Encryption at Rest
All data in QNSP Storage (port 8092) is encrypted at rest.
Default Encryption
Every object is encrypted with:
- Algorithm: AES-256-GCM
- Key: Per-object DEK wrapped by tenant KEK
Encryption process
Upload
- Generate random DEK
- Encrypt object with DEK
- Wrap DEK with tenant KEK
- Store encrypted object + wrapped DEK
Download
- Retrieve wrapped DEK
- Unwrap DEK using tenant KEK
- Decrypt object with DEK
- Return plaintext to client
Key hierarchy
Tenant Master Key (TMK)
↓
Storage Key Encryption Key (KEK)
↓
Per-Object Data Encryption Key (DEK)
Encryption context
Each object is encrypted with the following context bound to its ciphertext:
{
"tenant": "tenant-id",
"bucket": "bucket-name",
"object": "object-key"
}
The same context must be supplied on decryption; a mismatch causes decryption to fail.
Key rotation
When storage KEK rotates:
- New objects use new KEK
- Existing objects re-encrypted on access (lazy)
- Bulk re-encryption is also available
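The upload and download steps, the context binding and the lazy re-encryption on KEK rotation described above, as an added example in Go using only the standard library. This is illustrative code written for this page, not QNSP Storage's own implementation, and it makes a few assumptions: the DEK is wrapped with AES-256-GCM under the tenant KEK (the page does not name the wrapping mode), the JSON form of the context is used as GCM additional authenticated data for both the object and the wrapped DEK, and a KEKVersion field on the stored record tells the download path that the wrapping KEK is stale.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Context is the binding from the page; its JSON form is the GCM additional
// authenticated data for both the object ciphertext and the wrapped DEK.
type Context struct {
	Tenant string `json:"tenant"`
	Bucket string `json:"bucket"`
	Object string `json:"object"`
}

// aad serialises the context deterministically (struct field order is fixed,
// and marshalling three strings cannot fail).
func (c Context) aad() []byte {
	b, _ := json.Marshal(c)
	return b
}

// StoredObject is the persisted record. KEKVersion is this example's
// assumption: it records which tenant KEK wrapped the DEK.
type StoredObject struct {
	Ciphertext []byte // nonce || AES-256-GCM(object, aad=context)
	WrappedDEK []byte // nonce || AES-256-GCM(DEK, aad=context)
	KEKVersion int
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag under key, binding aad.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if the tag or the aad does not match.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Upload: random DEK, encrypt object with DEK, wrap DEK with the tenant KEK
// selected by version, store both together.
func Upload(keks map[int][]byte, version int, ctx Context, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, plaintext, ctx.aad())
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(keks[version], dek, ctx.aad())
	if err != nil {
		return nil, err
	}
	return &StoredObject{Ciphertext: ct, WrappedDEK: wrapped, KEKVersion: version}, nil
}

// Download: unwrap the DEK with the KEK version that wrapped it, decrypt the
// object, and if that KEK is no longer current re-encrypt the object under
// the current KEK in place (the lazy re-encryption on access from the page).
func Download(keks map[int][]byte, current int, ctx Context, obj *StoredObject) ([]byte, error) {
	dek, err := gcmOpen(keks[obj.KEKVersion], obj.WrappedDEK, ctx.aad())
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (missing KEK or context mismatch): %w", err)
	}
	pt, err := gcmOpen(dek, obj.Ciphertext, ctx.aad())
	if err != nil {
		return nil, fmt.Errorf("decrypt object: %w", err)
	}
	if obj.KEKVersion != current {
		fresh, err := Upload(keks, current, ctx, pt)
		if err != nil {
			return nil, err
		}
		*obj = *fresh
	}
	return pt, nil
}
```

Because the context is authenticated data rather than part of the ciphertext, a wrapped DEK copied to another tenant, bucket or object key fails to unwrap before any plaintext is produced; and because the rotation happens inside Download, an old KEK only needs to remain available until every object wrapped under it has been accessed (or bulk re-encrypted).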
Verification
Encryption is verified via:
- Integrity tags (GCM authentication)
- Checksums in metadata
- Audit logging