Key Management Policy

~~Project /~~ Organization: ~~ALAI Holding AS~~Bilko — ~~Drop~~Balkan ~~Payment~~Accounting ~~App~~SaaS Policy Number: POL-SEC-KM-001 Version: 1.0 Date: 2026-02-23 Author: ~~Security Architect~~CTO Status: Draft Reviewers: ~~CISO,~~DPO, ~~CTO,~~Engineering ~~DPO~~ ~~Next Review:~~ ~~2027-02-23~~Lead Classification: Confidential — Restricted ~~Distribution~~

Document History

Version	Date	Author	Changes
0.1	2026-02-23	~~Security Architect~~CTO	Initial ~~draft — Drop~~ key management policy for ~~AWS KMS + Secrets Manager~~Bilko

1. Purpose & Scope

~~Purpose:~~ This policy defines the lifecycle management ~~requirements~~ for all cryptographic keys and secrets used by ~~ALAI~~Bilko. ~~Holding~~It AScovers ~~for the Drop payment app, including~~key generation, ~~distribution,~~ storage, ~~usage,~~ rotation, revocation, and destruction.

~~Regulatory basis:~~

Scope: All ~~cryptographic~~Bilko ~~keys~~production and ~~secrets~~staging inenvironments. ~~use~~All ~~across:~~personnel with access to Railway environment variables or Vaultwarden.

Field-level

~~Production,~~encryption ~~staging,~~scope: FIELD_ENCRYPTION_KEY and ~~development~~FIELD_HMAC_KEY ~~environments~~apply ~~for~~to ~~Drop~~

~~AWS infrastructure (KMS, Secrets Manager, S3, App Runner)~~

~~All employee~~JMBG and ~~contractor~~OIB ~~workstations~~fields ~~handling~~only. ~~Confidential~~PIB, orJIB, ~~Restricted~~and ~~data~~

IBAN

~~All~~are ~~third-party~~NOT ~~integrations~~subject ~~where~~to ~~ALAI~~field-level ~~Holding~~encryption ASper ~~holds~~ADR-014 ~~keys~~

~~Policy Owner:~~ ~~CISO~~§2 (~~[email protected])~~Tier ~~Operational~~2 ~~Owner:~~controls ~~Security~~— ~~team~~disk-level encryption only).

2. Key Inventory

2.1 Complete Key Taxonomy

~~Classification~~

Key ID	Key Type	~~Algorithm~~	Purpose	~~Data~~Storage	Rotation Period	Owner
`drop-national-id-key`JWT_PRIVATE_KEY	~~KEK~~RSA 2048-bit private key	~~AES-256-GCM~~JWT access token signing (RS256)	~~Foedselsnummer~~Railway ~~field~~secret ~~encryption~~(production)	~~Restricted (L4)~~Annual	~~Security team~~	~~AWS KMS (eu-north-1)~~CTO
`drop-db-master-key`JWT_PUBLIC_KEY	~~KEK~~RSA ~~(Database)~~2048-bit public key	~~AES-256~~JWT ~~XTS~~access token verification	~~PostgreSQL~~Railway ~~TDE~~secret ~~— Phase 2~~(production)	~~Restricted~~Annual (~~L4)~~with private)	~~Security team~~	~~AWS KMS (eu-north-1)~~CTO
`drop-kyc-key`REFRESH_TOKEN_SECRET	~~KEK~~64-byte ~~(Object)~~random hex	~~AES-256-GCM~~Refresh token HMAC signing	~~KYC~~Railway ~~document encryption (S3 SSE-KMS)~~secret	~~Restricted (L4)~~Annual	~~Security team~~	~~AWS KMS (eu-north-1)~~CTO
`drop-backup-key`FIELD_ENCRYPTION_KEY	~~KEK~~32-byte random hex (~~Backup)~~AES-256)	~~AES-256~~Field-level encryption of JMBG and OIB in Contacts table only	~~Database~~Railway ~~backup~~secret ~~encryption~~+ Vaultwarden	~~Restricted (L4)~~Annual	~~Security team~~	~~AWS KMS (eu-west-1) — separate region~~CTO
`JWT_SECRET`FIELD_HMAC_KEY	~~Signing~~32-byte ~~secret~~random hex	Org-scoped HMAC-~~SHA-256~~SHA256 for jmbg_hash + oib_hash columns	~~JWT~~Railway ~~session~~secret ~~token~~+ ~~signing (HS256)~~Vaultwarden	~~Confidential~~Annual (~~L3)~~with FIELD_ENCRYPTION_KEY)	~~Security team~~	~~AWS Secrets Manager~~CTO
`TLS-EXT`	~~TLS Certificate~~	~~ECDSA P-256~~	~~External HTTPS (getdrop.no)~~	—	~~Cloudflare / Let's Encrypt~~	~~Cloudflare managed~~
`BankID-cert`	~~TLS Certificate~~	~~RSA-2048~~	~~BankID Norway JWT signature verification~~	—	~~BankID Norge AS CA~~	~~BankID managed~~
`SUMSUB-API-KEY`	~~API Key~~	~~HMAC-SHA-256~~	~~Sumsub KYC API authentication~~	~~Confidential (L3)~~	~~Security team~~	~~AWS Secrets Manager~~
`DEK-*`	~~Data Encryption Keys~~	~~AES-256-GCM~~	~~Per-record envelope DEKs~~	~~Restricted (L4)~~	~~Application~~	~~Generated by AWS KMS~~ `GenerateDataKey`

