Skip to main content
AC

Acme Cloud

EthicPages logoVisit EthicPages

Encryption Standards

Last updated: January 15, 2026

Encryption Standards

Document owner: Chief Information Security Officer (CISO) Version: 3.0 Effective date: January 1, 2026 Last updated: January 15, 2026 Classification: Public — Trust Center Review cadence: Annual, and upon NIST/CISA cryptographic guidance updates or material technology changes Company: Acme Cloud, Inc. Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com

Definitions

TermDefinition
AESAdvanced Encryption Standard, symmetric block cipher
Asymmetric EncryptionEncryption using public/private key pairs
Block CipherEncryption algorithm operating on fixed-size data blocks
CBCCipher Block Chaining, block cipher mode of operation
Certificate Authority (CA)Entity issuing digital certificates
CMKCustomer Master Key, top-level key in AWS KMS hierarchy
Cryptographic AgilityAbility to switch cryptographic algorithms without major system changes
Data Encryption Key (DEK)Symmetric key encrypting data directly
Digital CertificateElectronic document binding public key to identity
ECDSAElliptic Curve Digital Signature Algorithm
Ed25519Edwards-curve Digital Signature Algorithm using Curve25519
Envelope EncryptionPattern using DEK encrypted by KEK
FIPS 140-2/3Federal Information Processing Standard for cryptographic modules
GCMGalois/Counter Mode, authenticated encryption mode
HKDFHMAC-based Key Derivation Function
HMACHash-based Message Authentication Code
HSMHardware Security Module, physical device for key protection
HSTSHTTP Strict Transport Security
KEKKey Encryption Key, key that encrypts other keys
Key RotationProcess of retiring and replacing cryptographic keys
KMSKey Management Service, system for managing encryption keys
mTLSMutual TLS, bidirectional certificate authentication
NISTNational Institute of Standards and Technology
OCSPOnline Certificate Status Protocol
Perfect Forward Secrecy (PFS)Property ensuring session keys cannot be compromised by long-term key compromise
PKIPublic Key Infrastructure, framework for managing digital certificates
Post-Quantum Cryptography (PQC)Cryptographic algorithms resistant to quantum computer attacks
RSARivest-Shamir-Adleman, asymmetric encryption algorithm
SaltRandom data added before hashing to prevent rainbow table attacks
SHASecure Hash Algorithm family
Symmetric EncryptionEncryption using same key for encryption and decryption
TDETransparent Data Encryption, database-level encryption
TLSTransport Layer Security, protocol for encrypted network communication
X.509Standard for public key certificates

Scope and Applicability

1.1 Document Scope

This Encryption Standards document defines cryptographic requirements for all Acme Cloud, Inc. ("Acme Cloud") systems processing, storing, or transmitting information. Standards align with:

Standard/FrameworkAlignment
NIST SP 800-57Key management recommendations
NIST SP 800-131ACryptographic algorithm transitions
NIST SP 800-175BCryptographic standards selection
SOC 2 CC6.7Encryption controls
ISO 27001 Annex A.10Cryptographic controls
HIPAA §164.312Technical safeguards (encryption)
GDPR Article 32Security of processing
PCI DSS Requirement 3-4Cardholder data protection

1.2 System Scope

System CategoryEncryption ScopeKey Management
Production SaaS PlatformFull encryption requirementsAWS KMS
Production DatabasesAt-rest and in-transit encryptionAWS KMS CMK
Staging EnvironmentsSame as production (with customer data)AWS KMS
Development EnvironmentsTLS for communicationStandard TLS
Corporate SystemsDisk encryption, TLSEndpoint + cloud
Backup SystemsAt-rest encryptionSeparate KMS keys
DR SystemsSame as productionCross-region KMS

1.3 Data Classification and Encryption Requirements

ClassificationAt RestIn TransitApplication LayerKey Management
PublicOptionalTLS 1.2+Not requiredStandard
InternalAES-256 recommendedTLS 1.2+Not requiredAWS KMS
ConfidentialAES-256 requiredTLS 1.2+ requiredRecommended for sensitive fieldsAWS KMS CMK
RestrictedAES-256 + field-levelTLS 1.3 preferredRequiredCMK or customer-managed

