Key Management Policy

Project / Organization: ~~{{ORG_NAME}}~~ALAI Holding AS — Drop Payment App Policy Number: POL-SEC-KM-~~{{NUMBER}}~~001 Version: ~~{{VERSION}}~~1.0 Date: ~~{{DATE}}~~2026-02-23 Author: ~~{{AUTHOR}}~~Security Architect Status: Draft ~~| In Review | Approved~~ Reviewers: ~~{{REVIEWERS}}~~CISO, CTO, DPO Next Review: ~~{{REVIEW_DATE}}~~2027-02-23 Classification: Confidential — Restricted Distribution

Document History

Version	Date	Author	Changes
0.1	~~{{DATE}}~~2026-02-23	~~{{AUTHOR}}~~Security Architect	Initial draft — Drop key management for AWS KMS + Secrets Manager

1. Purpose & Scope

Purpose: This policy defines the lifecycle management requirements for all cryptographic keys and secrets used by ~~{{ORG_NAME}},~~ALAI Holding AS for the Drop payment app, including generation, distribution, storage, usage, rotation, revocation, and destruction.

Regulatory basis:

Scope: All cryptographic keys and secrets in use across:

~~All production,~~Production, staging, and development environments for Drop
~~All cloud~~AWS infrastructure ~~and~~(KMS, ~~on-premises~~Secrets ~~systems~~Manager, S3, App Runner)
All employee ~~devices~~and contractor workstations handling Confidential or Restricted data
All third-party integrations where ~~{{ORG_NAME}}~~ALAI Holding AS holds keys

Policy Owner: ~~{{CISO_NAME}}~~CISO (~~{{CISO_EMAIL}})~~[email protected]) Operational Owner: ~~{{SECURITY_TEAM}}~~Security team

2. Key Types & PurposesInventory

2.1 Complete Key Taxonomy

~~Key~~ KMS(eu-west-1)

Key ID	Type	Algorithm	Purpose	Data Classification ~~Protected~~	Owner	Storage
~~KEK-01~~`drop-national-id-key`	~~Key~~KEK ~~Encryption~~(Data ~~Key~~Encryption)	AES-~~256~~256-GCM	~~Master~~Fødselsnummer ~~key~~(national ~~for~~ID) ~~encrypting~~field ~~DEKs~~encryption	Restricted (L4)	Security team	AWS KMS (eu-north-1)
~~KEK-02~~`drop-db-master-key`	~~Key~~KEK ~~Encryption~~(Database)	AES-256 XTS	PostgreSQL TDE — Phase 2	Restricted (L4)	Security team	AWS KMS (eu-north-1)
`drop-kyc-key`	KEK (Object)	AES-256-GCM	KYC document encryption (S3 SSE-KMS)	Restricted (L4)	Security team	AWS KMS (eu-north-1)
`drop-backup-key`	KEK (Backup)	AES-256	Database ~~field-level~~backup encryption ~~master~~	Restricted (L4)	Security team
AWS
DEK-*	~~Data~~— ~~Encryption~~separate ~~Key~~	~~AES-256-GCM~~	~~Record-level data encryption~~	~~Confidential/Restricted~~	~~Application~~region
`JWT_SECRET`	Signing secret	HMAC-SHA-256	JWT session token signing	Confidential (L3)	Security team	AWS Secrets Manager
`TLS-EXT`	TLS Certificate ~~Key~~	ECDSA P-256	External HTTPS (getdrop.no)	—	~~Platform~~Cloudflare ~~team~~/ Let's Encrypt	Cloudflare managed
~~TLS-INT~~`BankID-cert`	TLS Certificate ~~Key~~	~~Ed25519~~RSA-2048	~~Internal~~BankID ~~mTLS~~Norway integration JWT verification	—	~~Platform~~BankID ~~team~~Norge AS CA	BankID managed
~~SIG-01~~	~~Signing Key~~	~~Ed25519~~	~~Code/artifact signing~~	—	~~Security team~~
~~SIG-02~~	~~Signing Key~~	~~HMAC-SHA-256~~	~~Webhook signatures~~	—	~~Engineering~~
~~AUTH-01~~	~~Auth Token Key~~	~~RSA-4096~~	~~JWT signing (RS256)~~	—	~~Security team~~
~~AUTH-02~~	~~Auth Token Key~~	~~Ed25519~~	~~JWT signing (EdDSA)~~	—	~~Security team~~
~~BACKUP-01~~	~~Backup Encryption Key~~	~~AES-256-GCM~~	~~Database backup encryption~~	~~Restricted~~	~~Security team~~
`SUMSUB-API-*KEY`	API Key	HMAC-SHA-256	~~Customer~~Sumsub KYC API authentication	Confidential (L3)	~~Engineering~~Security team	AWS Secrets Manager
~~MFA-~~`DEK-*`	~~Secret~~Data ~~Key~~Encryption Keys	~~TOTP (HMAC-SHA1/SHA256)~~AES-256-GCM	~~User~~Per-record ~~MFA~~data ~~secrets~~encryption (envelope pattern)	Restricted (L4)	Application	Generated by AWS KMS `GenerateDataKey`