2.2 Secrets Inventory (AWS Secrets Manager)

~~Secret Name~~	~~Purpose~~	~~Rotation~~
`JWT_SECRET`	~~JWT token signing~~	~~Quarterly~~
`SUMSUB_SECRET_KEY`	~~Sumsub KYC integration~~	~~Annual or on compromise~~
`BANKID_CLIENT_SECRET`	~~BankID OIDC client secret~~	~~Per BankID schedule~~
`DATABASE_URL`	PostgreSQL connection string with credentials	Database access	Railway secret	On DBcompromise ~~credential~~/ ~~rotation~~quarterly review	CTO
`SENTRY_DSN`SEF_API_KEY	~~Sentry~~API ~~error~~key ~~monitoring~~string	~~Annual~~Serbia SEF e-invoice portal (per org)	DB (encrypted) per org	Per SEF portal policy	Per organization
FINA_CERT	X.509 certificate + private key	HR-FISK e-invoice signing (FINA PKI)	DB (encrypted) per org	Per FINA PKI (1-3 years)	Per organization
SENTRY_DSN	DSN string	Error tracking	Railway secret / env var	On compromise	CTO

3. Key Hierarchy

AWSgraph KMSTD
    ROOT["Root ofSecrets\n(CTO Trustpersonal (eu-north-1Vaultwarden primaryvault)"]
    —RAILWAY["Railway Stockholm)Environment Secrets\n(production / staging / dev)"]
    ORG_SECRETS["Per-Organization Secrets\n(DB encrypted, L4 Restricted)\nSEF API keys, FINA certs"]
    APP["Application Runtime\n(keys loaded from env at startup)"]

    ROOT -->|"Provision"| +RAILWAY
    RAILWAY -->|"Load drop-national-id-at boot"| APP
    ROOT -->|"Rotation authority"| ORG_SECRETS
    ORG_SECRETS -->|"Decrypt on request"| APP

Principle: No key ~~(AES-256-GCM~~material —is ~~annual~~ever ~~rotation)~~committed |to ~~+--~~source ~~DEK-{user_id}-{timestamp}:~~code. ~~Per-record~~No ~~envelope~~key ~~DEKs~~is ~~| +-- Encrypts: foedselsnummer field~~stored in ~~users~~plaintext ~~table~~outside |Railway ~~+--~~secrets ~~Stored:~~or base64(encryptedDEK || iv || tag || ciphertext) | +-- drop-db-master-key (AES-256 XTS — annual rotation) | +-- Encrypts: PostgreSQL database at rest (Phase 2 — AWS RDS) | +-- drop-kyc-key (AES-256-GCM — annual rotation) | +-- Encrypts: KYC document objects in AWS S3 (SSE-KMS) | +-- AWS KMS Root of Trust (eu-west-1 — SEPARATE REGION) +-- drop-backup-key (AES-256 — annual rotation) +-- Encrypts: All database backup files AWS Secrets Manager (eu-north-1) +-- JWT_SECRET (HMAC-SHA-256 — quarterly rotation) | +-- Signs: Drop JWT session tokens (HS256 via jose ^6.1.3) +-- SUMSUB_SECRET_KEY (API key — annual) +-- BANKID_CLIENT_SECRET (OIDC client secret) +-- DATABASE_URL (connection string) Cloudflare / Let's Encrypt +-- TLS Certificate (ECDSA P-256 — 90-day automated rotation) +-- External HTTPS: getdrop.no BankID Norge AS CA +-- BankID Certificate (RSA-2048 — per BankID renewal schedule) +-- Used for: BankID JWT signature verification (Phase 2) Vaultwarden.

