
Encryption & Data Protection

Detailed explanation of how Torvus Security protects your data using industry-leading encryption.


Encryption Overview

Torvus Security uses strong, standards-based encryption (AES-256-GCM at rest, TLS 1.3 in transit) to protect your data at every stage:

| Stage           | Encryption Method      | Key Length | Type                   |
|-----------------|------------------------|------------|------------------------|
| Data at Rest    | AES-256-GCM            | 256-bit    | Symmetric              |
| Data in Transit | TLS 1.3                | 256-bit    | Asymmetric + Symmetric |
| End-to-End      | Client-Side Encryption | 256-bit    | Symmetric              |
| Backups         | AES-256-GCM            | 256-bit    | Symmetric              |

Data at Rest Encryption

Database Encryption

All data stored in PostgreSQL is encrypted at rest:

Encryption Details:

  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Key Management: AWS KMS (Key Management Service)
  • Scope: All tables, all columns
  • Performance: Transparent encryption with minimal overhead

Encrypted Fields:

  • User personal information (name, email, phone)
  • Vault metadata (names, descriptions)
  • Document metadata
  • Recipient information
  • Policy configurations
  • Check-in history
  • Audit logs

File Storage Encryption

Documents uploaded to vaults are encrypted before storage:

Encryption Process:

  1. Client Upload: File transmitted over TLS 1.3
  2. Server Reception: File received in memory (never written unencrypted)
  3. Encryption: AES-256-GCM encryption applied
  4. Storage: Encrypted file written to S3
  5. Key Storage: Encryption key stored in KMS

Encryption Keys:

  • Per-Vault Keys: Each vault has its own unique encryption key
  • Key Derivation: PBKDF2 with 100,000 iterations
  • Key Wrapping: Master key wraps vault keys
  • Key Rotation: Automatic annual rotation

Backup Encryption

All backups are encrypted separately from production data:

Backup Security:

  • Separate Keys: Backups use different encryption keys
  • Automated Backups: Daily encrypted snapshots
  • Retention: 30-day retention with encryption maintained
  • Geographic Redundancy: Encrypted backups in multiple regions
  • Point-in-Time Recovery: Encrypted incremental backups

Data in Transit Encryption

TLS 1.3 Configuration

All network communication uses the latest TLS protocol:

TLS Configuration:

  • Protocol: TLS 1.3 (minimum TLS 1.2 for legacy clients)
  • Cipher Suites:
    • TLS_AES_256_GCM_SHA384 (preferred)
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_128_GCM_SHA256
  • Key Exchange: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
  • Perfect Forward Secrecy: Yes (ephemeral keys)

Security Features:

  • Certificate Validation: Strict certificate verification
  • HSTS: HTTP Strict Transport Security (max-age 31536000 seconds, i.e. one year)
  • Certificate Pinning: Mobile apps pin TLS certificates
  • OCSP Stapling: the server attaches a current Online Certificate Status Protocol response to the TLS handshake, so clients can check revocation without a separate lookup to the CA

HTTPS Everywhere

Web Application:

  • All HTTP requests redirected to HTTPS (301)
  • Secure cookies with Secure and HttpOnly flags
  • SameSite cookie policy (Strict)
  • Content Security Policy (CSP) enforced

API Endpoints:

  • HTTPS required for all API calls
  • API keys transmitted in Authorization header (never URL)
  • Webhook deliveries over HTTPS only
  • Client certificate authentication (optional for Enterprise)

WebSocket Security

Real-time features use encrypted WebSocket connections:

WSS Configuration:

  • Protocol: WSS (WebSocket Secure) over TLS 1.3
  • Authentication: JWT tokens for connection auth
  • Message Encryption: Additional layer of encryption for sensitive messages
  • Connection Limits: Per-user connection limits to prevent abuse

End-to-End Encryption

For maximum security, Torvus offers client-side encryption for vault contents:

How It Works

The flow (shown as a diagram on the original page):