2.2 Secrets Inventory (Non-KMS)

Secret Name	Purpose	Storage	Rotation
`JWT_SECRET`	JWT token signing	AWS Secrets Manager	Quarterly
`SUMSUB_SECRET_KEY`	Sumsub KYC integration	AWS Secrets Manager	Annual or on compromise
`BANKID_CLIENT_SECRET`	BankID OIDC client secret	AWS Secrets Manager	Per BankID schedule
`DATABASE_URL`	PostgreSQL connection string	AWS Secrets Manager	On DB credential rotation
`SENTRY_DSN`	Sentry error monitoring	AWS Secrets Manager	Annual

3. Key Hierarchy

AWS KMS Root of Trust (eu-north-1 primary)
    │
    ├── drop-national-id-key (AES-256-GCM — annual rotation)
    │       └── DEK-{user_id}-{timestamp}: Per-record envelope DEKs
    │               └── Encrypts: fødselsnummer field in users table
    │               └── Stored: base64(encryptedDEK || iv || tag || ciphertext)
    │
    ├── drop-db-master-key (AES-256 XTS — annual rotation)
    │       └── Encrypts: PostgreSQL database at rest (Phase 2 — AWS RDS)
    │
    ├── drop-kyc-key (AES-256-GCM — annual rotation)
    │       └── Encrypts: KYC document objects in AWS S3 (SSE-KMS)
    │
    └── AWS KMS Root of Trust (eu-west-1 — SEPARATE REGION for backups)
            └── drop-backup-key (AES-256 — annual rotation)
                    └── Encrypts: All database backup files

AWS Secrets Manager
    ├── JWT_SECRET (HMAC-SHA-256 — quarterly rotation)
    │       └── Signs: Drop JWT session tokens (HS256 via jose ^6.1.3)
    ├── SUMSUB_SECRET_KEY (API key — annual rotation)
    ├── BANKID_CLIENT_SECRET (OIDC client secret — BankID schedule)
    └── DATABASE_URL (connection string — on rotation)

Cloudflare / Let's Encrypt
    └── TLS Certificate (ECDSA P-256 — 90-day automated rotation)
            └── External HTTPS: getdrop.no

BankID Norge AS CA
    └── BankID Certificate (RSA-2048 — per BankID renewal schedule)
            └── Used for: BankID JWT signature verification

4. Key Lifecycle

3.4.1 Lifecycle Overview

flowchart LR
    GEN[Generation] -->|"Secure,AWS random"KMS CSPRNG"| DIST[Distribution]
    DIST -->|"EncryptedRuntime channel"API call\nnever in env files"| STORE[Storage]
    STORE -->|"AccessKMS / Secrets Manager\naccess controlled"| USE[Usage]
    USE -->|"Scheduled"| ROT[Rotation]
    ROT -->|"New key active"active\noverlap period"| USE
    ROT -->|"Old key retired"| ARCH[Archive / Revoke]
    ARCH -->|"End of life"| DEST[Destruction]

    REVOKE[Emergency Revocation] -->|"Compromise detected"| DEST
    USE --> REVOKE

3.4.2 Generation

Entropy requirements:

All keys MUST be generated using AWS KMS or a cryptographically secure random number generator (CSPRNG)
~~Minimum entropy: 256 bits for symmetric keys, as specified for asymmetric~~

NEVER ~~use:~~use user-supplied passphrases, timestamps, UUIDs, or predictable values as keys
NEVER generate keys in ~~userspace~~application ~~without~~code anfor ~~established~~Restricted ~~crypto~~data ~~library~~— use AWS KMS GenerateKey or GenerateDataKey

Approved key generation methods:

External

Key Type	Generation Method	Tool
Symmetric (AES-256) KMS keys	KMS `CreateKey` API	AWS KMS (FIPS 140-2 Level 3 HSMs)
Envelope DEKs	KMS `GenerateDataKey` API	AWS KMS
JWT signing secret	`crypto.randomBytes(32).toString('hex')` ~~(Node.js) /~~ `os.urandom(32)` ~~(Python)~~	OSNode.js CSPRNG
~~Asymmetric~~TLS ~~(Ed25519)~~certificates	`opensslACME genpkey -algorithm ed25519`protocol	~~OpenSSL~~Cloudflare ~~1.1.1+~~/ Let's Encrypt
~~Asymmetric~~BankID ~~(ECDSA P-256)~~certificates	`opensslBankID ecparamNorge -nameAS prime256v1 -genkey`CA	~~OpenSSL~~
~~RSA-4096~~	`openssl genrsa -aes256 4096`	~~OpenSSL~~
~~KMS-managed~~	~~KMS GenerateKey API~~	~~Cloud KMS~~
~~HSM-managed~~	~~HSM key generation~~	~~{{HSM_PROVIDER}}~~CA

Generation environment:

~~Keys~~All KMS-managed keys for Restricted data: ~~MUST be~~ generated within AWS KMS ~~or HSM~~HSMs — key material never leaves AWS

JWT_SECRET: generated using crypto.randomBytes(32) then stored in ~~application~~AWS ~~code~~

Secrets

~~Keys for Confidential data: MAY be generated in application code using OS CSPRNG~~Manager
All key generation events ~~MUST~~logged bein ~~logged~~AWS CloudTrail

3.4.3 Distribution

Principles:

Never transmit keys in plaintext over any channel
Never include keys in source code, ~~configuration~~.env files committed to Git, configuration files in VCS, or ~~logs~~log output
Never send keys via email, Slack, or any messaging platform
Always ~~use~~fetch ~~encrypted~~secrets ~~channels~~at ~~with~~application ~~mutual~~runtime ~~authentication~~from ~~for~~AWS ~~key~~Secrets ~~distribution~~Manager or KMS API

Distribution methods:

~~never~~

Scenario	Method	Notes
Application runtime ~~keys~~secrets (JWT_SECRET)	~~Cloud KMS API /~~AWS Secrets Manager API at startup	~~Keys~~Fatal ~~fetched~~error atif ~~runtime~~JWT_SECRET —missing
Envelope DEK generation	AWS KMS `GenerateDataKey` per encryption operation	Key material decrypted in ~~environment~~memory ~~files~~only
Developer access to ~~secrets~~	~~HashiCorp Vault / cloud~~non-production secrets	~~Role-based~~AWS ~~access~~IAM ~~with~~role + MFA	Least privilege
CI/CD pipeline secrets	CIGitHub ~~platform~~Actions encrypted secrets (~~encrypted~~scoped atto ~~rest)~~repo)	~~Scoped to pipeline, rotated~~Rotated per project
~~Cross-system~~BankID ~~key~~client ~~sharing~~secret	~~KMS~~AWS ~~key~~Secrets ~~policies (no key material exchange)~~Manager	~~Grant~~Fetched ~~access~~at ~~to KMS key, not key itself~~
~~Emergency key recovery~~	~~{{ESCROW_PROCESS}}~~	~~Requires dual approval — see §8~~runtime

3.4.4 Storage

Storage ~~hierarchy:~~hierarchy for Drop:

Level 1 — HSMAWS KMS HSMs (HardwareFIPS Security140-2 Module)Level 3)
  ├── Master keysdrop-national-id-key (KEKs)fødselsnummer forencryption)
  Restricted├── datadrop-db-master-key (database TDE — Phase 2)
  ├── drop-kyc-key (KYC document S3 encryption)
  └── Rootdrop-backup-key CA(backup privateencryption keys— eu-west-1)

Level 2 — Cloud KMS (AWS KMSSecrets / Azure Key Vault / GCP Cloud KMS)Manager
  ├── KeyJWT_SECRET Encryption(HMAC Keyssigning for Confidential datakey)
  ├── ServiceSUMSUB_SECRET_KEY signing(API keyskey)
  ├── BANKID_CLIENT_SECRET (OIDC secret)
  └── EncryptedDATABASE_URL DEK(connection storagestring)

Level 3 — Secrets Manager (HashiCorp Vault / AWS Secrets Manager)
  ├── Application secrets (DB passwords, API keys)
  ├── TLS certificate private keys
  └── Derived symmetric keys (encrypted by Level 2 keys)

Level 4 — Application memory (ephemeral only)
  ├── DEKsDecrypted DEK during active useencryption/decryption operation
  └── Decrypted secretsJWT_SECRET during operationtoken Note:signing/verification
  NOTE: NEVER persist Level 43 to disk

Prohibited storage locations:

Source code or config files in ~~VCS~~Git (.env, config.ts, secrets.json)
Application logs or error messages (Sentry, BetterStack)
Unencrypted database columns ~~(for Restricted data)~~
Email attachments or ~~messaging~~Slack ~~platforms~~

~~Shared drives or unencrypted file shares~~messages
Browser localStorage or sessionStorage
~~Environment~~Container ~~variables~~image inlayers ~~container~~(Dockerfile, ~~images~~.dockerignore exclusions not sufficient)

3.4.5 Usage

Access control principles:

Principle	Implementation
Least privilege	~~Keys~~KMS ~~scoped~~key topolicies: ~~minimum~~encrypt-only ~~necessary~~for ~~operations (encrypt-only,~~application, decrypt-~~only,~~only ~~sign-only)~~for compliance function
Separation of duties	Nokey-admin ~~single~~cannot ~~person~~perform ~~can~~decryption; ~~generate~~application +service ~~approve~~cannot +create ~~deploy a key~~keys
Key purpose binding	~~Encryption keys NOT~~`drop-national-id-key` used ~~for signing; signing keys NOT used~~only for national ID encryption — not for other purposes
Audit all access	Every ~~KMS/HSM~~KMS operation logged ~~with~~in ~~actor~~AWS ~~identity~~CloudTrail — actor, key ID, operation, timestamp
Time-bound access	~~Temporary~~IAM ~~access~~role assumption with time-bound session tokens ~~for key operations — not persistent permissions~~

~~Key~~KMS ~~usage~~key ~~audit~~policy ~~requirements:~~roles:

~~All~~

~~logged:~~

~~actor,~~

~~operation,~~

~~key~~

~~ID,~~

~~Logs~~

~~shipped~~

~~SIEM~~

~~within~~

~~patterns~~

IAM Role	Permissions	MFA Required
`drop-key-admin`	CreateKey, ScheduleKeyDeletion, RotateKey — NO Decrypt	YES
`drop-app-encrypt`	`kms:Encrypt`, `kms:GenerateDataKey`	No (service account)
`drop-compliance-decrypt`	`kms:Decrypt` for `drop-national-id-key` ~~operations~~only	YES
`drop-key-auditor`	`kms:ListKeys`, ~~timestamp,~~`kms:DescribeKey`, ~~source~~CloudTrail IPread	YES
`drop-app-runner`	`kms:GenerateDataKey`, 1`kms:Decrypt` ~~minute~~(scoped ~~Unusual~~per ~~access~~key)	No ~~alert~~(IAM ~~within~~role, 5VPC ~~minutes~~constraint)

3.4.6 Rotation Schedule

~~encryption~~

~~DEKs~~

Key ~~Type~~	Rotation Period	Method	Owner	Alert if Overdue
~~KEK (Master keys)~~`drop-national-id-key`	Annual	~~Manual~~AWS +KMS ~~dual~~automatic ~~approval~~key rotation	Security team	Yes — 7 days overdue
~~Database~~`drop-db-master-key`	Annual	AWS KMS automatic key rotation	Security team	Yes — 7 days overdue
`drop-kyc-key`	Annual	AWS KMS automatic key rotation	Security team	Yes — 7 days overdue
`drop-backup-key`	Annual	Manual + AWS KMS rotation	Security team	Yes — 7 days overdue
`JWT_SECRET`	Quarterly	~~Automated~~Manual ~~(key~~— ~~rotation~~generate ~~API)~~new, deploy, rotate	~~Platform~~Security team	Yes — 3 days overdue
TLS ~~certificates~~certificate (~~external)~~getdrop.no)	90 days	Automated (~~cert-manager~~Cloudflare +/ ~~ACME)~~Let's Encrypt)	Platform	Yes — 14 days ~~overdue~~before expiry
~~TLS~~BankID ~~certificates (internal)~~certificate	30Per ~~days~~BankID schedule	~~Automated~~Manual ~~(cert-manager)~~— BankID renewal process	~~Platform~~Security team	Calendar reminder
`SUMSUB_SECRET_KEY`	Annual or on compromise	Manual via Sumsub dashboard	Security team	Yes — 7 days overdue
~~JWT signing keys~~	~~Quarterly~~	~~Automated with overlap period~~	~~Security~~	~~Yes — 3 days overdue~~
~~API signing keys (webhooks)~~	~~Quarterly~~	~~Automated~~	~~Engineering~~	~~Yes — 3 days overdue~~
~~Backup encryption keys~~	~~Annual~~	~~Manual + dual approval~~	~~Security~~	~~Yes — 7 days overdue~~
~~Customer API keys~~	~~On customer request OR 2 years~~	~~Self-service portal~~	~~Customer~~	~~Notify customer 30 days before~~
~~MFA secrets~~	~~On user request or suspected compromise~~	~~Self-service~~	~~User~~	~~N/A~~

