Data Encryption Policy

Project / Organization: ~~{{ORG_NAME}}~~ALAI Holding AS — Drop Payment App Policy Number: POL-SEC-~~{{NUMBER}}~~ENC-001 Version: ~~{{VERSION}}~~1.0 Date: ~~{{DATE}}~~2026-02-23 Author: ~~{{AUTHOR}}~~Security Architect Status: Draft ~~| In Review | Approved~~ Reviewers: ~~{{REVIEWERS}}~~CISO, CTO, DPO Next Review: ~~{{REVIEW_DATE}}~~2027-02-23 Classification: Confidential

Document History

Version	Date	Author	Changes
0.1	~~{{DATE}}~~2026-02-23	~~{{AUTHOR}}~~Security Architect	Initial draft — Drop encryption standards

1. Purpose & Scope

Purpose: This policy defines the minimum encryption standards for data at rest, in transit, and at the application level across all systems operated by ~~{{ORG_NAME}}.~~ALAI Holding AS for the Drop payment app.

Regulatory basis:

Scope: This policy applies to:

All systems, applications, and infrastructure operated by ~~{{ORG_NAME}}~~ALAI Holding AS for Drop
All employees, contractors, and third parties with access to ~~{{ORG_NAME}}~~Drop systems
All data classified as Internal, Confidential, or Restricted (see compliance-framework.md §5)7)
All cloud ~~environments,~~environments ~~on-premises~~(AWS ~~systems,~~App Runner, S3) and developer workstations

Exceptions: Public-facing static content (HTML, CSS, ~~JS files,~~JS, public ~~images)~~exchange rate data) does not require encryption at rest beyond transport layer security.

2. Encryption Standards & Approved Algorithms

2.1 Approved Algorithms

Symmetric Encryption

preferred;providesconfidentiality (nationalID) IV~~per~~

Use Case	Algorithm	Key Size	Mode	Notes
Data at rest (general)	AES	256-bit	GCM	Authenticated encryption — ~~preferred~~
~~Data at rest (legacy/interop)~~	~~AES~~	~~256-bit~~	~~CBC~~	~~Only with HMAC-SHA-256 for~~+ integrity
~~Stream~~Fødselsnummer ~~encryption~~	~~ChaCha20-Poly1305~~	~~256-bit~~	—	~~Alternative to AES on non-AES-NI hardware~~
~~File~~field encryption	AES	256-bit	GCM	~~With~~Separate ~~random~~key ~~96-~~from database master; application layer
KYC document encryption	AES	256-bit	GCM	Stored ~~file~~in S3 with SSE-KMS
Database backups	AES	256-bit	GCM	Separate backup KMS key in separate AWS region
Log encryption	AES	256-bit	GCM	Rotation every 90 days

Asymmetric Encryption

JWT KMSkey

Use Case	Algorithm	Key Size	Notes
~~Key~~TLS key exchange ~~/ TLS~~	ECDHE	P-256 ~~/ P-384~~	~~Prefer~~Cloudflare ~~P-384~~+ ~~for~~AWS ~~Confidential/Restricted~~App ~~data~~Runner
~~Digital~~BankID ~~signatures~~	~~Ed25519~~	~~256-bit~~	~~Preferred for new systems~~
~~Digital signatures (legacy)~~verification	RSA	~~4096-~~2048-bit (BankID certificate)	~~Only~~BankID ~~where~~Norway ~~Ed25519~~certificate ~~not supported~~authority
Code signing	Ed25519	256-bit	~~All~~CI/CD ~~release~~artifact ~~artifacts~~signing
~~Certificate~~AWS ~~signing~~	~~RSA~~	~~4096-bit~~	~~For CA certificates only~~
~~Encryption (hybrid)~~wrapping	RSA-OAEP	4096-bit	~~Encrypt DEK with RSA when ECC not available~~AWS-managed