4. Key LifecycleGeneration Standards

4.1 Lifecycle Overview

flowchart LR
    GEN[Generation] -->|"AWS KMS CSPRNG"| DIST[Distribution]
    DIST -->|"Runtime API call\nnever in env files"| STORE[Storage]
    STORE -->|"KMS / Secrets Manager\naccess controlled"| USE[Usage]
    USE -->|"Scheduled"| ROT[Rotation]
    ROT -->|"New key active\noverlap period"| USE
    ROT -->|"Old key retired"| ARCH[Archive / Revoke]
    ARCH -->|"End of life"| DEST[Destruction]

    REVOKE[Emergency Revocation] -->|"Compromise detected"| DEST
    USE --> REVOKE

4.2 Generation

~~Entropy requirements:~~

~~All keys MUST be generated using AWS KMS or a CSPRNG~~

~~NEVER use user-supplied passphrases, timestamps, UUIDs, or predictable values as keys~~

~~NEVER generate keys in application code for Restricted data — use AWS KMS~~ GenerateKey or GenerateDataKey

~~Approved key generation methods:~~

Key Type	Generation Method	~~Tool~~Entropy Requirements
~~Symmetric~~RSA (~~AES-256) KMS keys~~JWT)	~~KMS~~`openssl CreateKeygenrsa 2048 API`	~~AWS~~2048-bit ~~KMS (FIPS 140-2 Level 3 HSMs)~~minimum
~~Envelope~~Symmetric ~~DEKs~~(AES-256)	~~KMS~~`openssl GenerateDataKeyrand -hex 32 API`	~~AWS~~256 ~~KMS~~bits (32 bytes)
~~JWT~~HMAC ~~signing secret~~key	`crypto.randomBytes(32).toString('hex')openssl rand -hex 32`	~~Node.js~~256 ~~CSPRNG~~bits
~~TLS~~Refresh ~~certificates~~token secret	~~ACME~~`openssl protocolrand -hex 64`	~~Cloudflare~~512 ~~/ Let's Encrypt~~bits
~~BankID~~API ~~certificates~~keys (external)	~~BankID~~Generated ~~Norge~~by ASexternal CAportal (SEF/FINA)	~~External~~Per CAexternal system

~~Generation environment:~~Commands:

# Generate JWT key pair
openssl genrsa -out jwt_private.pem 2048
openssl rsa -in jwt_private.pem -pubout -out jwt_public.pem

# Generate AES-256 field encryption key
openssl rand -hex 32

# Generate HMAC key
openssl rand -hex 32

All generated keys must be imported to Railway and Vaultwarden within 1 hour. Local files deleted securely after import.

5. Key Storage

Production Keys (Railway)

All ~~KMS-managed~~production keys stored as Railway environment variables

Railway EU West region — encrypted at rest by Railway (AES-256)

Access: CTO + one designated backup (CEO) only

Two-factor authentication mandatory for ~~Restricted~~Railway ~~data:~~account

~~generated~~

Railway ~~within~~account ~~AWS~~uses ~~KMS~~ALAI ~~HSMs~~SSO / strong password (≥20 chars, in Vaultwarden)

Staging/Dev Keys

Separate Railway project (staging) — different keys from production

Dev: .env.local files excluded from git via .gitignore

Dev keys may use weaker entropy but must still be valid format

Vaultwarden (Backup & Documentation)

URL: https://vault.basicconsulting.no

Stores: production key material ~~never~~as ~~leaves~~secure ~~AWS~~notes (encrypted)
~~JWT_SECRET:~~Access: ~~generated~~CTO ~~using~~+ crypto.randomBytes(32)CEO ~~then~~(break-glass ~~stored~~access)