~~Rotation~~JWT_SECRET rotation overlap ~~period:~~procedure:

~~Old~~

~~key~~

Generate ~~remains~~new ~~valid~~JWT_SECRET value

Deploy new secret to AWS Secrets Manager

Rolling deploy of Drop app (picks up new secret)

Wait for ~~{{OVERLAP_PERIOD}}~~all ~~after~~existing sessions to expire (max 24h — JWT expiry)

All sessions issued with old secret are now invalid (users re-authenticate)

Delete old secret version from Secrets Manager

AWS KMS automatic rotation: When enabled, AWS KMS generates new key ~~activation~~material toannually ~~allow~~while ~~in-flight~~retaining ~~operations~~all toprior ~~complete.~~

versions

~~Key~~for ~~rotation~~decryption ~~monitoring~~of ~~dashboard:~~existing ~~{{DASHBOARD_URL}}~~ciphertext. Re-encryption of existing data is required when performing cryptographic erasure (GDPR Art. 17).

3.4.7 Revocation Procedures

Trigger conditions for immediate revocation:

Known or suspected key compromise (e.g., key material logged, unauthorized access)
Employee departure ~~(for~~with ~~keys~~access into ~~personal~~key ~~custody)~~management IAM roles
System compromise where key was in use
Legal hold or regulatory requirement
~~Customer~~Detection ~~request~~of ~~(for~~unauthorized ~~customer~~decryption ~~API~~activity ~~keys)~~in CloudTrail logs

Emergency revocation procedure (< 1 hour):

Step 1: Alert Security Lead immediately via #security-incident Slack channel
Step 2: Identify allscope systems— usingwhich thedata was accessible with compromised key?
Step 3: AWS KMS: Disable compromised key (prevents new encrypt/decrypt)
Step 3:4: Generate replacement key (seevia §3.2)KMS CreateKey
Step 4:5: KMS:Re-encrypt Disable/revokeall data protected by compromised key Step(priority: 5:Restricted Deploy new key to all systems (use zero-downtime rotation)first)
Step 6: Update KMS key references in application configuration
Step 7: Deploy updated application configuration
Step 8: Verify all systems using new key
Step 7:9: Audit forCloudTrail: unauthorizedWhat usagedecrypt ofoperations used the compromised key in last 30 days?
Step 8:10: Assess breach notification requirement (see data-breach-response-plan.md §5)
Step 11: Document in incident log
Step 9:12: Post-mortem within 48 hours

~~Certificate~~JWT_SECRET ~~revocation:~~emergency rotation (session compromise):

Step Immediately1: uponGenerate compromise:new RevokeJWT_SECRET viaimmediately
CAStep and2: pushDeploy CRLto update
AWS OCSPSecrets response:Manager
MustStep reflect3: revocationRolling withindeploy {{OCSP_UPDATE_TIME}}
Drop Notifyapplication — all certificatein-flight consumers
sessions

invalidated
Step 4: All users must re-authenticate (acceptable security impact)
Step 5: Document in incident log

3.4.8 Destruction

When destruction is required:

Key has been rotated out and overlap period expired
~~System~~(KMS: ~~decommissioned~~schedule deletion with 30-day waiting period)
Crypto-~~shredding~~shredding: ~~(delete~~deleting ~~encrypted~~user data by destroying ~~its~~the envelope DEK encrypted under drop-national-id-key — (GDPR ~~erasure)~~Art. 17 erasure mechanism)

System decommissioned

Destruction methods:

decryption

Key Location	Destruction Method	Verification
~~HSM~~AWS KMS key	~~HSM secure erase command~~	~~HSM audit log~~
~~Cloud KMS~~	~~KMS scheduled key deletion~~`ScheduleKeyDeletion` (~~min~~ 7-30 day waiting period)	KMS + CloudTrail audit log
AWS Secrets Manager	~~Delete~~`DeleteSecret` ~~secret~~(7-30 +day ~~verify~~waiting period)	~~Audit~~Secrets Manager audit log
Application memory (DEK)	~~Explicitly~~Garbage ~~zero memory~~collection (`memset`/`SecureZeroMemory`)JavaScript — no explicit zeroing in V8 engine)	~~Code~~Process ~~review~~termination
~~Local~~Envelope ~~file~~DEK in database	~~Secure~~Delete ~~delete~~encrypted (`shredDEK -vzu` / `sdelete`)field	~~Hash~~Verify ~~verification~~
~~Backup media~~	~~Physical destruction + certificate~~	~~Destruction certificate~~fails