Cryptographic Algorithm Standards

2.1 Symmetric Encryption Algorithms

AlgorithmModeKey SizeApproved UseProhibited UseSunset
AES-256GCM256-bitAll encryption at rest, field-level encryptionECB modeActive
AES-256CBC + HMAC-SHA256256-bitLegacy migration onlyNew implementations2027
AES-128GCM128-bitLow-sensitivity transient data onlyDatabase encryption, sensitive dataActive (limited)
ChaCha20-Poly1305N/A256-bitMobile SDK, streaming encryptionServer-side database encryptionActive
3DESAnyAnyProhibitedAll useSunset 2023
DESAnyAnyProhibitedAll useSunset 2000
RC4N/AAnyProhibitedAll useSunset 2015
BlowfishAnyAnyProhibitedAll useSunset 2010

2.2 Asymmetric Encryption Algorithms

AlgorithmKey SizeApproved UseProhibited UseSunset
RSA4096-bitLegacy certificate migration, key exchangeNew PKI, code signing2027
RSA2048-bitProhibited for new useAll new use2025
RSA< 2048-bitProhibitedAll useSunset
ECDSAP-384 (secp384r1)Code signing, internal PKI, API signingN/AActive
ECDSAP-256 (secp256r1)TLS certificates, standard useHigh-security applicationsActive
Ed25519256-bitSSH keys, service authentication, signaturesN/AActive
X25519256-bitKey exchange (TLS 1.3)N/AActive

2.3 Hashing Algorithms

AlgorithmApproved UseProhibited UseNotes
SHA-256General hashing, HMAC, integrityPassword hashing aloneStandard choice
SHA-384High-security hashing, code signingN/AWhen SHA-256 insufficient
SHA-512High-security hashingN/AAlternative to SHA-384
SHA-1Prohibited for securityAll security purposesLegacy compatibility only
MD5ProhibitedAll security purposesChecksums only (non-security)
BLAKE2bContent addressing, high-performanceN/AApproved for specific use cases
BLAKE3High-performance hashingN/AApproved for specific use cases

2.4 Password Hashing Algorithms

AlgorithmParametersApproved UseNotes
Argon2idMemory: 64MB, Iterations: 3, Parallelism: 4New password storagePreferred
bcryptCost factor: 12 minimumLegacy password storageMigration to Argon2id
scryptN: 32768, r: 8, p: 1Alternative to Argon2idApproved
PBKDF2310,000 iterations (SHA-256)Legacy systems onlyMigrate to Argon2id
SHA-1/MD5AnyProhibitedImmediate migration required
PlaintextN/AProhibitedSecurity incident if discovered

2.5 Key Derivation Functions

FunctionParametersApproved Use
HKDF (RFC 5869)SHA-256 or SHA-384Deriving keys from shared secrets
Argon2idAs specified abovePassword-based key derivation
PBKDF2310,000 iterations minimumLegacy key derivation
scryptAs specified abovePassword-based key derivation

Transport Layer Security

3.1 TLS Version Requirements

Protocol VersionStatusUse CaseConfiguration
TLS 1.3PreferredAll new connections, public endpointsPrimary
TLS 1.2ApprovedBackward compatibilityWith approved cipher suites only
TLS 1.1ProhibitedN/ABlocked at load balancer
TLS 1.0ProhibitedN/ABlocked at load balancer
SSL 3.0ProhibitedN/ABlocked
SSL 2.0ProhibitedN/ABlocked

3.2 Approved TLS Cipher Suites

TLS 1.3 Cipher Suites (Preferred):

Cipher SuiteKey ExchangeEncryptionHashStatus
TLS_AES_256_GCM_SHA384ECDHE/DHEAES-256-GCMSHA-384Preferred
TLS_CHACHA20_POLY1305_SHA256ECDHE/DHEChaCha20-Poly1305SHA-256Approved
TLS_AES_128_GCM_SHA256ECDHE/DHEAES-128-GCMSHA-256Approved