Hashing & Password Storage

Use Case	Algorithm	Parameters	Notes
Password hashing	~~Argon2id~~	~~m=65536, t=3, p=4~~	~~Preferred~~ ~~for new systems~~
~~Password hashing (legacy)~~	bcrypt	cost factor ≥ 12	~~Acceptable~~`bcryptjs` if^3.0.3 ~~Argon2~~— ~~not~~pure ~~available~~JS; SHA-256 legacy support REMOVED (fix C4)
~~Data~~JWT ~~integrity~~token hashing (~~general)~~session lookup)	SHA-256	—	~~For~~Session ~~non-security-critical~~table ~~hashing~~stores SHA-256(JWT) for revocation check
HMAC (~~message~~webhook ~~auth)~~signatures)	HMAC-SHA-256	—	For ~~webhook signatures,~~ API ~~tokens~~
~~File integrity~~	~~SHA-256~~	—	~~For artifact verification~~
~~Token derivation~~	~~HKDF-SHA-256~~	—	~~For deriving keys from master key~~integrations

Source: src/drop-app/src/lib/utils-server.ts:8-16 (bcrypt); src/drop-app/src/lib/auth.ts (JWT)

2.2 Prohibited Algorithms (NEVER USE)

Algorithm	Reason	~~Migration Required By~~Status
MD5	Collision attacks (2004+)	~~Already prohibited~~Prohibited
SHA-1	Collision attacks (2017+)	~~Already prohibited~~Prohibited
DES / 3DES	Key size insufficient	~~Already prohibited~~Prohibited
RC4	Statistical biases	~~Already prohibited~~Prohibited
ECB mode (any cipher)	Leaks data patterns	~~Already prohibited~~Prohibited
RSA < 2048-bit	Insufficient key strength	~~Already prohibited~~Prohibited
~~AES-128~~SHA-256 ~~(Restricted~~for ~~data)~~password hashing	~~Insufficient~~Not ~~for~~a ~~Restricted~~password ~~classification~~hash — no salt/stretching	~~Upgrade~~REMOVED by(security ~~{{DATE}}~~fix C4, 2026-02-13)

Critical fix (C4): SHA-256 legacy password support was completely removed in the 2026-02-13 hardening. verifyPassword() now only accepts bcrypt hashes. Source: src/drop-app/src/lib/utils-server.ts:14-19.

3. Encryption at Rest

3.1 Database Encryption

~~PII)~~

Database	Method	Key Management	Classification Coverage
~~PostgreSQL~~SQLite (~~primary)~~current MVP)	~~TDE~~OS-level ~~via~~full-disk ~~cloud provider (AES-256)~~encryption	~~Cloud~~Platform ~~KMS~~(AWS)	All classifications
PostgreSQL — Phase 2 (~~field-level~~primary)	AES-256 TDE via AWS RDS	AWS KMS — `drop-db-master-key`	All classifications
PostgreSQL — fødselsnummer field	AES-256-GCM atapplication layer	AWS KMS — `drop-national-id-key` (SEPARATE)	Restricted (L4)
PostgreSQL — KYC documents	AES-256-GCM application layer	~~Application~~AWS KMS — `drop-kyc-key`	~~Confidential /~~ Restricted
~~Redis~~	~~Cloud provider encryption~~ (~~AES-256)~~	~~Cloud KMS~~	~~Internal / Confidential~~
~~Elasticsearch~~	~~AES-256 (X-Pack security)~~	~~Cloud KMS~~	~~Internal~~L4)

Implementation pattern ~~(field-level):~~— fødselsnummer field encryption:

// Envelope encryption for PIIfødselsnummer
fields// Key: drop-national-id-key (AWS KMS — separate from db master)
// Stored: Only AES-256-GCM ciphertext — never plaintext in DB
// Access: Compliance function only, via role-based KMS key policy

async function encryptField(plaintext:encryptNationalId(fodselsnummer: string): Promise<string> {
    // 1. Generate random DEK
    const dek = crypto.randomBytes(32);
    // 2. Encrypt DEK with KEK from KMS
    const encryptedDek = await kmsClient.encrypt({ KeyId: KEK_ARN, Plaintext: dek });
    // 3. Encrypt data with DEK
    const iv = crypto.randomBytes(12);  // 96-bit random IV
    const dek = await kmsClient.generateDataKey({ KeyId: NATIONAL_ID_KEY_ARN, KeySpec: 'AES_256' });
    const cipher = crypto.createCipheriv('aes-256-gcm', dek,dek.Plaintext, iv);
    const ciphertext = Buffer.concat([cipher.update(plaintext)fodselsnummer, 'utf8'), cipher.final()]);
    const tag = cipher.getAuthTag();
    // 4. Return: base64(encryptedDekencryptedDEK || iv || tag || ciphertext)
    return Buffer.concat([encryptedDek,dek.CiphertextBlob, iv, tag, ciphertext]).toString('base64');
}

Card data note (critical fix C1): Cards feature is gated behind feature flags (all default false). No full PAN or CVV is ever stored. Only last_four and token_ref are stored. Card issuance will use a PCI-compliant partner (Marqeta/Lithic). Source: src/drop-app/src/lib/feature-flags.ts.

3.2 File / Object Storage Encryption

development

Storage	Method	Key Management	Notes
AWS S3 /— ~~GCS~~KYC ~~/ Azure Blob~~documents	SSE-KMS (AES-256)	~~Cloud~~AWS KMS — ~~per-bucket~~ `drop-kyc-key`	Server-side encryption, per-object
~~Backup~~AWS ~~files~~S3 — backups	SSE-KMS (AES-~~256-GCM~~256)	AWS KMS — `drop-backup-key` (separate region)	Separate ~~backup~~key ~~KMS~~from ~~key~~	~~Keys in different account~~primary
Developer ~~local storage~~workstations	OS-level full disk encryption	Platform key (FileVault /on ~~BitLocker)~~macOS)	Required for all ~~devices~~
~~USB / portable media~~	~~AES-256~~	~~Password + AES-256~~	~~Prohibited for Restricted data~~machines

3.3 Backup Encryption

All database backups MUST be encrypted before transfer off primary system.
pg_dumpKey: |drop-backup-key gzip | gpg --encrypt --recipient {{BACKUP_KEY_ID}} > backup.sql.gz.gpg

Backup encryption key: Stored in separate(AWS KMS region— eu-west-1 region, separate from primary Backupeu-north-1)
key rotation:Rotation: Annual
Retention: 30 days rolling

Backup keyverification: escrow:Monthly Storedrestore withtest {{ESCROW_LOCATION}}— see beredskapsplan.md

4. Encryption in Transit

4.1 TLS Configuration Standards

~~Minimum~~External-facing ~~TLS~~services ~~version:~~(Cloudflare + AWS App Runner):

~~External-facing services:~~Minimum TLS ~~1.2~~version: (TLS 1.3 ~~preferred)~~(enforced at Cloudflare edge)
~~Internal service-to-service:~~ TLS 1.32: Not supported (~~enforced)~~Cloudflare configuration)
~~Legacy~~HTTP ~~system~~→ ~~support:~~HTTPS: ~~Documented~~Automatic ~~exception~~redirect ~~required~~(HTTP 301)

Approved cipher suites (TLS 1.3):

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256  (minimum — prefer 256)

~~Approved~~HSTS ~~cipher suites~~configuration (~~TLS~~source: ~~1.2 — for backwards compatibility only)~~next.config.ts):

ECDHE-ECDSA-AES256-GCM-SHA384Strict-Transport-Security: ECDHE-RSA-AES256-GCM-SHA384max-age=63072000; ECDHE-ECDSA-CHACHA20-POLY1305includeSubDomains; ECDHE-RSA-CHACHA20-POLY1305preload

Prohibited TLS configurations:

