Key Management Policy

Project / Organization: ALAI Holding AS — Drop Payment App Policy Number: POL-SEC-KM-001 Version: 1.0 Date: 2026-02-23 Author: ~~ALAI~~ Security ~~Team~~Architect Status: Draft Reviewers: CISO, CTO, DPO Next Review: 2027-02-23 ~~(annual) or after Phase 2 AWS KMS integration~~ Classification: Confidential — Restricted Distribution

Document History

Version	Date	Author	Changes
0.1	2026-02-12	~~Security Agent (ALAI)~~	~~Initial standards from security audit~~
~~1.0~~	~~2026-02-~~23	Security Architect ~~(ALAI)~~	~~Policy~~Initial ~~document~~draft — Drop key management for AWS KMS + Secrets Manager

~~Sources:~~ legal/ikt-sikkerhetspolicy.md §6.3, docs/SECURITY-COMPLIANCE/data-encryption-policy.md, security/security-hardening-implementation.md

1. Purpose & Scope

Purpose: This policy defines the lifecycle management requirements for all cryptographic keys and secrets used by ALAI Holding AS infor the Drop payment ~~application.~~app, ~~Drop~~including ~~processes~~generation, ~~regulated~~distribution, ~~financial~~storage, ~~data~~usage, ~~(fødselsnummer,~~rotation, ~~bank~~revocation, ~~accounts,~~and ~~transaction~~destruction.

~~data,~~

Regulatory ~~AML~~basis:

~~records)~~

Scope: All cryptographic keys and secrets in use across:

Production, staging, and development environments for Drop

AWS infrastructure (KMS, Secrets Manager, S3, App Runner)
All ~~cloud~~employee ~~infrastructure~~and ~~(AWS — EEA regions, Phase 2+)~~

~~All developer~~contractor workstations handling Confidential or Restricted data
All third-party integrations where ALAI Holding AS holds ~~keys (Sumsub, Neonomics, Swan, BankID)~~

~~JWT signing keys, database encryption keys, TLS certificate private keys, API authentication~~ keys

Policy Owner: ~~Alem Bašić,~~ CISO (~~alem@alai.~~security@getdrop.no) Operational Owner: ~~ALAI Platform/~~Security team

2. Key Types & PurposesInventory

2.1 CurrentComplete MVPKey KeysTaxonomy

~~var~~

Key ID	Type	Algorithm	Purpose	Data Classification ~~Protected~~	~~Location~~Owner	Storage
~~JWT-01~~`drop-national-id-key`	~~JWT Signing Key~~KEK	~~HMAC-SHA-256 (HS256)~~AES-256-GCM	~~Sign~~Foedselsnummer ~~and~~field ~~verify JWT session tokens~~encryption	~~All~~Restricted ~~user data~~(L4)	`JWT_SECRET`Security ~~env~~team	AWS KMS (eu-north-1)
`drop-db-master-key`	KEK (Database)	AES-256 XTS	PostgreSQL TDE — Phase 2	Restricted (L4)	Security team	AWS KMS (eu-north-1)
`drop-kyc-key`	KEK (Object)	AES-256-GCM	KYC document encryption (S3 SSE-KMS)	Restricted (L4)	Security team	AWS KMS (eu-north-1)
`drop-backup-key`	KEK (Backup)	AES-256	Database backup encryption	Restricted (L4)	Security team	AWS KMS (eu-west-1) — separate region
`JWT_SECRET`	Signing secret	HMAC-SHA-256	JWT session token signing (HS256)	Confidential (L3)	Security team	AWS Secrets Manager
`TLS-EXT`	TLS Certificate ~~Key~~	ECDSA P-256	External HTTPS (getdrop.no)	~~All transit data~~—	~~Hosting~~Cloudflare ~~provider~~/ Let's Encrypt	Cloudflare managed
~~SUMSUB-01~~`BankID-cert`	~~Webhook~~TLS ~~HMAC Key~~Certificate	~~HMAC-SHA-256~~RSA-2048	~~Verify~~BankID ~~Sumsub~~Norway ~~KYC~~JWT ~~webhooks~~signature verification	~~KYC data integrity~~—	`SUMSUB_WEBHOOK_SECRET`BankID ~~env~~Norge ~~var~~AS CA	BankID managed
~~SENTRY-01~~`SUMSUB-API-KEY`	~~DSN Token~~	~~Bearer token~~	~~Sentry error reporting~~	~~Error data~~	`SENTRY_DSN` ~~env var~~

