, whose entropy is low. The stored prefix is what the service uses to locate the row at verification time, and the per-key salt ensures no two records ever share a digest.
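The model and generation function above show the write side only. The following is an added example (not ASCEND's own code) of the full generate / store / verify cycle they imply: KeyStore and its row layout are a constructed in-memory stand-in for the api_keys table, and PREFIX_RANDOM_CHARS is an assumption about how much of the key is kept as the non-secret prefix.

```python
# Added example, not ASCEND's code: issue, look up, verify and revoke API keys
# while persisting only prefix, hash and salt.
import hashlib
import hmac
import secrets

PREFIX_RANDOM_CHARS = 8  # assumption: ~48 of the 256 random bits are exposed as the prefix


def hash_key(full_key: str, salt: str) -> str:
    """SHA-256(key || salt), hex. No slow KDF: the key is 256 random bits, not a password."""
    return hashlib.sha256((full_key + salt).encode()).hexdigest()


def generate_cryptographic_key(role: str):
    raw_key = secrets.token_urlsafe(32)                          # 256-bit entropy
    full_key = f"owkai_{role}_" + raw_key
    key_prefix = full_key[:len(f"owkai_{role}_") + PREFIX_RANDOM_CHARS]
    salt = secrets.token_hex(16)                                 # 128-bit salt per key
    return full_key, key_prefix, hash_key(full_key, salt), salt


class KeyStore:
    """Holds only what the ApiKey model persists: prefix, hash, salt, role, revoked flag."""

    def __init__(self):
        self.rows = []  # constructed stand-in for the api_keys table

    def issue(self, role: str) -> str:
        full_key, prefix, key_hash, salt = generate_cryptographic_key(role)
        self.rows.append({"key_prefix": prefix, "key_hash": key_hash, "salt": salt,
                          "role": role, "revoked": False})
        return full_key  # shown to the caller once; the plaintext is never written

    def _match(self, presented: str):
        """Locate the row by its non-secret prefix, then confirm with a constant-time compare."""
        for row in self.rows:
            if presented.startswith(row["key_prefix"]) and hmac.compare_digest(
                    hash_key(presented, row["salt"]), row["key_hash"]):
                return row
        return None

    def authenticate(self, presented: str):
        """Role of a valid, unrevoked key, else None."""
        row = self._match(presented)
        return row["role"] if row is not None and not row["revoked"] else None

    def revoke(self, presented: str) -> bool:
        row = self._match(presented)
        if row is None:
            return False
        row["revoked"] = True
        return True

    def leaks_plaintext(self, full_key: str) -> bool:
        """True if the raw key could be read back from the persisted columns."""
        return any(full_key in str(value) for row in self.rows for value in row.values())
```

The prefix does the indexing work, so a database dump yields prefixes and digests but no usable key, and the hmac.compare_digest call keeps verification time independent of how many leading bytes of the digest match.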
Field-Level Encryption
Sensitive Fields
| Field | Encryption | Method |
|---|---|---|
| API key hash | SHA-256 | Hash with salt |
| User passwords | bcrypt | Hash with salt |
| PII fields | AES-256-GCM | Symmetric encryption |
| Secrets | KMS | Envelope encryption |
Envelope Encryption
# Envelope encryption for secrets
import os

import boto3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

kms = boto3.client("kms")


def encrypt_secret(plaintext: str, kms_key_id: str) -> dict:
    """Encrypt using envelope encryption."""
    # 1. Generate data key from KMS: returned in plaintext and wrapped under the KMS key
    data_key = kms.generate_data_key(KeyId=kms_key_id, KeySpec="AES_256")
    # 2. Encrypt data with data key (AES-256-GCM); the nonce must be stored for decryption
    nonce = os.urandom(12)
    ciphertext = AESGCM(data_key["Plaintext"]).encrypt(nonce, plaintext.encode(), None)
    # 3. Return encrypted data key + nonce + ciphertext; the plaintext data key is discarded here
    return {
        "encrypted_key": data_key["CiphertextBlob"],
        "nonce": nonce,
        "ciphertext": ciphertext,
        "algorithm": "AES-256-GCM"
    }
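To show both halves of the envelope and the fail-secure rule stated at the top of this page, here is an added example (not ASCEND's own code) that encrypts, decrypts, and then refuses both operations once the key is disabled. FakeKms, the two exception classes and the wrapped-key blob layout are constructed stand-ins for AWS KMS; the call shapes (generate_data_key / decrypt with KeyId, Plaintext, CiphertextBlob) mirror boto3's kms client so encrypt_secret and decrypt_secret work unchanged against boto3.client("kms"). It needs the cryptography package.

```python
# Added example, not ASCEND's code: envelope encryption with no plaintext fallback.
import os
import secrets

from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class KmsKeyUnavailable(Exception):
    """KMS stand-in: the key is disabled, pending deletion or unknown."""


class EncryptionUnavailable(Exception):
    """The tenant key cannot be used; callers turn this into an error response.
    Nothing below ever returns or stores plaintext when this is raised."""


class FakeKms:
    """In-memory KMS (constructed): each key is a 256-bit master key wrapping data keys with AES-GCM."""
    KEY_ID_LEN = 16  # constructed: 16-hex-char key ids (real KMS uses UUIDs / ARNs)

    def __init__(self):
        self._keys = {}  # key_id -> {"material": bytes, "enabled": bool}

    def create_key(self) -> str:
        key_id = secrets.token_hex(self.KEY_ID_LEN // 2)
        self._keys[key_id] = {"material": AESGCM.generate_key(256), "enabled": True}
        return key_id

    def disable_key(self, KeyId: str) -> None:
        self._keys[KeyId]["enabled"] = False

    def enable_key(self, KeyId: str) -> None:
        self._keys[KeyId]["enabled"] = True

    def _material(self, key_id: str) -> bytes:
        entry = self._keys.get(key_id)
        if entry is None or not entry["enabled"]:
            raise KmsKeyUnavailable(f"key {key_id} is disabled or does not exist")
        return entry["material"]

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        master = self._material(KeyId)
        data_key, nonce = os.urandom(32), os.urandom(12)
        # key id bound as associated data: a blob cannot be replayed under another key
        wrapped = AESGCM(master).encrypt(nonce, data_key, KeyId.encode())
        blob = KeyId.encode() + nonce + wrapped  # layout: key id || nonce || wrapped key
        return {"Plaintext": data_key, "CiphertextBlob": blob, "KeyId": KeyId}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        n = self.KEY_ID_LEN
        key_id = CiphertextBlob[:n].decode()
        master = self._material(key_id)  # raises if the customer has since disabled the key
        data_key = AESGCM(master).decrypt(CiphertextBlob[n:n + 12], CiphertextBlob[n + 12:], key_id.encode())
        return {"Plaintext": data_key, "KeyId": key_id}


def encrypt_secret(kms, plaintext: str, kms_key_id: str) -> dict:
    """Envelope-encrypt one secret under a fresh data key; refuse the write if KMS fails."""
    try:
        dk = kms.generate_data_key(KeyId=kms_key_id, KeySpec="AES_256")
    except KmsKeyUnavailable as exc:
        raise EncryptionUnavailable("tenant key unavailable; write refused") from exc
    nonce = os.urandom(12)  # one data key per secret, so this nonce is never reused
    ciphertext = AESGCM(dk["Plaintext"]).encrypt(nonce, plaintext.encode(), None)
    return {"encrypted_key": dk["CiphertextBlob"], "nonce": nonce,  # plaintext data key dropped here
            "ciphertext": ciphertext, "algorithm": "AES-256-GCM"}


def decrypt_secret(kms, record: dict) -> str:
    """Unwrap the data key through KMS, then open the GCM envelope. No plaintext fallback exists."""
    try:
        dk = kms.decrypt(CiphertextBlob=record["encrypted_key"])
    except KmsKeyUnavailable as exc:
        raise EncryptionUnavailable("tenant key unavailable; read refused") from exc
    # AESGCM.decrypt raises InvalidTag if the nonce or ciphertext was modified
    return AESGCM(dk["Plaintext"]).decrypt(record["nonce"], record["ciphertext"], None).decode()


def _outcome(fn) -> str:
    try:
        fn()
        return "completed"
    except EncryptionUnavailable:
        return "refused"


def demo() -> dict:
    """Write, revoke, attempt read and write, restore: the fail-secure sequence."""
    kms = FakeKms()
    key_id = kms.create_key()
    record = encrypt_secret(kms, "db-password-example", key_id)  # constructed sample secret
    out = {"roundtrip": decrypt_secret(kms, record) == "db-password-example"}
    kms.disable_key(key_id)  # the customer revokes ASCEND's access
    out["read_after_revoke"] = _outcome(lambda: decrypt_secret(kms, record))
    out["write_after_revoke"] = _outcome(lambda: encrypt_secret(kms, "new-secret", key_id))
    kms.enable_key(key_id)  # re-enabling restores access to existing ciphertext
    out["read_after_restore"] = decrypt_secret(kms, record) == "db-password-example"
    return out
```

The only except branches convert a KMS failure into EncryptionUnavailable; there is no path that returns stored bytes unverified or writes plaintext for later encryption, which is what the fail-secure statement at the top of the page requires.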
Key Management
AWS KMS Integration
# KMS key configuration
KMS_CONFIG = {
"master_key_arn": "arn:aws:kms:us-east-2:...:key/...",
"key_rotation": True,
"rotation_period_days": 365,
"key_policy": {
"principals": ["arn:aws:iam::...:role/ascend-app"],
"actions": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"]
}
}
Key Rotation
# Automatic key rotation
{
"rotation_enabled": True,
"rotation_period_days": 365,
"retain_old_keys": True,
"old_key_retention_days": 90
}
Bring Your Own Key (BYOK)
Customer-Managed Keys
# Configure customer KMS key (admin JWT required; body is JSON)
curl -X POST "https://pilot.owkai.app/api/byok/configure" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "kms_key_arn": "arn:aws:kms:us-east-2:CUSTOMER_ACCOUNT:key/...",
    "description": "Customer-managed encryption key"
  }'
BYOK Requirements
| Requirement | Description |
|---|---|
| Key Type | Symmetric (AES-256) |
| Key Usage | Encrypt/Decrypt |
| Cross-Account Access | Required for ASCEND access |
| Key Rotation | Customer-managed |
Cross-Account Policy
Attach the following statement to the customer key's policy. It grants ASCEND usage permissions only (no kms:PutKeyPolicy, kms:ScheduleKeyDeletion or kms:DisableKey), so the customer keeps full administrative control and can cut ASCEND off at any time by removing the statement or disabling the key. Two details matter: "Resource": "*" in a key policy refers only to the key the policy is attached to, and cross-account use also needs an IAM policy in the ASCEND account allowing the same actions on the customer key ARN; the key policy alone is not sufficient. The key must also live in the AWS Region where ASCEND calls KMS (the ARNs on this page use us-east-2), because KMS keys are regional.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowASCENDAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ASCEND_ACCOUNT:role/ascend-app"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
}
]
}
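As an added example (not ASCEND's own code), the following pre-flight check lets a customer lint a candidate key policy and key ARN before calling /api/byok/configure: it confirms the ASCEND role gets exactly the usage actions listed above and nothing broader, that no statement opens the key to every account, and that the customer's own account root keeps administrative rights. The account ids, expected Region and the usage-action allow-list are assumptions for this example.

```python
# Added example, not ASCEND's code: lint a BYOK key policy and key ARN before submission.
import re

ASCEND_ROLE_ARN = "arn:aws:iam::111111111111:role/ascend-app"  # constructed ASCEND account id
CUSTOMER_ACCOUNT = "222222222222"                                 # constructed customer account id
EXPECTED_REGION = "us-east-2"                                     # Region used by the ARNs on this page

# Usage-only permissions; anything else granted to the ASCEND role is over-broad (assumed list).
USAGE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                 "kms:GenerateDataKey*", "kms:ReEncrypt*", "kms:DescribeKey"}
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
# Any of these for the customer's root principal keeps the key manageable by the customer.
ADMIN_ACTIONS = {"kms:*", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey"}

KEY_ARN = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]{36}$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt) -> list:
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def check_byok_key_policy(policy: dict, ascend_role_arn: str = ASCEND_ROLE_ARN,
                          customer_account: str = CUSTOMER_ACCOUNT) -> list:
    """Return findings as strings; an empty list means the policy is acceptable."""
    findings, ascend_actions, customer_keeps_admin = [], set(), False
    root = f"arn:aws:iam::{customer_account}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        actions = set(_as_list(stmt.get("Action", [])))
        if "*" in principals:
            findings.append(f"{sid}: Principal '*' opens the key to every AWS account")
        if ascend_role_arn in principals:
            ascend_actions |= actions
            if stmt.get("Resource") != "*":
                findings.append(f"{sid}: Resource in a key policy must be '*' (it means this key)")
        if root in principals and actions & ADMIN_ACTIONS:
            customer_keeps_admin = True
    if not ascend_actions:
        findings.append(f"no statement grants {ascend_role_arn}")
    elif "kms:*" not in ascend_actions and REQUIRED_ACTIONS - ascend_actions:
        findings.append(f"ASCEND role is missing {sorted(REQUIRED_ACTIONS - ascend_actions)}")
    if ascend_actions - USAGE_ACTIONS:
        findings.append(f"ASCEND role granted over-broad actions {sorted(ascend_actions - USAGE_ACTIONS)}")
    if not customer_keeps_admin:
        findings.append("no statement keeps administrative rights with the customer account root; "
                        "the customer could not later change the policy or disable the key")
    return findings


def check_key_arn(arn: str, expected_region: str = EXPECTED_REGION,
                  customer_account: str = CUSTOMER_ACCOUNT) -> list:
    """The submitted ARN must be a full key ARN in the customer's account and in ASCEND's Region."""
    m = KEY_ARN.match(arn)
    if not m:
        return ["not a KMS key ARN; BYOK needs the full key ARN, not an alias or bare key id"]
    findings = []
    if m.group(1) != expected_region:
        findings.append(f"key is in {m.group(1)} but ASCEND calls KMS in {expected_region}")
    if m.group(2) != customer_account:
        findings.append("key is not owned by the customer account")
    return findings


# Constructed sample: the policy from this page with placeholder account ids filled in.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowASCENDAccess",
        "Effect": "Allow",
        "Principal": {"AWS": ASCEND_ROLE_ARN},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
    }],
}
# Statement the customer should add so the key stays under their control.
CUSTOMER_ADMIN_STATEMENT = {
    "Sid": "EnableCustomerAdministration",
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{CUSTOMER_ACCOUNT}:root"},
    "Action": "kms:*",
    "Resource": "*",
}
```

Run against the page's statement alone, the linter reports exactly one finding: the ASCEND grant is fine, but the policy contains no statement that keeps administration with the customer. Adding CUSTOMER_ADMIN_STATEMENT clears it; widening the ASCEND grant to kms:* or to Principal "*" is flagged.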
Compliance Mapping
| Standard | Requirement | Implementation |
|---|---|---|
| PCI-DSS 3.4 | Data at rest | AES-256 encryption |
| PCI-DSS 4.1 | Data in transit | TLS 1.3 |
| HIPAA 164.312(a)(2)(iv) | Encryption | AES-256 + KMS |
| SOC 2 CC6.7 | Data protection | Encryption controls |
| NIST SP 800-57 | Key management | KMS rotation |
Best Practices
1. Enforce TLS
# Always verify TLS in production
client = AscendClient(
api_key="owkai_...",
verify_ssl=True
)
2. Rotate Keys Regularly
# Enable automatic rotation
{
"key_rotation": True,
"rotation_period_days": 365
}
3. Use Field-Level Encryption for PII
# Encrypt sensitive fields
{
"encrypted_fields": ["ssn", "account_number", "date_of_birth"]
}
4. Monitor Key Usage
# Audit key access
{
"cloudtrail_logging": True,
"key_usage_metrics": True
}
Next Steps
- Data Protection — Data masking and tokenization
- Multi-Tenancy — Tenant isolation
- Audit Compliance — Encryption audit
Document Version: 2026.04 | Last Updated: April 2026