Purpose: Recovery if Railway secrets are lost; rotation documentation

Per-Organization Secrets (SEF API Keys, FINA Certificates)

Stored in ~~AWS~~PostgreSQL ~~Secrets~~OrganizationSecret ~~Manager~~table
~~All~~Value ~~key~~encrypted ~~generation~~with ~~events~~FIELD_ENCRYPTION_KEY ~~logged~~before instorage

~~AWS~~

Decrypted ~~CloudTrail~~in-memory only when needed for API call

FINA private keys additionally protected with password (stored separately)

6. Key Rotation Procedures

4.36.1 DistributionAnnual Rotation (Standard)

~~Principles:~~Schedule: First Monday of each calendar year.

~~NEVER transmit keys in plaintext over any channel~~

~~NEVER include keys in source code,~~ .env ~~files committed to Git, or log output~~

~~NEVER send keys via email, Slack, or any messaging platform~~

~~Always fetch secrets at application runtime from AWS Secrets Manager or KMS API~~

~~Distribution~~FIELD_ENCRYPTION_KEY ~~methods:~~

most

~~Scenario~~	~~Method~~	~~Notes~~
~~Application runtime secrets~~rotation (~~JWT_SECRET)~~	~~AWS~~sensitive ~~Secrets~~— ~~Manager~~requires ~~API at startup~~	~~Fatal error if JWT_SECRET missing~~
~~Envelope DEK generation~~	~~AWS KMS~~ `GenerateDataKey` ~~per encryption operation~~	~~Key material decrypted in memory only~~
~~Developer access~~	~~AWS IAM role + MFA~~	~~Least privilege~~
~~CI/CD pipeline secrets~~	~~GitHub Actions encrypted secrets (scoped)~~	~~Rotated per project~~

4.4 Storage

~~Storage hierarchy for Drop:~~re-encryption):

Level1. 1Generate —new AWS KMS HSMsFIELD_ENCRYPTION_KEY (FIPSopenssl 140-2rand Level-hex 3)32)
+--2. drop-national-id-Deploy a migration job that:
   a. Reads each encrypted field with old key
   (foedselsnummerb. encryption)Decrypts
   +--c. drop-db-master-Re-encrypts with new key
   (databased. TDEWrites — Phase 2)
  +-- drop-kyc-key (KYC document S3 encryption)
  +-- drop-backup-key (backup encryption — eu-west-1)

Level 2 — AWS Secrets Manager
  +-- JWT_SECRET (HMAC signing key)
  +-- SUMSUB_SECRET_KEY (API key)
  +-- BANKID_CLIENT_SECRET (OIDC secret)
  +-- DATABASE_URL (connection string)

Level 3 — Application memory (ephemeral only)
  +-- Decrypted DEK during active encryption/decryption
  +-- JWT_SECRET during token signing/verification
  NOTE: NEVER persist Level 3back to diskDB
3. Migration must be atomic per record (read old → write new in transaction)
4. Only after 100% migration: update Railway secret to new key
5. Delete old key from Vaultwarden (add to archive note with date)
6. Test: attempt decryption with both old (should fail) and new (should succeed) keys

~~Prohibited~~JWT ~~storage~~key ~~locations:~~pair rotation (zero-downtime):

1. SourceGenerate codenew orRSA configkey filespair
2. Add new public key to JWKS endpoint alongside old (support both during rotation window)
3. Begin issuing new tokens signed with new private key
4. Wait for all old tokens to expire (15 minutes max)
5. Remove old public key from JWKS
6. Update JWT_PRIVATE_KEY and JWT_PUBLIC_KEY in GitRailway
7. Invalidate all refresh tokens (users will re-login)

6.2 Emergency Rotation (On Compromise)

If a key is suspected compromised:

Immediately invalidate: all user sessions (clear RefreshToken table)
~~Application~~Generate ~~logs~~new orkey ~~error~~within ~~messages~~15 ~~(Sentry, BetterStack)~~minutes
~~Unencrypted~~Update ~~database~~Railway ~~columns~~secret
~~Email~~Deploy ~~attachments~~new orapplication ~~Slack~~instance ~~messages~~(Railway auto-deploys on env var change)
~~Browser~~Document ~~localStorage~~in orVaultwarden: ~~sessionStorage~~old key, date of compromise, date of rotation
~~Container~~Assess ~~image~~whether ~~layers~~breach notification is required (see data-breach-response-plan.md)

6.3 FINA Certificate (HR-FISK) Rotation

FINA X.509 certificates for HR-FISK e-invoicing have a defined validity period (1-3 years per FINA PKI).