2.2 Phase 2 Target Keys (AWS KMS)

~~Key ID~~	~~Type~~	~~Algorithm~~	~~Purpose~~	~~Classification Protected~~	~~Owner~~
~~KEK-01~~	~~Key Encryption Key~~	~~AES-256~~	~~Master key for database DEKs~~	~~Restricted~~	~~Security team~~
~~KEK-02~~	~~Key Encryption Key~~	~~AES-256~~	~~Fødselsnummer encryption master~~	~~Restricted (L4)~~	~~Security team~~
DEK-PII-*	~~Data Encryption Key~~	~~AES-256-GCM~~	~~Per-record PII field encryption~~	~~Confidential/Restricted~~	~~Application~~
DEK-FNR-*	~~Data Encryption Key~~	~~AES-256-GCM~~	~~Fødselsnummer field encryption~~	~~Restricted~~	~~Application~~
~~TLS-EXT~~	~~TLS Certificate Key~~	~~ECDSA P-256~~	~~External HTTPS~~	—	~~Platform team~~
~~TLS-INT~~	~~TLS Certificate Key~~	~~Ed25519~~	~~Internal mTLS (Phase 3)~~	—	~~Platform team~~
~~JWT-02~~	~~JWT Signing Key~~	~~RS256 (RSA-4096) or EdDSA~~	~~Asymmetric JWT signing~~	—	~~Security team~~
~~BACKUP-01~~	~~Backup Encryption Key~~	~~AES-256-GCM~~	~~Database backup encryption~~	~~Restricted~~	~~Security team~~
~~SUMSUB-01~~	~~Webhook HMAC~~API Key	HMAC-SHA-256	Sumsub ~~webhook~~KYC ~~verification~~API authentication	~~KYC~~Confidential ~~data integrity~~(L3)	~~Engineering~~Security team	AWS Secrets Manager
~~NEONOMICS-01~~`DEK-*`	~~OAuth~~Data ~~Client~~Encryption ~~Secret~~Keys	~~HMAC-SHA-256~~AES-256-GCM	~~PSD2~~Per-record ~~API~~envelope ~~authentication~~DEKs	—Restricted (L4)	~~Engineering~~Application	Generated by AWS KMS `GenerateDataKey`

2.2 Secrets Inventory (AWS Secrets Manager)

Secret Name	Purpose	Rotation
`JWT_SECRET`	JWT token signing	Quarterly
~~SWAN-01~~`SUMSUB_SECRET_KEY`	~~OAuth~~Sumsub ~~Client~~KYC ~~Secret~~integration	~~HMAC-SHA-256~~Annual or on compromise
`BANKID_CLIENT_SECRET`	~~Swan~~BankID ~~banking~~OIDC ~~API~~client secret	—Per BankID schedule
`DATABASE_URL`	~~Engineering~~PostgreSQL connection string	On DB credential rotation
`SENTRY_DSN`	Sentry error monitoring	Annual

3. Key Hierarchy

AWS KMS Root of Trust (eu-north-1 primary — Stockholm)
    |
    +-- drop-national-id-key (AES-256-GCM — annual rotation)
    |       +-- DEK-{user_id}-{timestamp}: Per-record envelope DEKs
    |               +-- Encrypts: foedselsnummer field in users table
    |               +-- Stored: base64(encryptedDEK || iv || tag || ciphertext)
    |
    +-- drop-db-master-key (AES-256 XTS — annual rotation)
    |       +-- Encrypts: PostgreSQL database at rest (Phase 2 — AWS RDS)
    |
    +-- drop-kyc-key (AES-256-GCM — annual rotation)
    |       +-- Encrypts: KYC document objects in AWS S3 (SSE-KMS)
    |
    +-- AWS KMS Root of Trust (eu-west-1 — SEPARATE REGION)
            +-- drop-backup-key (AES-256 — annual rotation)
                    +-- Encrypts: All database backup files

AWS Secrets Manager (eu-north-1)
    +-- JWT_SECRET (HMAC-SHA-256 — quarterly rotation)
    |       +-- Signs: Drop JWT session tokens (HS256 via jose ^6.1.3)
    +-- SUMSUB_SECRET_KEY (API key — annual)
    +-- BANKID_CLIENT_SECRET (OIDC client secret)
    +-- DATABASE_URL (connection string)

Cloudflare / Let's Encrypt
    +-- TLS Certificate (ECDSA P-256 — 90-day automated rotation)
            +-- External HTTPS: getdrop.no

BankID Norge AS CA
    +-- BankID Certificate (RSA-2048 — per BankID renewal schedule)
            +-- Used for: BankID JWT signature verification (Phase 2)

4. Key Lifecycle

3.4.1 Lifecycle Overview

Generationflowchart (CSPRNGLR
    /GEN[Generation] -->|"AWS KMS /CSPRNG"| HSM)DIST[Distribution]
    ↓DIST Distribution-->|"Runtime (encryptedAPI channelcall\nnever onlyin —env neverfiles"| plaintext)STORE[Storage]
    ↓STORE Storage (-->|"KMS / Secrets ManagerManager\naccess controlled"| USE[Usage]
    USE -->|"Scheduled"| ROT[Rotation]
    ROT -->|"New key active\noverlap period"| USE
    ROT -->|"Old key retired"| ARCH[Archive / envRevoke]
    varARCH —-->|"End neverof inlife"| code)DEST[Destruction]

    ↓REVOKE[Emergency UsageRevocation] (access-->|"Compromise controlled,detected"| allDEST
    operationsUSE logged)--> ↓
Rotation (scheduled — see §3.6)
    ↓
Revocation (on compromise — immediate)
    ↓
Destruction (secure erase — verified)REVOKE