TLS 1.0 and TLS 1.1 — prohibited (Cloudflare blocks)
SSL 2.0 / SSL 3.0 — prohibited
RC4 cipher suites — prohibited
~~Export-grade cipher suites — prohibited~~

NULL ~~cipher suites — prohibited~~

~~Anonymous DH~~ cipher suites — prohibited

4.2 Certificate Management

Certificate Type	Validity	Authority	Rotation	Monitoring
External TLS (*.{{DOMAIN}})getdrop.no)	90 days	Let's Encrypt /(via ~~{{CA}}~~Cloudflare)	Automated ~~(cert-manager)~~	Alert 3014 days before expiry
~~Internal~~BankID ~~service~~integration ~~TLS~~certificate	30Per ~~days~~BankID schedule	~~Internal~~BankID Norge AS CA ~~({{TOOL}})~~	~~Automated~~	~~Alert 7 days before expiry~~
~~Code signing~~	~~1 year~~	~~{{CA}}~~	Manual — BankID renewal process	Calendar reminder
~~Root~~AWS CAinternal certificates	~~10 years~~AWS-managed	~~Self-signed~~AWS Certificate Manager	~~Manual~~AWS-managed	~~Calendar~~AWS ~~reminder~~CloudWatch alerts

~~Certificate monitoring:~~ ~~{{CERT_MONITORING_TOOL}} — alert channel: #security-alerts~~

4.3 mTLS for Internal ServiceAPI Communication

All service-to-serviceDrop API traffic:
  Client → Cloudflare: TLS 1.3 (edge termination)
  Cloudflare → AWS App Runner: TLS 1.3 (re-encrypted)

Open Banking API calls within(AISP/PISP the— clusterPhase MUST2):
  useDrop mTLS.API Implementation:→ {{ISTIOBank API: TLS 1.3 + OAuth 2.0 / LINKERDeIDAS /certificate

cert-managerhttpOnly /cookie custom}}security:
  Certificatesecure: generation: SPIFFE/SVID standard
Rotation: Every {{ROTATION_PERIOD}} — automated via sidecar
Verification: Server verifies client cert against trusted CA
Service identity: SPIFFE URItrue (e.g.,HTTPS-only spiffe://{{TRUST_DOMAIN}}/ns/{{NS}}/sa/{{SERVICE_ACCOUNT}})transport)
  sameSite: 'strict' (CSRF protection)
  Source: src/drop-app/src/lib/auth.ts:48-54

5. Application-Level Encryption

5.1 Field-Level Encryption

When required: All fields classified as Restricted (L4) must be encrypted at the application layer, in addition to database-level encryption.

Fields requiring field-level encryption:

Field	Table	Classification	Key
`mfa_secretnational_id_encrypted`	`users`	Restricted (L4)	`USER_MFA_KEYdrop-national-id-key` (AWS KMS)
`{{PII_FIELD}}kyc_document_ref`	`{{TABLE}}users` / `kyc_records`	~~Confidential~~Restricted (L4)	`USER_PII_KEYdrop-kyc-key` (AWS KMS)
`api_key_secretbankid_sub`	`api_keysusers`	~~Restricted~~Confidential (L3)	`API_KEY_KEY`Database TDE
`{{FINANCIAL_FIELD}}token_hash`	`{{TABLE}}sessions`	~~Restricted~~Confidential (L3)	`FINANCIAL_KEY`Database TDE (SHA-256 hash — not raw token)

5.2 EnvelopeJWT EncryptionToken Security

Algorithm: HS256 (HMAC-SHA-256) Library: jose ^6.1.3 Configuration:

Master// KeySource: (KEK)src/drop-app/src/lib/auth.ts
const token = await new SignJWT({ userId, role })
    .setProtectedHeader({ alg: 'HS256' })
    .setIssuedAt()
    .setExpirationTime('24h')
    .sign(new TextEncoder().encode(process.env.JWT_SECRET));

Production requirement: JWT_SECRET env var is required — ~~stored~~throws infatal ~~KMS,~~error ~~never~~if ~~loaded into application memory ↓~~missing (~~KMS~~dev ~~encrypt~~fallback ~~operation)~~uses ~~Data~~process.cwd() ~~Encryption~~hash).