1. FINA certificate expiry alert fires 60 days before expiry
2. Organization admin is notified to renew via FINA portal
3. New certificate uploaded through Bilko settings → HR eRačun → Certificate
4. Old certificate archived (not deleted — needed to verify past submissions)
5. Test: submit a test e-invoice via HR-FISK test environment with new certificate

4.5

7. Usage

Key

Access ~~control principles:~~

~~Principle~~	~~Implementation~~
~~Least privilege~~	~~KMS key policies: encrypt-only for application, decrypt-only for compliance function~~
~~Separation of duties~~	~~key-admin cannot perform decryption; application service cannot create keys~~
~~Key purpose binding~~	`drop-national-id-key` ~~used only for national ID encryption~~
~~Audit all access~~	~~Every KMS operation logged in AWS CloudTrail~~
~~Time-bound access~~	~~IAM role assumption with time-bound session tokens~~

~~KMS key policy roles:~~

~~IAM Role~~	~~Permissions~~	~~MFA Required~~
`drop-key-admin`	~~CreateKey, ScheduleKeyDeletion, RotateKey — NO Decrypt~~	~~YES~~
`drop-app-encrypt`	`kms:Encrypt`, `kms:GenerateDataKey`	~~No (service account)~~
`drop-compliance-decrypt`	`kms:Decrypt` ~~for~~ `drop-national-id-key` ~~only~~	~~YES~~
`drop-key-auditor`	`kms:ListKeys`, `kms:DescribeKey`~~, CloudTrail read~~	~~YES~~
`drop-app-runner`	`kms:GenerateDataKey`, `kms:Decrypt` ~~(scoped per key)~~	~~No (IAM role)~~

4.6 Rotation Schedule

Control loaded in viewRailwayAPIorg

Key	~~Rotation~~Who ~~Period~~Can Access	~~Method~~	~~Owner~~	~~Alert if Overdue~~How
`drop-national-id-key`JWT_PRIVATE_KEY	~~Annual~~Application only (Railway env)	~~AWS~~Never ~~KMS~~exposed ~~automatic~~via ~~key~~API; ~~rotation~~	~~Security~~at ~~team~~	~~Yes — 7 days overdue~~startup
`drop-db-master-key`FIELD_ENCRYPTION_KEY	~~Annual~~Application only	~~AWS~~Never ~~KMS~~logged; ~~automatic~~never ~~key~~returned ~~rotation~~	~~Security~~API ~~team~~	~~Yes — 7 days overdue~~response
`drop-kyc-key`DATABASE_URL	~~Annual~~Application + CTO	~~AWS~~Railway ~~KMS~~secret; ~~automatic~~CTO ~~key~~can ~~rotation~~	~~Security~~in ~~team~~	~~Yes — 7 days overdue~~dashboard
`drop-backup-key`SEF API keys	~~Annual~~Application + org owner	~~Manual~~Decrypted +only ~~AWS~~for ~~KMS~~SEF ~~rotation~~	~~Security~~calls; ~~team~~	~~Yes~~owner —can 7rotate ~~days~~via ~~overdue~~settings
`JWT_SECRET`FINA certificates	~~Quarterly~~Application + org owner	~~Manual~~Decrypted —only ~~generate~~for ~~new,~~HR-FISK ~~deploy, rotate~~	~~Security team~~	~~Yes — 3 days overdue~~
~~TLS certificate (getdrop.no)~~	~~90 days~~	~~Automated (Cloudflare / Let's Encrypt)~~	~~Platform~~	~~Yes — 14 days before expiry~~
~~BankID certificate~~	~~Per BankID schedule~~	~~Manual — BankID renewal process~~	~~Security team~~	~~Calendar reminder~~
`SUMSUB_SECRET_KEY`	~~Annual or on compromise~~	~~Manual via Sumsub dashboard~~	~~Security team~~	~~Yes — 7 days overdue~~submissions