3.4.2 Generation

Entropy requirements:

All keys MUST be generated using AWS KMS or a ~~cryptographically secure random number generator (CSPRNG)~~

~~Minimum entropy: 256 bits for symmetric keys~~CSPRNG
NEVER ~~use: timestamps, UUIDs,~~use user-supplied passphrases, timestamps, UUIDs, or predictable values as keys
NEVER generate ~~Restricted (L4)~~ keys in application code for Restricted data — use AWS KMS GenerateKey ~~API~~or GenerateDataKey

Approved key generation methods:

(

Key Type	Generation Method	~~Notes~~Tool
Symmetric (AES-256) KMS keys	KMS `CreateKey` API	AWS KMS (FIPS 140-2 Level 3 HSMs)
Envelope DEKs	KMS `GenerateDataKey` API	AWS KMS
JWT signing secret ~~(HS256)~~	`crypto.randomBytes(32).toString('hex')`	Node.js ~~OS CSPRNG)~~	~~256-bit~~CSPRNG
~~AES-256~~TLS ~~DEK~~certificates	`crypto.randomBytes(32)`ACME protocol	~~256-bit~~Cloudflare / Let's Encrypt
~~ECDSA~~BankID ~~P-256~~certificates	`opensslBankID ecparamNorge -nameAS prime256v1 -genkey -noout`CA	~~TLS~~External ~~certs~~
~~Ed25519~~	`openssl genpkey -algorithm ed25519`	~~JWT signing (Phase 2)~~
~~RSA-4096~~	`openssl genrsa -aes256 4096`	~~Legacy JWT (Phase 2)~~
~~AWS KMS-managed~~	~~AWS KMS~~ `GenerateKey` ~~API~~	~~Restricted data keys~~
~~HMAC-SHA-256~~	`crypto.randomBytes(32)` ~~as key material~~	~~Webhook verification~~CA

~~Current~~Generation ~~MVP:~~environment: JWT_SECRET ~~is generated and set as environment variable by operator at deployment. Must be cryptographically random — minimum 32 bytes.~~

~~Generation~~

~~environment~~

All ~~rule:~~KMS-managed ~~Keys~~keys ~~protecting~~for Restricted ~~(L4) data (fødselsnummer) MUST be~~data: generated within AWS KMS HSMs — key material never leaves AWS

JWT_SECRET: generated using crypto.randomBytes(32) then stored in ~~application~~AWS ~~code.~~
Secrets Manager

All key generation events logged in AWS CloudTrail

3.4.3 Distribution

Principles:

~~Never~~NEVER transmit keys in plaintext over any channel
~~Never~~NEVER include keys in source code, ~~config~~.env files committed to ~~version control,~~Git, or ~~logs~~log output
~~Never~~NEVER send keys via email, Slack, or any messaging platform
~~Never~~Always ~~hardcode~~fetch ~~keys~~secrets —at ~~fatal~~application ~~error~~runtime iffrom JWT_SECRETAWS ~~not~~Secrets ~~set~~Manager inor ~~production~~KMS ~~(enforced in~~ auth.ts)API

Distribution methods:

~~environment~~ in

Scenario	Method	Notes
~~Production~~Application runtime ~~keys~~secrets (JWT_SECRET)	AWS Secrets Manager ~~(Phase~~API 2)at /startup	Fatal ~~variables~~error ~~(MVP)~~if JWT_SECRET missing
Envelope DEK generation	AWS KMS `GenerateDataKey` per encryption operation	Key material decrypted in memory only
Developer ~~secrets~~access	~~1Password~~AWS /IAM ~~Vaultwarden~~role —+ ~~never~~MFA	Least `.env` ~~committed to git~~privilege
CI/CD pipeline secrets	GitHub Actions encrypted secrets (~~scoped~~scoped)	Rotated per ~~environment)~~
~~Third-party API keys~~	~~AWS Secrets Manager (Phase 2) / Vaultwarden for local dev~~
~~Emergency key recovery~~	~~Dual approval process — see §7~~project

~~Current MVP protection:~~ .env ~~file excluded from git via~~ .gitignore. JWT_SECRET ~~fatal error if missing in production enforced in~~ src/drop-app/src/lib/auth.ts.