  User's Device
    1. Generate Key
    2. Encrypt File
        |
        v   Encrypted File + Encrypted Key (RSA-4096)
  Torvus Cloud Storage
    - Encrypted File
    - Encrypted Key
    (Cannot be decrypted without the user's private key)
        |
        v   On Release
  Recipient
    1. Receive Package
    2. Decrypt with Key

Zero-Knowledge Architecture

Zero-Knowledge Principles:

  • Client-Side Keys: Encryption keys generated on user's device
  • No Server Access: Torvus servers cannot decrypt vault contents
  • User Control: Only vault owner and recipients can decrypt
  • Key Escrow: Optional key escrow for enterprise recovery

Trade-offs:

  • Benefit: Maximum Security, complete privacy from Torvus
  • Benefit: Regulatory Compliance, meets the strictest data residency requirements
  • Limitation: No Server-Side Search, encrypted content cannot be searched
  • Limitation: Key Management Burden, users are responsible for key backup

Availability:

  • Free Plan: Server-side encryption only
  • Pro Plan: Optional client-side encryption
  • Business/Enterprise: Mandatory for regulated industries

Key Management

Key Hierarchy

Torvus uses a hierarchical key management system:

  Master Encryption Key
  (AWS KMS, HSM-backed)
        |  encrypts
        v
  Data Encryption Keys
  (Per-Vault, Per-Document)
        |  encrypts
        v
  Actual Data
  (Vaults, Documents, Metadata)

Key Generation

Cryptographically Secure Random Keys:

  • Algorithm: Cryptographically secure pseudorandom number generator (CSPRNG)
  • Entropy Source: Hardware RNG + OS entropy pool
  • Key Length: 256-bit minimum
  • Uniqueness: Each key unique, never reused

Key Derivation:

  • Algorithm: PBKDF2-SHA256
  • Iterations: 100,000 (adjustable based on hardware)
  • Salt: Unique 256-bit salt per key
  • Purpose: Derive encryption keys from user passwords

Key Storage

AWS Key Management Service (KMS):

  • HSM-Backed: Keys stored in FIPS 140-2 Level 3 HSMs
  • Access Control: IAM policies restrict key access
  • Audit Logging: All key operations logged in CloudTrail
  • Regional Isolation: Keys isolated per AWS region

Key Wrapping:

  • Master key encrypts data encryption keys (DEKs)
  • DEKs stored encrypted, never in plaintext
  • Key unwrapping only in memory, ephemeral
  • Automatic key wrapping for new DEKs

Key Rotation

Automatic Rotation:

  • Frequency: Annual rotation for master keys
  • Process:
    1. Generate new master key
    2. Re-encrypt all DEKs with new master key
    3. Retire old master key (retained for decryption of old data)
    4. Update key references in database

Manual Rotation:

  • Triggered by security incidents
  • Compliance requirements (e.g., employee departure)
  • Vault owner request
  • Suspected key compromise

Rotation Impact:

  • Zero downtime during rotation
  • Transparent to users
  • Audit trail of all rotations
  • Rollback capability in case of issues

Key Destruction

Secure Key Deletion:

  • Scheduled Deletion: 30-day waiting period
  • Cryptographic Erasure: Overwrite with random data
  • Verification: Deletion verified and logged
  • Recovery Window: 30-day recovery period before permanent deletion

When Keys Are Destroyed:

  • Vault permanent deletion (after 30-day retention)
  • User account deletion (after compliance retention period)
  • Key rotation (old keys deleted after re-encryption)
  • Explicit user request (with verification)

Data Protection Strategies

Data Classification

Torvus classifies data by sensitivity:

| Classification | Examples                         | Encryption                   | Access Control           |
|----------------|----------------------------------|------------------------------|--------------------------|
| Public         | Marketing materials, public docs | Standard TLS                 | Public access            |
| Internal       | User metadata, vault names       | AES-256 + TLS                | Authenticated users      |
| Confidential   | Vault contents, documents        | AES-256 + TLS + E2EE         | Vault owner + recipients |
| Restricted     | Payment info, admin data         | AES-256 + TLS + Tokenization | Strict RBAC              |