~~JWT_SECRET~~Access ~~rotation~~log: ~~overlap~~All ~~procedure:~~

~~Generate new~~ JWT_SECRET ~~value~~

~~Deploy new~~Railway secret toviews ~~AWS Secrets Manager~~

~~Rolling deploy of Drop app (picks up new secret)~~

~~Wait for all existing sessions to expire (max 24h — JWT expiry)~~

~~All sessions issued with old secret are now invalid — users re-authenticate~~

~~Delete old secret version from Secrets Manager~~

~~AWS KMS automatic rotation:~~ ~~AWS KMS generates new key material annually while retaining all prior versions for decryption of existing ciphertext.~~

4.7 Revocation Procedures

~~Trigger conditions for immediate revocation:~~

~~Known or suspected key compromise (key material logged, unauthorized access)~~

~~Employee departure with key management IAM role access~~

~~System compromise where key was~~logged in ~~use~~

Railway

~~Detection~~audit oftrail. ~~unauthorized~~Any ~~decryption~~access inoutside ~~CloudTrail~~normal ~~logs~~

deployment

~~Emergency revocation procedure (target: < 1 hour):~~

Step 1: Alert Security Lead via #security-incident Slack channel
Step 2: Identify scope — which data was accessible with compromised key?
Step 3: AWS KMS: Disable compromised key (prevents new encrypt/decrypt)
Step 4: Generate replacement key via KMS CreateKey
Step 5: Re-encrypt all data protectedreviewed by compromised key (Restricted first)
Step 6: Update KMS key references in application configuration
Step 7: Deploy updated configuration
Step 8: Verify all systems using new key
Step 9: Audit CloudTrail: What decrypt operations used compromised key in last 30 days?
Step 10: Assess breach notification requirement (data-breach-response-plan.md §5)
         -> GDPR Art. 33 / Personopplysningsloven § 32: 72h to Datatilsynet if personal data affected
         -> Finanstilsynet notification if payment data affected
Step 11: Document in incident log
Step 12: Post-mortem within 48 hours

~~JWT_SECRET emergency rotation (session compromise):~~

Step 1: Generate new JWT_SECRET immediately
Step 2: Deploy to AWS Secrets Manager
Step 3: Rolling deploy Drop application — all in-flight sessions invalidated
Step 4: All users must re-authenticate
Step 5: Document in incident log

4.8 Destruction

~~When destruction is required:~~

~~Key rotated out and overlap period expired~~

~~Crypto-shredding: deleting user foedselsnummer by destroying envelope DEK (GDPR Art. 17)~~

~~System decommissioned~~

~~Destruction methods:~~

~~Key Location~~	~~Destruction Method~~	~~Verification~~
~~AWS KMS key~~	`ScheduleKeyDeletion` ~~(7-30 day waiting period)~~	~~KMS + CloudTrail audit log~~
~~AWS Secrets Manager~~	`DeleteSecret` ~~(7-30 day waiting period)~~	~~Secrets Manager audit log~~
~~Envelope DEK in database~~	~~Delete encrypted DEK field~~	~~Verify decryption fails~~

~~Crypto-shredding for GDPR erasure (Art. 17):~~ ~~When a user requests account deletion:~~

~~The envelope DEK for that user's foedselsnummer is deleted from the database~~

~~The ciphertext (foedselsnummer) becomes permanently unreadable~~

~~AML retention: transaction records retained 5 years per Hvitvaskingsloven § 30~~

5. Key Management System

~~Primary KMS:~~ ~~AWS KMS (eu-north-1 — Stockholm region)~~ ~~Backup KMS:~~ ~~AWS KMS (eu-west-1 — Ireland) for~~ drop-backup-key ~~only — separate region for disaster recovery~~ ~~Secrets management:~~ ~~AWS Secrets Manager (eu-north-1)~~