3.4.4 Storage

Storage hierarchy ~~(Phase~~for ~~2 target):~~Drop:

Level 1 — AWS KMS HSMs (HSM-backed)FIPS ├──140-2 KEK-01:Level Master3)
  +-- drop-national-id-key for(foedselsnummer encryption)
  +-- drop-db-master-key (database PIITDE field— Phase 2)
  +-- drop-kyc-key (KYC document S3 encryption)
  +-- drop-backup-key (backup encryption ├──— KEK-02: Master key for fødselsnummer encryption (separate key)
  └── Root of trust for all derived keyseu-west-1)

Level 2 — AWS Secrets Manager
  ├──+-- JWT_SECRET (orHMAC JWTsigning privatekey)
  key+-- for RS256)
  ├── Database passwordSUMSUB_SECRET_KEY (PostgreSQL)API ├──key)
  Sumsub+-- webhookBANKID_CLIENT_SECRET HMAC(OIDC keysecret)
  ├──+-- NeonomicsDATABASE_URL OAuth(connection client secret
  ├── Swan OAuth client secret
  └── BankID client credentialsstring)

Level 3 — Application memory (ephemeral only)
  ├──+-- DEKsDecrypted DEK during active encryption/decryption
  └──+-- Decrypted secretsJWT_SECRET during requesttoken handlingsigning/verification
  Note:NOTE: NEVER persist Level 3 to disk
or logs

Level 4 — CI/CD (GitHub Actions secrets)
  ├── Staging environment secrets
  └── Deployment credentials (scoped to specific environments)

~~Current MVP storage (pre-AWS):~~

JWT_SECRET~~: Environment variable — set at deployment by operator~~

~~Third-party API keys: Vaultwarden (vault.basicconsulting.no) for local dev, environment variables in deployment~~

Prohibited storage locations:

Source code or config files in ~~version control (~~.env ~~in git)~~Git
Application logs or ~~Sentry~~error ~~error~~messages (Sentry, BetterStack)

Unencrypted database columns

Email attachments or Slack messages
Browser localStorage or sessionStorage
~~Email~~Container ~~attachments~~image ~~or Slack messages~~

~~Unencrypted database columns for Restricted data~~layers

3.4.5 Usage

Access control principles:

Principle	Implementation
Least privilege	~~JWT secret only accessible by auth service; each integration~~KMS key ~~scoped~~policies: toencrypt-only ~~its~~for ~~service~~application, decrypt-only for compliance function
Separation of duties	~~Key~~key-admin ~~generation~~cannot ~~separate~~perform ~~from~~decryption; ~~key~~application ~~deployment~~service ~~approval~~cannot create keys
Key purpose binding	~~JWT signing~~ `drop-national-id-key not` used ~~for data encryption; encryption keys not used~~only for ~~signing~~national ID encryption
Audit all access	~~All AWS~~Every KMS ~~operations~~operation logged in AWS CloudTrail ~~(Phase 2)~~
NoTime-bound ~~sharing~~access	~~Each~~IAM ~~environment~~role ~~(dev/staging/prod)~~assumption ~~has~~with ~~separate~~time-bound ~~keys~~session tokens

~~Current enforcement:~~ JWT_SECRET ~~loaded at startup only, fatal if missing. No~~KMS key ~~ever~~policy ~~returned~~roles:

in~~APIresponses.Sessionstored~~as~~hashesonly.~~

IAM ~~tokens~~Role	Permissions	MFA ~~SHA-256~~Required
`drop-key-admin`	CreateKey, ScheduleKeyDeletion, RotateKey — NO Decrypt	YES
`drop-app-encrypt`	`kms:Encrypt`, `kms:GenerateDataKey`	No (service account)
`drop-compliance-decrypt`	`kms:Decrypt` for `drop-national-id-key` only	YES
`drop-key-auditor`	`kms:ListKeys`, `kms:DescribeKey`, CloudTrail read	YES
`drop-app-runner`	`kms:GenerateDataKey`, `kms:Decrypt` (scoped per key)	No (IAM role)

3.4.6 Rotation Schedule

~~signing~~

Key ~~Type~~	Rotation Period	Method	Owner	Alert if Overdue
~~JWT~~`drop-national-id-key`	Annual	AWS KMS automatic key (`JWT_SECRET`)	~~Quarterly~~	~~Rotation with overlap period (old valid 24h)~~rotation	Security team	Yes — 7 days overdue
~~Database KEK (AES-256, Phase 2)~~`drop-db-master-key`	Annual	AWS KMS automatic key rotation	Security team	~~Yes — 14 days overdue~~
~~Database DEKs (PII, Phase 2)~~	~~Quarterly~~	~~Automated via key rotation API~~	~~Platform~~	Yes — 7 days overdue
`drop-kyc-key`	Annual	AWS KMS automatic key rotation	Security team	Yes — 7 days overdue
`drop-backup-key`	Annual	Manual + AWS KMS rotation	Security team	Yes — 7 days overdue
`JWT_SECRET`	Quarterly	Manual — generate new, deploy, rotate	Security team	Yes — 3 days overdue
TLS ~~certificates~~certificate (~~external)~~getdrop.no)	90 days	Automated (Cloudflare / Let's ~~Encrypt / cert-manager)~~Encrypt)	Platform	Yes — 14 days before expiry
~~TLS~~BankID ~~certificates (internal, Phase 3)~~certificate	30Per ~~days~~BankID schedule	~~Automated~~Manual — BankID renewal process	~~Platform~~Security team	~~Yes~~Calendar ~~— 7 days before expiry~~reminder
~~Sumsub webhook key~~`SUMSUB_SECRET_KEY`	~~Annually~~Annual or on ~~Sumsub rotation~~compromise	Manual via Sumsub dashboard	~~Engineering~~	~~Yes~~
~~Neonomics OAuth secret~~	~~Per Neonomics policy~~	~~Via Neonomics developer portal~~	~~Engineering~~	~~Yes~~
~~Swan OAuth secret~~	~~Per Swan policy~~	~~Via Swan developer portal~~	~~Engineering~~	~~Yes~~
~~Backup encryption key (Phase 2)~~	~~Annual~~	~~Manual + dual approval~~	Security team	Yes — 7 days overdue