~~Verification:~~Crypto-shredding for GDPR erasure (Art. 17): ~~Key~~When ~~destruction~~a ~~must~~user berequests ~~verified~~account —deletion:

~~check~~

The envelope DEK for that ~~decryption~~user's ~~with~~fødselsnummer ~~destroyed~~is ~~key~~deleted ~~fails.~~
from
~~Destruction~~the ~~log:~~database

~~Every~~

The ~~key destruction event recorded in {{KEY_DESTRUCTION_LOG_LOCATION}}~~

4. Key Hierarchy

Root of Trust: HSM / Cloud KMS Root
    │
    ├── KEK-01: Database Encryption Master Keyciphertext (annualfødselsnummer) rotation)becomes │permanently ├──unreadable


DEK-DB-{ID}:AML Per-tableretention: encryptiontransaction keyrecords (quarterlyretained rotation)5 │years │but └──user's Encrypts:fødselsnummer Databaseis field-levelunrecoverable
PII
    │       └── DEK-BACKUP-{ID}: Backup encryption key (annual rotation)
    │               └── Encrypts: Database backup files
    │
    ├── KEK-02: Application Secrets Master Key (annual rotation)
    │       ├── DEK-MFA-{ID}: MFA secret encryption key
    │       │       └── Encrypts: User TOTP secrets in database
    │       └── DEK-APIKEY-{ID}: API key material encryption
    │               └── Encrypts: API key secrets in database
    │
    ├── TLS Root CA (10-year validity)
    │       ├── Intermediate CA (2-year validity)
    │       │       ├── External TLS Certificates (90-day)
    │       │       └── Internal mTLS Certificates (30-day)
    │       └── Code Signing CA
    │               └── Release Signing Certificates (1-year)
    │
    └── JWT Signing Keys (Ed25519, quarterly rotation)
            └── Signs: JWT access + refresh tokens

5. Key Management System

Primary KMS: ~~{{KMS_TOOL}}~~AWS KMS (~~e.g.,~~eu-north-1 — Stockholm region) Backup KMS for backups: AWS ~~KMS,~~KMS ~~Azure~~(eu-west-1 ~~Key~~— ~~Vault,~~Ireland) ~~HashiCorp~~for ~~Vault)~~drop-backup-key only ~~Secondary/Backup~~Secrets ~~KMS:~~management: ~~{{SECONDARY_KMS}}~~AWS Secrets Manager (~~separate region/provider)~~ ~~HSM:~~ ~~{{HSM_PROVIDER}} (for highest-classification keys)~~eu-north-1)

Multi-region note: KMS ~~access~~keys ~~control:~~

are

single-region

default.

drop-backup-key

separate

that

outage

does

not

backup

~~Role~~	~~Permissions~~	~~MFA~~intentionally ~~Required~~
`key-admin`	~~Create, rotate, schedule deletion — NO decrypt~~	~~YES~~
`key-user-encrypt`	~~Encrypt only~~	~~YES~~
`key-user-decrypt`	~~Decrypt only~~	~~YES~~
`key-auditor`	~~List, describe, view audit logs — NO cryptographic ops~~	~~YES~~
~~CI/CD pipeline~~	~~Encrypt only~~region (~~specific~~eu-west-1) ~~key~~so ~~IDs)~~	~~N/A~~a ~~(service~~regional ~~account)~~
~~Application~~prevent ~~service~~	~~Encrypt + Decrypt (specific key IDs, specific operations)~~	~~N/A (service account + VPC constraint)~~

restoration.

6. Access Controls for Key Operations

Separation of duties requirements:

Operation	Required Roles	Approval Process
Create new ~~KEK~~KMS key	~~Security Lead~~`drop-key-admin` + CISO approval	~~Dual approval via KMS~~AWS IAM + ticket
Rotate ~~KEK~~KMS key (manual)	~~Security Lead~~`drop-key-admin` (proposer) + CISO (approver)	Dual approval via IAM policy
Emergency ~~revocation~~key disable	Security Lead (any ~~one of)~~one)	Single ~~with~~— immediate incident ticket required
~~Destroy~~Schedule key deletion	~~Security Lead~~`drop-key-admin` + CISO ~~+ Legal (if litigation hold)~~	~~Triple~~Dual approval — minimum 7-day waiting period
Grant new service access to key	Security Lead + system owner	~~Peer~~IAM PR review + approval
Rotate JWT_SECRET	Security Lead	Single — with deployment coordination