6. Access Controls for Key Operations

~~Operation~~	~~Required Roles~~	~~Approval Process~~
~~Create new KMS key~~	`drop-key-admin` ~~+ CISO approval~~	~~AWS IAM + ticket~~
~~Rotate KMS key (manual)~~	`drop-key-admin` ~~(proposer) + CISO (approver)~~	~~Dual approval~~
~~Emergency key disable~~	~~Security Lead (any one)~~	~~Single — immediate incident ticket~~
~~Schedule key deletion~~	`drop-key-admin` ~~+ CISO~~	~~Dual approval — minimum 7-day waiting period~~
~~Grant new service access~~	~~Security Lead + system owner~~	~~IAM PR review + approval~~
~~Rotate JWT_SECRET~~	~~Security Lead~~	~~Single — with deployment coordination~~

7. Foedselsnummer Field Encryption — Implementation Pattern

~~Key:~~ drop-national-id-key ~~(AWS KMS — separate from database master key)~~ ~~Stored:~~ ~~Only AES-256-GCM ciphertext — never plaintext foedselsnummer in database~~ ~~Source:~~ src/drop-app/src/lib/encrypt.ts ~~(Phase 2 implementation)~~

// Envelope encryption for foedselsnummer
// Key: drop-national-id-key (AWS KMS)
// Stored: base64(encryptedDEK || iv || tag || ciphertext)

async function encryptNationalId(fodselsnummer: string): Promise<string> {
    const iv = crypto.randomBytes(12);  // 96-bit random IV — never reused
    const dek = await kmsClient.generateDataKey({
        KeyId: process.env.NATIONAL_ID_KEY_ARN,
        KeySpec: 'AES_256'
    });
    const cipher = crypto.createCipheriv('aes-256-gcm', dek.Plaintext, iv);
    const ciphertext = Buffer.concat([cipher.update(fodselsnummer, 'utf8'), cipher.final()]);
    const tag = cipher.getAuthTag();
    dek.Plaintext.fill(0);  // Zero DEK plaintext from memory after use
    // Return: base64(encryptedDEK || iv || tag || ciphertext)
    return Buffer.concat([dek.CiphertextBlob, iv, tag, ciphertext]).toString('base64');
}

~~Access restriction:~~ ~~Only the Compliance function has IAM access to~~ drop-compliance-decrypt ~~role. Application code cannot decrypt foedselsnummer except during explicit compliance workflows.~~CTO.

8. AuditEscrow Logging& forRecovery

~~Key~~

FIELD_ENCRYPTION_KEY Operations

Escrow (Critical)

The FIELD_ENCRYPTION_KEY is the most critical key — loss means permanent loss of all L4 Restricted field data (tax IDs, IBAN).

~~All~~Escrow ~~key operations logged in AWS CloudTrail, including:~~procedure:

~~Key~~FIELD_ENCRYPTION_KEY ~~creation~~stored ~~(actor,~~in ~~key~~Vaultwarden ~~ID,~~secure ~~key~~note ~~type,~~accessible ~~timestamp)~~to: CTO, CEO
~~Encryption/decryption~~Vaultwarden has its own backup (~~actor,~~see ~~key~~system ~~ID,~~infrastructure ~~context, timestamp)~~docs)
Key material noted with: creation date, rotation ~~(actor,~~date, ~~old key version, new key version, timestamp)~~

~~Key disabling / deletion scheduling (actor, key ID, reason, timestamp)~~

~~Failed access attempts (actor, key ID, reason, timestamp)~~description

~~Log~~If ~~destination:~~FIELD_ENCRYPTION_KEY is lost and not recoverable: ~~AWS~~All ~~CloudTrail~~encrypted →field S3data ~~(immutable,~~is ~~append-only)~~permanently +unreadable. ~~BetterStack~~This ~~aggregation~~is ~~Log~~a ~~retention:~~catastrophic 5data ~~years~~loss ~~(AML~~event. ~~compliance~~Contact —legal ~~Hvitvaskingsloven~~counsel §and ~~30)~~affected ~~Alert~~supervisory ~~on:~~authorities.