~~JWT~~JWT_SECRET rotation ~~overlap:~~overlap procedure:

~~Old~~

Generate new JWT_SECRET ~~remains~~value

~~valid~~

Deploy new secret to AWS Secrets Manager

Rolling deploy of Drop app (picks up new secret)

Wait for 24all ~~hours~~existing ~~after~~sessions to expire (max 24h — JWT expiry)

All sessions issued with old secret are now invalid — users re-authenticate

Delete old secret version from Secrets Manager

AWS KMS automatic rotation: AWS KMS generates new key ~~activation~~material toannually ~~allow~~while ~~in-flight~~retaining ~~sessions~~all toprior ~~complete. Users are NOT logged out on rotation.~~

~~Rotation monitoring:~~ ~~Calendar reminders~~versions for ~~manual~~decryption ~~rotations.~~of ~~AWS~~existing ~~KMS rotation alerts for automated keys (Phase 2).~~ciphertext.

3.4.7 Revocation Procedures

Trigger conditions for immediate revocation:

Known or suspected key compromise (key material logged, unauthorized access)
Employee departure ~~(for~~with ~~keys~~key inmanagement ~~personal~~IAM ~~knowledge)~~role access
System compromise where key was in use
~~Regulatory~~Detection ~~requirement~~of orunauthorized ~~law~~decryption ~~enforcement~~in ~~order~~

CloudTrail

~~Vendor security breach (Sumsub, Neonomics, Swan notify Drop)~~logs

Emergency ~~JWT~~ revocation procedure (target: < 1 hour):

Step 1: Alert Security Lead via #security-incident Slack channel
Step 2: Identify scope — which data was accessible with compromised key?
Step 3: AWS KMS: Disable compromised key (prevents new encrypt/decrypt)
Step 4: Generate replacement key via KMS CreateKey
Step 5: Re-encrypt all data protected by compromised key (Restricted first)
Step 6: Update KMS key references in application configuration
Step 7: Deploy updated configuration
Step 8: Verify all systems using new key
Step 9: Audit CloudTrail: What decrypt operations used compromised key in last 30 days?
Step 10: Assess breach notification requirement (data-breach-response-plan.md §5)
         -> GDPR Art. 33 / Personopplysningsloven § 32: 72h to Datatilsynet if personal data affected
         -> Finanstilsynet notification if payment data affected
Step 11: Document in incident log
Step 12: Post-mortem within 48 hours

JWT_SECRET emergency rotation (session compromise):

Step 1: Generate new JWT_SECRET immediately
Step 2: Deploy new secret to productionAWS (zero-downtime:Secrets old valid 5min overlap)Manager
Step 3: AllRolling existingdeploy Drop application — all in-flight sessions will be invalidated (revoke all in sessions table)
Step 4: UsersAll users must re-authenticate
(expected UX impact — communicate via status page)
Step 5: Audit all sessions active during compromise window
Step 6: Assess if breach notification required (see data-breach-response-plan.md)
Step 7: Document in incident log
Step 8: Post-mortem within 48 hours

~~Database key revocation (Phase 2):~~

~~Disable compromised key in AWS KMS~~

~~Re-encrypt all data protected by compromised key with new key~~

~~Priority: Restricted (L4) data first → Confidential → Internal~~

~~Certificate revocation:~~

~~Immediately upon compromise: Revoke via CA (Let's Encrypt ACME revoke)~~

~~Notify all certificate consumers~~

~~OCSP response updated within 1 hour~~

3.4.8 Destruction

When destruction is required:

Key ~~has been~~ rotated out and overlap period expired
Crypto-shredding: deleting user foedselsnummer by destroying envelope DEK (GDPR Art. 17)

System decommissioned

~~GDPR erasure via crypto-shredding (destroy key → all data encrypted with it is unreadable)~~

Destruction methods:

decryption

Key Location	Destruction Method	Verification
AWS KMS key	~~KMS scheduled key deletion~~`ScheduleKeyDeletion` (7-30 day ~~minimum~~ waiting period)	KMS + CloudTrail audit log
AWS Secrets Manager	~~Delete~~`DeleteSecret` ~~secret,~~(7-30 ~~verify~~day ~~via~~waiting ~~API~~period)	~~Audit~~Secrets Manager audit log
~~Environment~~Envelope ~~variable~~DEK in database	~~Remove~~Delete ~~from~~encrypted ~~deployment~~DEK ~~config, redeploy~~field	~~Deployment~~Verify ~~verification~~
~~Application memory~~	~~Language runtime GC (explicit~~ `Buffer.fill(0)` ~~for sensitive buffers)~~	~~Code review~~
~~Local .env file~~	`shred -vzu .env` ~~on developer machine~~	~~Developer responsibility~~fails