Data Minimization

Collection Principles:

  • Collect only necessary data
  • Anonymize where possible
  • Pseudonymize personal identifiers
  • Aggregate analytics data

Examples:

  • Don't: store full credit card numbers
  • Do: store a tokenized payment method
  • Don't: log full document contents
  • Do: log document metadata only
  • Don't: store plaintext passwords
  • Do: store bcrypt-hashed passwords

Data Retention

Retention Policies:

| Data Type             | Retention Period | Reason                       |
|-----------------------|------------------|------------------------------|
| Active Vaults         | Indefinite       | User-controlled              |
| Deleted Vaults        | 30 days          | Accidental deletion recovery |
| Audit Logs            | 7 years          | Compliance (SOC 2, GDPR)     |
| Backup Snapshots      | 30 days          | Disaster recovery            |
| Failed Login Attempts | 90 days          | Security analysis            |
| Webhook Delivery Logs | 30 days          | Debugging                    |

Automated Deletion:

  • Scheduled jobs delete data past retention
  • Cryptographic erasure for secure deletion
  • Audit trail of all deletions
  • No retention beyond policy period

Data Anonymization

Anonymization Techniques:

  • Hashing: One-way hash for identifiers (SHA-256)
  • Masking: Partial masking for display (e.g., ****@example.com)
  • Aggregation: Group data to prevent re-identification
  • Differential Privacy: Add noise to statistical queries

Use Cases:

  • Analytics and metrics (no PII)
  • Error logging (masked sensitive data)
  • Support tickets (anonymized user IDs)
  • Research and development (synthetic data)

Compliance & Standards

Encryption Standards

NIST Compliance:

  • FIPS 140-2: Cryptographic modules validated
  • NIST SP 800-53: Security controls implemented
  • NIST SP 800-57: Key management practices
  • NIST SP 800-131A: Transitioning to stronger algorithms

Industry Standards:

  • PCI DSS: For payment data encryption
  • HIPAA: For healthcare data (planned)
  • FedRAMP: For government use (planned)
  • ISO/IEC 27001: Information security management

GDPR & Data Protection

GDPR Requirements:

  • Encryption at Rest: Article 32 (Security of Processing)
  • Encryption in Transit: Article 32
  • Data Portability: Encrypted exports in standard formats
  • Right to Erasure: Cryptographic deletion on request
  • Data Breach Notification: 72-hour notification with encryption status

CCPA Requirements:

  • Reasonable Security: Encryption as reasonable security measure
  • Data Sale Opt-Out: Encrypted data not sold to third parties
  • Consumer Rights: Encrypted data export on request

Encryption Best Practices

For Vault Owners

  1. Use Strong Passwords

    • Minimum 16 characters
    • Include uppercase, lowercase, numbers, symbols
    • Use a password manager
    • Never reuse passwords
  2. Enable MFA

    • Use authenticator app (TOTP)
    • Consider hardware security keys (WebAuthn)
    • Store backup codes securely offline
  3. Backup Recovery Keys

    • Download and store recovery keys offline
    • Use encrypted USB drive or password manager
    • Keep multiple copies in secure locations
    • Never store in vault itself
  4. Review Encryption Settings

    • Enable client-side encryption for sensitive vaults
    • Verify TLS certificate when accessing Torvus
    • Check for HTTPS padlock in browser
    • Review encryption audit logs quarterly

For Developers (API Users)

  1. API Key Security

    • Store API keys in environment variables
    • Never commit keys to version control
    • Use .env files (add to .gitignore)
    • Rotate keys quarterly
  2. Encrypted API Calls

```javascript
// Correct: HTTPS, with the key in the Authorization header
const response = await fetch('https://api.torvussecurity.com/v1/vaults', {
  headers: {
    'Authorization': `Bearer ${process.env.TORVUS_API_KEY}`
  }
});

// Wrong: HTTP (plaintext) exposes the request and any credentials in it
const insecureResponse = await fetch('http://api.torvussecurity.com/v1/vaults');
```