Railway Account Recovery

~~Decrypt~~Railway ~~operations~~root byaccount: ~~unexpected~~[email protected] ~~IAM~~(password ~~role~~in Vaultwarden)
~~Failed~~2FA ~~KMS~~recovery ~~access~~codes: ~~attempts~~Vaultwarden >secure ~~3 in 5 minutes~~note
~~Off-hours~~Designated backup access: CEO has view access to drop-national-id-key or drop-kyc-key

~~Any~~ ScheduleKeyDeletion ~~event~~Railway (~~immediate alert)~~read-only)

9. ExceptionKey ProcessDestruction

~~Exceptions~~When ~~not~~a ~~permitted~~key ~~for:~~is ~~Restricted~~retired (~~L4)~~superseded ~~data~~by rotation):

Remove from Railway environment variables

Remove from active Vaultwarden entries

Archive to Vaultwarden secure note: "Retired Keys" with date and reason

Old FIELD_ENCRYPTION_KEY versions: retained for 3 months after rotation (~~foedselsnummer,~~in ~~KYC~~case ~~documents)~~rollback —needed), nothen ~~exceptions~~permanently deleted from Vaultwarden

10. Securion Sign-off Requirement

No changes to FIELD_ENCRYPTION_KEY, FIELD_HMAC_KEY, or field-level ~~encryption.~~encryption implementation may be deployed to production without written approval from Parisa Tabriz (Securion).

~~Exception request process:~~Process:

~~Submit~~All ~~request~~field ~~to:~~encryption ~~[email protected]~~code changes must complete Securion security review
~~Required:~~Review ~~system,~~conducted ~~data~~against ~~classification,~~checklist: ~~key being excepted, business justification, risk assessment, compensating controls, duration (max 12 months)~~docs/security/FieldEncryptionSecurionChecklist.md
~~Approval:~~Sign-off ~~CISO~~evidence file required before mc.js done on any field encryption task
~~Logged~~Evidence file stored in: ~~compliance register~~

~~Review: Quarterly — exceptions~~ docs/security/securion-approvals/YYYY-MM-DD-<task-id> 12 months require board-level approval.md

~~Active~~Scope: ~~exceptions:~~This requirement applies to:

Initial

~~System~~	~~Exception~~	~~Expiry~~	~~Compensating Controls~~
~~JWT signing (HS256 shared secret)~~	~~Shared-secret JWT instead of asymmetric RS256/EdDSA~~	~~Phase 2 migration~~	~~JWT_SECRET in AWS Secrets Manager; 24h session expiry; server-side revocation table~~
~~SQLite MVP (no column-level TDE)~~	~~Filesystem~~field encryption ~~only~~	~~Phase 2 migration~~	~~Full disk encryption; private network; no public DB access~~

10. Emergency Procedures — Key Compromise

Immediate response checklistimplementation (executeMC within#9966)
1Any hour of suspected compromise):

□ Activate incident response — notify: Security Lead + CISO + CTO
□ Identify scope: Which data was accessible with compromised key?
□ AWS KMS: Disable compromised key immediately
□ For JWT_SECRET compromise: rotate immediately (all sessions invalidated)
□ Generate replacement key
□ Re-encrypt all data protected by compromised key (Restricted data first)
□ Audit CloudTrail: What was decrypted using compromised key in last 30 days?
□ Assess breach notification requirement (data-breach-response-plan.md §5)
   -> GDPR Art. 33 / Personopplysningsloven § 32: 72hchanges to DatatilsynetFieldEncryption.kt, ->FieldHmac.kt, Finanstilsynet notification if payment data affected
□ Document everything in incident log
□ Post-mortem within 48 hours

~~Re-encryption priority:~~

~~Foedselsnummer (~~drop-national-id-key~~) — Restricted (L4), highest priority~~

~~KYC documents (~~drop-kyc-key~~) — Restricted (L4)~~FieldEncryptionRotationScript.kt
Database ~~backup~~migration ~~files~~changes (drop-backup-key)affecting —jmbg, ~~Restricted~~oib, ~~(L4)~~jmbg_hash, oib_hash columns
~~Database~~Key ~~master~~rotation procedures

Addition of new encrypted fields

Exemptions: Changes to non-cryptographic code (drop-db-master-key)UI —masking, ~~Phase~~API 2response

filtering) do not require Securion sign-off but must still undergo Proveo QA review.

Approval

~~Architect~~

Role	Name	~~Signature~~Date
Author	~~Security~~CTO	2026-02-23
~~CISO~~Reviewer (DPO)
~~CTO~~Reviewer (Engineering Lead)
~~DPO (GDPR relevance)~~Approver
~~Management~~	CEO