~~Verification:~~Crypto-shredding for GDPR erasure (Art. 17): ~~After~~When ~~destruction,~~a ~~confirm~~user requests account deletion:

The envelope DEK for that ~~decryption~~user's ~~with~~foedselsnummer ~~destroyed~~is ~~key fails on a test ciphertext.~~

~~Destruction log:~~ ~~Document every key destruction in~~ legal/internkontroll.md ~~with: key ID, date, reason, verification method, actor.~~

4. Key Hierarchy (Phase 2 Target)

AWS KMS Root (HSM-backed — EEA region)
    │
    ├── KEK-01: General PII Encryption Master (annual rotation)
    │       └── DEK-PII-{ID}: Per-record PII field DEKs (quarterly rotation)
    │               └── Encrypts: name-as-stored, email, phone (if field-encrypted)
    │
    ├── KEK-02: Fødselsnummer Master Key (annual rotation — SEPARATEdeleted from KEK-01)the │database


└──The DEK-FNR-{ID}: Fødselsnummer field DEKsciphertext (quarterlyfoedselsnummer) rotation)becomes │permanently └──unreadable
Encrypts: users.fodselsnummer (national ID — L4 Restricted)
    │
    ├── KEK-03: AML/KYC Records Master (annual rotation)
    │       └── DEK-AML-{ID}: AML recordretention: DEKs
    │               └── Encrypts: KYC documents, AML investigationtransaction records │retained ├──5 BACKUP-KEK:years Backupper EncryptionHvitvaskingsloven Master§ (annual30
rotation — different KMS region)
    │       └── Encrypts: All database backup snapshots
    │
    ├── TLS Root CA (managed by cert-manager / Let's Encrypt)
    │       ├── External TLS Certificate (*.getdrop.no — 90 day rotation)
    │       └── Internal mTLS Certificates (30 day rotation — Phase 3)
    │
    └── JWT Signing Keys (quarterly rotation)
            Current: JWT_SECRET (HS256 — symmetric)
            Phase 2: Private key (EdDSA or RSA-4096 — asymmetric)

5. Key Management System

~~MVP (Current):~~

~~JWT secret: environment variable with OS CSPRNG generation~~

~~Third-party secrets: Vaultwarden (vault.basicconsulting.no) for local dev~~

~~No formal KMS — acceptable for pre-production MVP~~

~~Phase 2 Target:~~

Primary KMS: AWS KMS (~~EEA region~~eu-north-1 — Stockholm region) Backup KMS: AWS KMS (eu-west-1 ~~Ireland~~— orIreland) ~~eu-central-1~~for ~~Frankfurt)~~

drop-backup-key

only — separate region for disaster recovery Secrets ~~Manager:~~management: AWS Secrets Manager ~~for application secrets~~

~~Secondary:~~ ~~AWS KMS cross-region replication for disaster recovery~~

~~HSM:~~ ~~AWS CloudHSM~~ (~~for KEK-02 fødselsnummer — L4 Restricted data)~~

~~KMS access control (Phase 2):~~eu-north-1)

~~Role~~	~~Permissions~~	~~MFA Required~~
`key-admin`	~~Create, rotate, schedule deletion — NO decrypt~~	~~YES~~
`key-encrypt`	~~Encrypt only (specific key IDs)~~	~~YES~~
`key-decrypt`	~~Decrypt only (specific key IDs)~~	~~YES~~
`key-auditor`	~~List, describe, view audit logs — no crypto ops~~	~~YES~~
~~CI/CD pipeline~~	~~Encrypt only (staging key IDs)~~	~~N/A (service account)~~
~~Application service~~	~~Encrypt + Decrypt (specific keys, VPC constraint)~~	~~N/A (IAM role)~~

6. Access Controls for Key Operations

~~Separation of duties:~~

~~(Phase 2:~~ deployment

Operation	Required ~~Approval~~Roles	Approval Process
Create new ~~KEK~~KMS key	~~CISO~~`drop-key-admin` + ~~second~~CISO ~~approver~~approval	AWS IAM ~~dual~~+ ~~approval)~~ticket
Rotate KMS key (manual)	~~Documented~~`drop-key-admin` ~~request~~(proposer) + CISO (approver)	Dual approval
Emergency key disable	Security Lead (any one)	Single — immediate incident ticket
Schedule key deletion	`drop-key-admin` + CISO	Dual approval — minimum 7-day waiting period
Grant new service access	Security Lead + system owner	IAM PR review + approval
Rotate ~~KEK~~JWT_SECRET	~~CISO~~Security ~~(proposer) + second approver~~Lead	~~Calendar~~Single ~~rotation~~— +with ~~documentation~~
~~Emergency revocation~~	~~CISO alone (time-critical)~~	~~Immediate + incident ticket within 1 hour~~
~~Destroy key~~	~~CISO + Legal (if litigation hold)~~	~~Written approval before KMS deletion~~
~~Grant service access to key~~	~~CISO + system owner~~	~~IAM policy review~~coordination

~~Current MVP:~~ ~~Alem Bašić (CEO/CISO) is sole key custodian. Dual approval to be implemented when team is hired (Phase 2).~~

7. KeyFoedselsnummer EscrowField &Encryption Recovery— Implementation Pattern

~~Escrow policy:~~Key: ~~JWT signing~~ drop-national-id-key and backup encryption keys must have recovery path.