7. Key Escrow & Recovery

~~Escrow policy:~~ ~~KEKs and backup encryption keys must be escrowed.~~

~~Escrow process:~~

~~Key generated in KMS/HSM~~

~~Key material exported (encrypted under escrow master key) — only where KMS allows export~~

~~Exported material split into {{N}} shares using Shamir's Secret Sharing (requires {{K}} of {{N}} shares to reconstruct)~~

~~Shares distributed to: {{SHARE_HOLDER_1}}, {{SHARE_HOLDER_2}}, {{SHARE_HOLDER_3}}~~

~~Share holders store in secure location (safe deposit box or equivalent)~~

~~Quarterly: Verify shares exist and holders still accessible~~

~~Recovery procedure (requires {{K}} share holders):~~

~~Incident Commander opens emergency key recovery ticket~~

~~{{K}} share holders convene (in person or secure video call)~~

~~Shares combined to reconstruct key material~~

~~Key imported into KMS~~

~~Full event logged and post-mortem required~~

~~Note:~~ ~~For cloud KMS-only keys that cannot be exported: Rely on KMS redundancy (multi-region replication) — no separate escrow needed.~~

8. Audit Logging for Key Operations

All key operations ~~logged,~~logged in AWS CloudTrail, including:

Key ~~generation~~creation (actor, key ID, key type, timestamp)
~~Key encryption/~~Encryption/decryption (actor, key ID, ~~data~~ context, timestamp)
Key rotation (actor, old key ~~ID,~~version, new key ~~ID,~~version, timestamp)
Key ~~revocation~~disabling / deletion scheduling (actor, key ID, reason, ~~timestamp)~~

~~Key destruction (actor, key ID, verification hash,~~ timestamp)
Access grant/revoke (actor, grantee, key ID, permissions, timestamp)
Failed access attempts (actor, key ID, reason, timestamp)

Log destination: ~~{{SIEM_TOOL}}~~AWS —CloudTrail → S3 (immutable, append-~~only~~only) + BetterStack aggregation Log retention: 25 years (~~PCI-DSS)~~AML /compliance ~~3 years (SOC 2)~~minimum — ~~whichever~~Hvitvaskingsloven is§ ~~longer~~30) Alert on:

~~Unusual~~

~~access~~

Decrypt ~~volume,~~operations ~~off-hours~~by ~~access~~unexpected toIAM ~~KEKs,~~role

~~failed~~

Failed KMS access attempts > 3 in 5 minutes

Off-hours access to drop-national-id-key or drop-kyc-key

Any ScheduleKeyDeletion event (immediate alert)

8. Fødselsnummer Field Encryption — Implementation Pattern

Key: drop-national-id-key (AWS KMS — separate from database master key) Stored: Only AES-256-GCM ciphertext — never plaintext fødselsnummer in database

// Envelope encryption for fødselsnummer — src/drop-app/src/lib/encrypt.ts (Phase 2)
// Key: drop-national-id-key (AWS KMS — separate from db master)
// Stored: base64(encryptedDEK || iv || tag || ciphertext)

async function encryptNationalId(fodselsnummer: string): Promise<string> {
    const iv = crypto.randomBytes(12);  // 96-bit random IV — never reused
    const dek = await kmsClient.generateDataKey({
        KeyId: process.env.NATIONAL_ID_KEY_ARN,
        KeySpec: 'AES_256'
    });
    const cipher = crypto.createCipheriv('aes-256-gcm', dek.Plaintext, iv);
    const ciphertext = Buffer.concat([cipher.update(fodselsnummer, 'utf8'), cipher.final()]);
    const tag = cipher.getAuthTag();
    // Securely zero DEK plaintext from memory after use
    dek.Plaintext.fill(0);
    // Return: base64(encryptedDEK || iv || tag || ciphertext)
    return Buffer.concat([dek.CiphertextBlob, iv, tag, ciphertext]).toString('base64');
}

async function decryptNationalId(encrypted: string): Promise<string> {
    const buf = Buffer.from(encrypted, 'base64');
    // AWS KMS CiphertextBlob is always 184 bytes for AES_256 DEK
    const encryptedDek = buf.subarray(0, 184);
    const iv = buf.subarray(184, 196);          // 12 bytes
    const tag = buf.subarray(196, 212);          // 16 bytes
    const ciphertext = buf.subarray(212);
    const dek = await kmsClient.decrypt({ CiphertextBlob: encryptedDek });
    const decipher = crypto.createDecipheriv('aes-256-gcm', dek.Plaintext, iv);
    decipher.setAuthTag(tag);
    const plaintext = decipher.update(ciphertext) + decipher.final('utf8');
    dek.Plaintext.fill(0);
    return plaintext;
}

Access restriction: Only the Compliance function (KYC verification, AML reporting) has IAM access to drop-compliance-decrypt role. Application code cannot decrypt fødselsnummer except during explicit compliance workflows.

