Internal Documentation

Encryption Key Management Policy

Purpose

This policy outlines the procedures and guidelines for managing encryption keys within our organization to ensure the confidentiality, integrity, and availability of our systems and data. This policy is designed to comply with SOC 2 requirements and industry best practices.

Scope

This policy applies to all encryption keys used within our organization, including but not limited to:

  • TLS certificates
  • Application-specific encryption keys (e.g., Laravel APP_KEY)

TLS Certificate Management

Certificate Authority

  • Our TLS certificates are managed by Fly.io, which uses Let’s Encrypt as the Certificate Authority.

Certificate Renewal

  • Let’s Encrypt certificates are automatically renewed by Fly.io before expiration.
  • The renewal process is automated and does not require manual intervention.

Monitoring

  • IT staff will monitor the Fly.io dashboard regularly to ensure proper functioning of the TLS certificate management system.
  • Any issues with certificate renewal or expiration will be addressed immediately.

Laravel APP_KEY Management

Key Generation

  • The Laravel APP_KEY is a 32-character random string used for all encrypted data.
  • The key is generated using Laravel’s built-in key generation mechanism.

Key Storage

  • The APP_KEY is stored in the Doppler secrets manager, and integrated with the Laravel application on VM bootup in the Fly environment.
  • Access to environments within Doppler are restricted to authorized personnel only.

Key Rotation

  • The APP_KEY will be rotated once every 6 months.
  • The rotation process will be performed by a designated team member.

Rotation Procedure

  1. Generate a new APP_KEY using Laravel’s artisan key:generate command, for each environment.
  2. Update the Doppler environments with the new APP_KEY.
  3. Deploy the changes to all environments (development, staging, production).
  4. Verify that all systems are functioning correctly with the new key.
  5. Securely delete the old key from all systems.

Emergency Key Rotation

  • In case of a suspected key compromise, an emergency key rotation will be performed immediately following the same procedure as the regular rotation.

Access Control

  • Access to encryption keys and systems managing these keys is restricted to authorized personnel only.
  • Access rights are reviewed quarterly and updated as needed.

Backup and Recovery

  • Encryption keys are included in the regular backup process.
  • Recovery procedures are documented and tested annually to ensure keys can be restored if needed.

Incident Response

  • Any suspected or confirmed compromise of encryption keys must be reported immediately to the security team.
  • The incident response plan will be activated, which may include emergency key rotation and system audits.

Compliance and Audit

  • This policy and related procedures will be reviewed annually to ensure compliance with SOC 2 requirements and industry best practices.
  • Regular audits will be conducted to verify adherence to this policy.

Training

  • All personnel involved in the management of encryption keys will receive appropriate training on this policy and related procedures.

Policy Review

  • This policy will be reviewed annually and updated as necessary to reflect changes in our systems, processes, or regulatory requirements.

Visibility

This document is confidential and is a proprietary work product of Cadence OneFive. The information contained herein may not be copied or distributed without the specific written consent of Cadence OneFive.