Security Whitepaper

The Identity-Driven Cryptosystem.

We do not claim "Magic". We utilize a verifiable Transient Envelope Encryption model. Keys are managed strictly by cryptographic hardware and post-quantum algorithms, ensuring Zero Persistence of your secrets while enabling sub-second Kubernetes synchronization.

Cryptographic Primitives

DATA ENCRYPTION (DEK)

AES-256-GCM

The secret payload is encrypted Client-Side using AES-256 in Galois/Counter Mode (GCM). This ensures authenticated encryption prior to transmission.

INTERNAL KMS ALGORITHM

CRYSTALS-Kyber

Our Internal KMS uses Kyber-1024 (NIST Post-Quantum standard) for key encapsulation, protecting DEKs against harvest-now-decrypt-later attacks.

ROOT OF TRUST

Cloud KMS (HSM)

The master seeds for our Internal KMS are protected by Cloud HSMs (AWS KMS / Google Cloud KMS) with FIPS 140-2 Level 3 validation.

CLIENT IDENTITY

ECC (X25519)

Every client (Agent, Web UI, CLI) generates an ephemeral Curve25519 key pair to perform Elliptic-Curve Diffie-Hellman (ECDH) key agreement. Private keys never leave the device.

ENTERPRISE CONTROL

True BYOK Sovereignty

Enterprise customers can integrate their own AWS KMS or GCP Cloud KMS to handle Key Encapsulation directly. Instead of using our internal KMS, your Data Encryption Keys (DEKs) are protected exclusively by your cloud provider. This grants absolute sovereign control over the encryption lifecycle, allowing you to cryptographically revoke platform access with a single click.

TRANSPORT SECURITY

TLS 1.3 Only

We strictly enforce TLS 1.3 with HSTS. All data is encrypted in transit, securing the gRPC infrastructure streams and API connections.

Data Encryption Keys (DEKs) Isolation Policy

The Ennote Platform employs a Zero-Persistence architecture where Data Encryption Keys (DEKs) are encapsulated by a master Key Encryption Key (KEK). We call this Ephemeral Key Exposure.

During two specific actions, Access Requests and Master Key Rotation, the system performs an automated, transient re-wrapping operation. During this process, DEKs are briefly decapsulated in volatile memory (RAM), exclusively so that they can be immediately re-wrapped using a session key derived for the target recipient (Human Workspace or K8s Agent).

To mathematically eliminate the risk of hypervisor compromise or memory scraping, our backend execution environment runs exclusively on Confidential Nodes powered by Intel TDX. In-use data is encrypted at the hardware level, meaning each node receives a unique, processor-managed key that removes the cloud provider entirely from the trust boundary.

Hardware Enclaves
Execution occurs within Intel TDX Confidential Nodes. In-use RAM is encrypted at the silicon processor level.
Transient Processing
Plaintext keys exist only in hardware-encrypted volatile memory for the duration of the cryptographic operation (milliseconds).
No Persistence
At no point are plaintext DEKs written to disk, logs, databases, or persistent storage layers.

The Lifecycle of a Secret

ENCRYPTION FLOW
[Diagram: Client (plain data, DEK, encrypted data, key capsule) -> Ennote Cloud -> Storage]
  1. Ephemeral Key Generation: the client generates a random 256-bit DEK. This key exists only in RAM and is never written to disk.
  2. Encapsulation (KEM): data is encrypted with the DEK. The DEK is then encapsulated using the KMS Public Key (Kyber) into a secure Key Capsule.
  3. Encrypted Storage: we store the encrypted payload. The DEK is locked inside the Capsule, completely unreadable to the persistent storage layer.
DECRYPTION FLOW
[Diagram: Internal KMS (master key) -> re-wrapping (capsule -> DEK -> ECDH wrap) -> Client (ECC, wrapped key) -> data]
  1. Identity Verification: the client authenticates and sends its ephemeral X25519 Public Key to the KMS.
  2. Atomic Re-Wrapping: inside the KMS enclave, the DEK is decapsulated in volatile RAM. The server performs ECDH with the client's Public Key to derive a secure session key, wraps the DEK with it, and immediately flushes memory.
  3. Client Decryption: the client derives the identical shared session key using its private X25519 key, unwraps the DEK, and decrypts the secret data locally.
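The two flows above, and the transient re-wrap described under the DEK Isolation Policy, as an added example written for this page with the Go standard library; it is not Ennote's code. Assumptions: the Kyber capsule step is skipped (the KMS side starts with the plaintext DEK already in RAM), and the session key is derived with SHA-256 over a label and the X25519 shared secret in place of whatever KDF the platform uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// must panics on errors only a bad key size or a broken system RNG could cause.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// seal is AES-256-GCM with a fresh random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check rejects a wrong key or a modified blob.
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// sessionKey: assumed KDF (SHA-256 over a label and the X25519 shared secret).
func sessionKey(shared []byte) []byte {
	sum := sha256.Sum256(append([]byte("ennote-dek-wrap:"), shared...))
	return sum[:]
}

// Lifecycle runs both flows and returns the recovered secret; the Kyber capsule step is assumed done.
func Lifecycle(secret []byte) ([]byte, error) {
	dek := make([]byte, 32) // encryption step 1: random 256-bit DEK, never persisted
	must(rand.Read(dek))
	blob := seal(dek, secret) // encryption step 2: payload sealed client-side
	client := must(ecdh.X25519().GenerateKey(rand.Reader)) // decryption step 1: ephemeral client key
	server := must(ecdh.X25519().GenerateKey(rand.Reader)) // decryption step 2, inside the KMS
	wrapped := seal(sessionKey(must(server.ECDH(client.PublicKey()))), dek)
	for i := range dek { dek[i] = 0 } // the KMS flushes the plaintext DEK as soon as it is wrapped
	dek2, err := open(sessionKey(must(client.ECDH(server.PublicKey()))), wrapped) // step 3: client side
	if err != nil {
		return nil, err
	}
	return open(dek2, blob)
}
```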

Infrastructure Hardening

  • Encryption at Rest

    All databases and backups are encrypted at the storage level. Physical theft of disks yields no unencrypted data.

  • Network Edge Defense

    We utilize a Web Application Firewall (WAF) to block volumetric attacks, XSS, and SQL injection at the edge before they hit the application layer.

  • Strict Access Control

    Ennote engineers possess zero access to customer data keys. All administrative actions require Hardware MFA and are permanently logged.

Compliance & Operations

Security isn't just cryptography; it's people, continuous monitoring, and strict operational processes.

Zero-Trust Infrastructure: Designed strictly against ISO 27001 & SOC 2 Access Criteria
Employee Vetting: Background Checks & Hardware MFA Enforced
GDPR & CCPA Ready: Privacy-First Architecture & DPAs

Vulnerability Disclosure

We offer Safe Harbor for good-faith security research. Please do not attempt DDoS or social engineering against our staff.

Security you don't have to build yourself.

Start managing secrets with hardware-backed, zero-persistence encryption today.