9. ComplianceException MappingProcess

Exceptions are not permitted for: Restricted (L4) data (fødselsnummer, KYC documents) — no exceptions to field-level encryption requirement.

Exception request process:

Submit request to: [email protected]

Required: system, data classification, key being excepted, business justification, risk assessment, compensating controls, proposed exception duration (max 12 months)

Approval required from: CISO

Exceptions logged in: compliance register

Review: Quarterly — exceptions exceeding 12 months require board-level approval

Active exceptions:

~~KMS~~

encryption;

public

~~Requirement~~System	~~Standard~~Exception	~~Control~~Expiry	Compensating Controls
~~Encryption~~JWT ~~key~~signing ~~management~~(HS256 shared secret)	~~PCI-DSS~~Shared-secret ~~Req.~~JWT ~~3.7~~instead of asymmetric RS256/EdDSA	~~This~~Phase ~~policy~~2 +migration	JWT_SECRET ~~implementation~~in AWS Secrets Manager; 24h session expiry; server-side revocation table
~~Cryptographic~~SQLite ~~key~~MVP ~~protection~~(no column-level TDE)	~~PCI-DSS~~Filesystem ~~Req.~~encryption ~~3.7.1~~only, no PostgreSQL TDE	~~HSM~~Phase ~~for~~2 ~~KEKs + KMS for DEKs~~
~~Key custodian documentation~~migration	~~PCI-DSS~~Full ~~Req.~~disk ~~3.7.2~~	~~Key~~private ~~inventory~~network; ~~table~~no ~~(§2)~~
~~Key rotation~~	~~PCI-DSS Req. 3.7.4~~	~~Rotation schedule (§3.6)~~
~~Retired key replacement~~	~~PCI-DSS Req. 3.7.5~~	~~Rotation + revocation procedures~~
~~Split knowledge~~	~~PCI-DSS Req. 3.7.6~~	~~Shamir's Secret Sharing (§7)~~
~~Key destruction~~	~~PCI-DSS Req. 3.7.7~~	~~Destruction procedures (§3.8)~~
~~Access controls~~	~~SOC 2 CC6.1~~	~~Access controls table (§6)~~
~~Cryptographic controls~~	~~ISO 27001 A.10~~	~~This entire policy~~
~~Personal data encryption~~	~~GDPR Art. 32~~	~~See data-encryption-policy.md~~access

10. Emergency Procedures — Key Compromise

Immediate response checklist (execute within 1 hour of suspected compromise):

□ Activate incident response:response #incident-key-compromise-{{DATE}}— □ Notify:notify: Security Lead + CISO + Engineering LeadCTO
□ Identify scope: Which data was accessible with compromised key?
□ RevokeAWS KMS: Disable compromised key immediately
□ For JWT_SECRET compromise: rotate immediately (seeall §3.7)sessions invalidated)
□ Generate new replacement key
□ Re-encrypt all data that was protected by compromised key □(Restricted Rotatedata all derived keys that used compromised key as sourcefirst)
□ Audit logs:CloudTrail: What was decrypted using the compromised key in the pastlast 30 days?
□ Assess if breach notification requiredrequirement (see data-breach-response-plan.md §5)
   → GDPR Art. 33 / Personopplysningsloven § 32: 72h to Datatilsynet if personal data affected
   → Finanstilsynet notification if payment data affected
□ Document everything in incident log
□ Post-mortem within 48 hours

Re-encryption ~~priority order:~~priority:

~~Most sensitive data first~~Fødselsnummer (drop-national-id-key) — Restricted →(L4), ~~Confidential~~highest ~~→ Internal)~~priority
~~Most~~KYC ~~recently accessed data first~~documents (~~likely~~drop-kyc-key) to— ~~have~~Restricted ~~been targeted)~~(L4)
~~Oldest~~Database ~~data~~backup ~~last~~files (~~historical~~drop-backup-key) ~~data,~~— ~~lower~~Restricted ~~immediate~~(L4)

~~risk)~~

Database master (drop-db-master-key) — Phase 2

~~Estimated re-encryption time for {{N}} records:~~ ~~{{ESTIMATE}} — plan for {{ESTIMATE × SAFETY_FACTOR}}~~

Approval

Role	Name	Date
Author	Security Architect	2026-02-23
CISO
CTO
DPO (~~compliance~~GDPR relevance)
Management