~~Key~~

Phase 2 upgrade path: Migrate to RS256 (~~DEK)~~RSA) —or ~~generated per record/session, encrypted by KEK ↓~~EdDSA (~~application~~Ed25519) ~~encrypt~~for ~~operation~~better —key ~~AES-256-GCM)~~rotation ~~Data~~support —and ~~encrypted~~multi-service ~~at rest, decrypted only on read DEK lifetime: - Per-session DEKs: lifetime of session - Per-record DEKs: same as record (stored encrypted alongside data) - Bulk DEKs: rotate every {{ROTATION_PERIOD}}~~ verification.

5.3 Tokenization

~~What~~Payment data: Drop uses a pass-through PSD2 model — no card numbers stored. Cards feature gated behind feature flags (all default false). When cards feature is ~~tokenized:~~activated ~~Payment~~in ~~card~~future: ~~data, bank account numbers~~ ~~Implementation:~~ ~~{{PAYMENT_PROVIDER}} handles~~PCI-compliant tokenization via partner (Marqeta/Lithic) — weDrop ~~store tokens~~stores only ~~Format-preserving~~last_four ~~encryption:~~+ ~~{{YES/NO}} — {{TOOL}} for {{USE_CASE}}~~token_ref.

6. Key Management

Full policy: key-management-policy.md

Summary

Key Type	KMS	Rotation	Owner
~~Master~~Fødselsnummer encryption ~~keys (KEKs)~~key	~~{{KMS_TOOL}}~~AWS KMS (`drop-national-id-key`)	Annual	Security team
~~Data~~Database ~~encryption~~master ~~keys (DEKs)~~key	~~Application-managed~~AWS KMS (`drop-db-master-key`)	~~Per rotation policy~~Annual	~~Engineering~~Security team
~~TLS~~KYC ~~certificates~~document key	~~cert-manager~~AWS KMS (`drop-kyc-key`)	~~90 days / 30 days~~Annual	~~Platform~~Security team
~~API~~Backup encryption key	AWS KMS — separate region	Annual	Security team
JWT signing ~~keys~~secret	~~{{KMS_TOOL}}~~AWS Secrets Manager (`JWT_SECRET`)	Quarterly	Security team
~~Backup~~BankID ~~encryption keys~~certificates	~~{{KMS_TOOL}}~~BankID ~~(separate~~Norge ~~region)~~AS CA	~~Annual~~Per BankID schedule	~~Security~~BankID ~~team~~Norge AS
TLS certificates (external)	Cloudflare / Let's Encrypt	90 days (automated)	Platform

7. Cryptographic Inventory

PhasePhase90-day Rotation:

System	Algorithm	Key Size	Mode	Key Location	~~Last Rotated~~	~~Next Rotation~~Notes
SQLite (current)	OS disk encryption	Platform	XTS	Platform	MVP only
PostgreSQL TDE (Phase 2)	AES-256	256-bit	XTS	~~Cloud~~AWS KMS `drop-db-master-key`	~~{{DATE}}~~	~~{{DATE}}~~2
~~User PII~~Fødselsnummer field encryption	AES-256-GCM	256-bit	GCM	~~App~~AWS KMS `drop-national-id-key`	~~{{DATE}}~~	~~{{DATE}}~~2 — separate key
External TLS	ECDSA P-256	256-bit	~~GCM~~—	~~cert-manager~~Cloudflare / Let's Encrypt	~~{{DATE}}~~	~~{{DATE}}~~cert
~~Internal~~JWT ~~TLS (mTLS)~~	~~Ed25519~~	~~256-bit~~	—	~~cert-manager~~	~~{{DATE}}~~	~~{{DATE}}~~
~~Password hashing~~	~~Argon2id~~	~~m=65536,t=3~~	—	~~N/A~~	~~N/A~~	~~N/A~~
~~API key hashing~~signing	HMAC-SHA-256	256-bit	—	~~App~~AWS ~~secrets~~Secrets Manager	~~{{DATE}}~~	~~{{DATE}}~~quarterly
S3Password ~~bucket encryption~~hashing	~~AES-~~bcrypt	cost=12	—	N/A	`bcryptjs` library
Session token lookup	SHA-256 ~~(SSE-KMS)~~	256-bit	—	~~Cloud~~N/A	Hash stored in sessions table
S3 backup encryption	AES-256 SSE-KMS	~~{{DATE}}~~256-bit	~~Annual~~—	AWS KMS `drop-backup-key`	Separate region