Current MVP recovery:


JWT_SECRET recovery:(AWS Re-generateKMS — separate from CSPRNG,database redeploy.master Allkey)
usersStored: re-authenticate.
Only IfAES-256-GCM ciphertext — never plaintext foedselsnummer in database
Source: JWT_SECRETsrc/drop-app/src/lib/encrypt.ts is lost: Service restarts with new secret. All sessions invalidated. This is acceptable for MVP.


(Phase 2 escrowimplementation)

// Envelope encryption for KEKsfoedselsnummer
// Key: drop-national-id-key (AWS KMS)
// Stored: base64(encryptedDEK || iv || tag || ciphertext)

async function encryptNationalId(fodselsnummer: string):
 Promise<string> AWS{
    KMSconst providesiv multi-region= redundancycrypto.randomBytes(12);  // 96-bit random IV — nonever separatereused
    escrowconst neededdek for= KMS-onlyawait keys
kmsClient.generateDataKey({
        AWSKeyId: KMSprocess.env.NATIONAL_ID_KEY_ARN,
        deletionKeySpec: 'AES_256'
    });
    const cipher = crypto.createCipheriv('aes-256-gcm', dek.Plaintext, iv);
    const ciphertext = Buffer.concat([cipher.update(fodselsnummer, 'utf8'), cipher.final()]);
    const tag = cipher.getAuthTag();
    dek.Plaintext.fill(0);  // Zero DEK plaintext from memory after use
    // Return: base64(encryptedDEK || iv || tag || ciphertext)
    return Buffer.concat([dek.CiphertextBlob, iv, tag, ciphertext]).toString('base64');
}

Access restriction: Only the Compliance function has minimumIAM 7-day waiting period (protection against accidental deletion)
AWS KMS CloudTrail provides full audit trail


Phase 2 escrow for Backup encryption key (offline):


Key material exported encrypted from AWS KMS (if exportable) OR

Backup KMS key replicationaccess to seconddrop-compliance-decrypt regionrole. (recommendedApplication forcode KMS-nativecannot keys)
decrypt Physicalfoedselsnummer escrow:except Encryptedduring keyexplicit filecompliance stored in fireproof safe + separate secure off-site copy

Access: Requires CISO + one designated board member

Verification: Quarterly — confirm escrow holders can access


Recovery procedure (Phase 2):workflows.


CISO opens emergency key recovery request (documented)

Escrow holder(s) convene

Key material combined and imported to KMS

All key recovery events logged and post-mortem required within 48 hours



8. Audit Logging for Key Operations
All key operations mustlogged bein logged:AWS CloudTrail, including:

Key generation:creation (actor, key ID, key type, timestamptimestamp)
Encryption/decryption:decryption (actor, key ID, operation,context, timestamp (not data content)timestamp)
Key rotation:rotation (actor, old key ID,version, new key ID,version, timestamptimestamp)
Key revocation:disabling / deletion scheduling (actor, key ID, reason, timestamp

Key destruction: actor, key ID, verification, timestamp

Access grant/revoke: actor, grantee, key ID, permissions, timestamptimestamp)
Failed access attempts:attempts (actor, key ID, reason, timestamptimestamp)

Log destination (Phase 2):destination: AWS CloudTrail → SIEMS3 — (immutable, append-onlyonly) Current+ MVP:BetterStack Manualaggregation
log in legal/internkontroll.md for all key operations

Log retention: 5 years (AML compliance — Hvitvaskingsloven § 30)
— key operation logs are AML-relevant

Alert on:

Off-hoursDecrypt accessoperations toby KEKsunexpected IAM role
Failed KMS access attempts > 3 in 5 minutes
KeyOff-hours deletionaccess scheduledto drop-national-id-key or drop-kyc-key
KeyAny rotationScheduleKeyDeletion overdueevent (immediate alert)


9. ComplianceException MappingProcess

Exceptions not permitted for: Restricted (L4) data (foedselsnummer, KYC documents) — no exceptions to field-level encryption.