  3. Validate TLS Certificates

```python
import os
import requests

api_key = os.environ['TORVUS_API_KEY']

# Correct: verify the server certificate (the default, but explicit is better)
response = requests.get(
    'https://api.torvussecurity.com/v1/vaults',
    headers={'Authorization': f'Bearer {api_key}'},
    verify=True,
)

# Wrong: disabling certificate validation lets an interposed server read the traffic
response = requests.get('https://api.torvussecurity.com/v1/vaults', verify=False)
```
  4. Encrypt Sensitive Payloads

    • Encrypt document contents before API upload
    • Use client-side encryption for maximum security
    • Verify recipient's public key before encrypting

For Organizations

  1. Encryption Policy

    • Document encryption requirements
    • Mandate client-side encryption for sensitive data
    • Regular encryption audits
    • Employee training on encryption
  2. Key Management

    • Centralized key management (SSO with SAML/OIDC)
    • Key escrow for business continuity
    • Documented key recovery procedures
    • Annual key rotation
  3. Compliance Verification

    • Regular security audits
    • Penetration testing (annual)
    • Encryption configuration reviews
    • Compliance certifications (SOC 2, ISO 27001)

Encryption Auditing

Audit Logging

All encryption operations are logged:

Logged Events:

  • Key generation and rotation
  • Encryption/decryption operations
  • Key access and usage
  • Failed decryption attempts
  • Key deletion and destruction
  • Certificate changes

Log Contents:

  • Timestamp (UTC)
  • User ID and IP address
  • Operation type
  • Key identifier (not key value)
  • Success/failure status
  • Error messages (sanitized)

Compliance Reporting

Available Reports:

  • Encryption coverage report (% of data encrypted)
  • Key rotation compliance report
  • Encryption audit trail
  • Data retention compliance report
  • GDPR/CCPA compliance report

Report Frequency:

  • Real-time dashboards
  • Weekly automated reports
  • Monthly compliance summaries
  • Annual security audits

FAQ

Is my data encrypted?

Yes, all data is encrypted:

  • At Rest: AES-256-GCM encryption in database and file storage
  • In Transit: TLS 1.3 for all network communication
  • Backups: Encrypted with separate keys
  • Optional: Client-side end-to-end encryption

Can Torvus decrypt my data?

Server-Side Encryption: Yes, Torvus can decrypt for:

  • Search functionality
  • Document previews
  • Automated virus scanning
  • Compliance requirements (with legal process)

Client-Side Encryption (E2EE): No, Torvus cannot decrypt:

  • Encryption keys never leave your device
  • Zero-knowledge architecture
  • Only you and recipients can decrypt

What happens if I lose my encryption key?

Server-Side Encryption:

  • No action needed (Torvus manages keys)
  • Data remains accessible via your account

Client-Side Encryption:

  • Lost Key = Lost Data (by design for security)
  • Always backup recovery keys
  • Consider key escrow for organizations
  • No Torvus recovery possible

How do I verify encryption is working?

Browser Console:

  1. Open Developer Tools (F12)
  2. Network tab → Select any request
  3. Verify the https:// protocol
  4. Check the TLS version (should be 1.3; the Security panel shows the negotiated protocol and cipher suite)

API Responses:

  • Check encryption_status field in API responses
  • Verify encrypted: true for sensitive data
  • Review encryption audit logs in dashboard

Does encryption slow down performance?

Minimal Impact:

  • Modern CPUs have AES hardware acceleration (AES-NI)
  • TLS 1.3 reduces handshake latency
  • Encryption adds less than 5ms latency on average
  • Caching mitigates decryption overhead

Last Updated: October 8, 2025