8. Algorithm Deprecation Schedule

Algorithm	Current Usage	Deprecation Date	Migration Target	~~Migration Owner~~	Status
~~RSA-2048~~SHA-256 ~~(old~~for ~~API keys)~~passwords	~~{{N}}~~REMOVED ~~keys~~(fix C4, 2026-02-13)	~~{{DATE}}~~Removed	~~RSA-4096 or Ed25519~~bcrypt(12)	~~Engineering~~	~~In progress~~
~~AES-128 ({{SYSTEM}})~~	~~{{USAGE}}~~	~~{{DATE}}~~	~~AES-256~~	~~Engineering~~	~~TODO~~DONE
bcrypt ~~cost~~→ ~~< 12~~Argon2id	~~Legacy~~All user ~~hashes~~passwords	~~{{DATE}}~~2027-Q1	Argon2id (m=65536,t=3,p=4)	~~Engineering~~	~~TODO~~Planned
~~SHA-256~~HS256 ~~(Restricted~~JWT ~~data)~~→ RS256/EdDSA	~~{{USAGE}}~~JWT signing	~~{{DATE}}~~Phase 2	~~SHA-384~~Ed25519 (EdDSA)	~~Engineering~~Planned
SQLite TDE → PostgreSQL TDE	~~TODO~~Database	Phase 2	PostgreSQL + AWS KMS	Planned

9. Exception Process

Exceptions are not permitted for: Restricted (L4) data (fødselsnummer, KYC documents) — no exceptions.

Exception request process:

Submit exception request to: ~~{{SECURITY_TEAM_EMAIL}}~~[email protected]
Required information:
- ~~System and~~system, data ~~classification~~classification, ~~affected~~
- ~~Algorithm/standard~~algorithm being ~~excepted~~excepted, ~~from~~
- ~~Business~~justification, ~~justification~~
- ~~Risk~~assessment, ~~assessment~~
- ~~Compensating~~controls, ~~controls~~
- ~~Proposed~~proposed exception duration (max 12 months)
Approval required from: CISO
Exceptions logged in: ~~{{EXCEPTION_REGISTER_LOCATION}}~~compliance register (internal)
Review: Quarterly — exceptions ~~that cannot be remediated within~~exceeding 12 months require board-level approval

Active exceptions:

System	Exception	Expiry	Compensating Controls
~~{{LEGACY_SYSTEM}}~~JWT signing (HS256)	~~TLS~~Shared-secret ~~1.2~~JWT ~~(TLS~~instead ~~1.3~~of ~~not~~asymmetric ~~supported)~~keys	~~{{DATE}}~~Phase 2	~~Isolated~~JWT_SECRET ~~network~~in ~~segment~~AWS +Secrets ~~IDS~~Manager; ~~monitoring~~short expiry (24h); session revocation table
SQLite (MVP)	Filesystem encryption only, no column-level TDE	Phase 2 migration	Full disk encryption; private network; no public DB access

Approval

Role	Name	Date
Author	Security Architect	2026-02-23
CISO
CTO
DPO (GDPR relevance)
Management