Exception request process:


Submit request to: [email protected]

Required: system, data classification, key being excepted, business justification, risk assessment, compensating controls, duration (max 12 months)

Approval: CISO

Logged in: compliance register

Review: Quarterly — exceptions > 12 months require board-level approval


Active exceptions:

KMS2

encryption;publicDB






























RequirementSystem
StandardException
ControlExpiry Compensating Controls




EncryptionJWT keysigning management(HS256 shared secret)
GDPRShared-secret Art.JWT 32instead of asymmetric RS256/EdDSA
ThisPhase policy2 +migration
JWT_SECRET implementationin AWS Secrets Manager; 24h session expiry; server-side revocation table


CryptographicSQLite keyMVP protection(no column-level TDE)
DORAFilesystem Art.encryption 9(4)(d)only
AWS KMS (Phase 2)  
Key custodian documentationmigration
IKT-forskriftenFull §disk 5  Keyprivate inventorynetwork; tableno (§2)  
 Key rotation IKT-sikkerhetspolicy §6.3 Rotation schedule (§3.6)
Key destruction IKT-forskriften § 5 Destruction procedures (§3.8)
Access controls DORA Art. 9(4) Access controls (§6)
Crypto-shredding for GDPR erasure GDPR Art. 17 Key destruction triggers data erasure
5-year AML record retention Hvitvaskingsloven §30 Key retention aligned with data retention
Audit trail DORA Art. 10 Logging (§8)access




10. Emergency Procedures — Key Compromise
Immediate response checklist (execute within 1 hour of suspected compromise):

□ AlertActivate incident response — notify: Security Lead + CISO immediately:+ [email protected] / +47 40 47 42 51
□ Create incident channel: #incident-key-compromise-{DATE}CTO
□ Identify whichscope: key was compromised (JWT, database, API key)
□ Identify whatWhich data was accessible with compromised keykey?
□ RevokeAWS KMS: Disable compromised key immediately
□ For JWT_SECRET compromise: rotate immediately (seeall §3.7)sessions invalidated)
□ Generate replacement key
□ DeployRe-encrypt newall data protected by compromised key to all systems (zero-downtime rotation if possible)
□ For JWT: Revoke ALL active sessions (UPDATE sessions SET revoked=1)
□ For database key: Begin re-encryption of affectedRestricted data (Restricted first)
□ Audit logs:CloudTrail: What operationswas useddecrypted theusing compromised key in pastlast 30 days?
□ Assess breach notification requirement (see data-breach-response-plan.md §5)
   -> GDPR Art. 33 / Personopplysningsloven § 32: 72h to Datatilsynet
   -> Finanstilsynet notification if payment data affected
□ Document everything in incident log
□ Post-mortem within 48 hours

Re-encryption priority (if database key compromised):priority:

Foedselsnummer (drop-national-id-key) — Restricted (L4):, Fødselsnummer,highest AMLpriority
recordsKYC documents (drop-kyc-key) — IMMEDIATERestricted (L4)
ConfidentialDatabase backup files (L3): Transaction data, KYC recordsdrop-backup-key) — withinRestricted 4 hours(L4)
InternalDatabase master (L2): Logs, session datadrop-db-master-key) — withinPhase 24 hours2

Estimated impact of JWT compromise:


All active user sessions must be invalidated

All users must re-authenticate

Expected customer impact: temporary app disruption

Communication: In-app notification + email explaining security measures taken



Approval



Role
Name
Date
Signature




Author
ALAI Security TeamArchitect
2026-02-23



CISO
Alem Bašić




CTO
Alem Bašić




DPO (complianceGDPR relevance)
TBD — appointment required




Management
Alem Bašić

~~Requirement~~System	~~Standard~~Exception	~~Control~~Expiry	Compensating Controls
~~Encryption~~JWT ~~key~~signing ~~management~~(HS256 shared secret)	~~GDPR~~Shared-secret ~~Art.~~JWT 32instead of asymmetric RS256/EdDSA	~~This~~Phase ~~policy~~2 +migration	JWT_SECRET ~~implementation~~in AWS Secrets Manager; 24h session expiry; server-side revocation table
~~Cryptographic~~SQLite ~~key~~MVP ~~protection~~(no column-level TDE)	~~DORA~~Filesystem ~~Art.~~encryption ~~9(4)(d)~~only	~~AWS KMS (~~Phase 2)
~~Key custodian documentation~~migration	~~IKT-forskriften~~Full §disk 5	~~Key~~private ~~inventory~~network; ~~table~~no ~~(§2)~~
~~Key rotation~~	~~IKT-sikkerhetspolicy §6.3~~	~~Rotation schedule (§3.6)~~
~~Key destruction~~	~~IKT-forskriften § 5~~	~~Destruction procedures (§3.8)~~
~~Access controls~~	~~DORA Art. 9(4)~~	~~Access controls (§6)~~
~~Crypto-shredding for GDPR erasure~~	~~GDPR Art. 17~~	~~Key destruction triggers data erasure~~
~~5-year AML record retention~~	~~Hvitvaskingsloven §30~~	~~Key retention aligned with data retention~~
~~Audit trail~~	~~DORA Art. 10~~	~~Logging (§8)~~access

Role	Name	Date
Author	~~ALAI~~ Security ~~Team~~Architect	2026-02-23
CISO	~~Alem Bašić~~
CTO	~~Alem Bašić~~
DPO (~~compliance~~GDPR relevance)	~~TBD — appointment required~~
Management	~~Alem Bašić~~