TLS 1.2 Cipher Suites (Approved for compatibility):

Cipher SuiteKey ExchangeEncryptionHashStatus
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384ECDHE-RSAAES-256-GCMSHA-384Approved
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384ECDHE-ECDSAAES-256-GCMSHA-384Approved
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256ECDHE-RSAAES-128-GCMSHA-256Approved
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256ECDHE-ECDSAAES-128-GCMSHA-256Approved
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256ECDHE-RSAChaCha20-Poly1305SHA-256Approved

Prohibited Cipher Suites:

CategoryExamplesReason
Non-PFSRSA key exchangeNo forward secrecy
CBC modeCBC ciphersVulnerable to padding attacks
Export ciphersEXPORTWeak encryption
NULL ciphersNULLNo encryption
AnonymousanonNo authentication
RC4RC4Broken algorithm
DES/3DESDES, 3DESWeak/deprecated

3.3 Certificate Requirements

Certificate TypeKey AlgorithmKey SizeValidityCA Requirement
Public TLS (customer-facing)ECDSA P-256 or RSAP-256 or 2048+ RSA1 year maximumPublic CA (ACM)
Internal mTLSECDSA P-384P-3841 yearInternal PKI
Code signingECDSA P-384P-3842 yearsInternal PKI
API signingEd25519256-bit1 yearInternal PKI

3.4 HTTP Security Headers

HeaderValuePurpose
Strict-Transport-Securitymax-age=31536000; includeSubDomains; preloadForce HTTPS
Content-Security-Policyscript-src 'self'; ...Prevent XSS
X-Content-Type-OptionsnosniffPrevent MIME sniffing
X-Frame-OptionsDENYPrevent clickjacking
Referrer-Policystrict-origin-when-cross-originControl referrer

Encryption at Rest

4.1 Database Encryption

DatabaseEncryption MethodAlgorithmKey ManagementVerification
Amazon RDS (PostgreSQL)Storage encryption (TDE)AES-256AWS KMS CMKAWS Config rule
Field-level (sensitive)Application encryptionAES-256-GCMTenant-specific DEKsApplication audit
BackupsBackup encryptionAES-256Separate backup CMKBackup policy

Field-Level Encryption Implementation:

Data TypeEncryption RequiredDEK ScopeExamples
SSN/Tax IDRequiredPer-tenantSocial Security Number
Payment tokensRequiredPer-tenantStripe tokens
PHI fieldsRequired (BAA customers)Per-tenantMedical record numbers
API secretsRequiredPer-tenantIntegration credentials
PII (configurable)Customer-configurablePer-tenantEmail, phone

4.2 Object Storage Encryption

Storage TypeEncryption MethodAlgorithmKeyVerification
Amazon S3SSE-KMSAES-256Per-bucket CMKBucket policy
S3 (backups)SSE-KMSAES-256Dedicated backup CMKBackup policy
S3 (logs)SSE-KMSAES-256Logging CMKLog configuration

S3 Bucket Policy Requirements:

RequirementImplementationEnforcement
Encryption requiredDeny unencrypted uploadsBucket policy
TLS requiredDeny HTTP requestsBucket policy
Versioning enabledObject versioningBucket configuration
Access loggingS3 access logsBucket configuration

4.3 Block Storage Encryption

Storage TypeEncryption MethodAlgorithmKeyVerification
Amazon EBSEBS encryptionAES-256AWS managed or CMKLaunch template
Instance storageEBS encryptionAES-256AWS managedAMI configuration
Root volumesEBS encryptionAES-256AWS managedLaunch template

4.4 Endpoint Encryption

PlatformEncryption MethodAlgorithmKey ManagementVerification
macOSFileVault 2AES-256-XTSDevice TPM + MDM escrowMDM compliance
WindowsBitLockerAES-256Device TPM + MDM escrowMDM compliance
LinuxLUKSAES-256-XTSDevice passphraseDevice policy
Mobile (iOS)iOS encryptionAES-256Secure EnclaveMDM compliance
Mobile (Android)File-based encryptionAES-256Device keyMDM compliance

Key Management

5.1 Key Management Architecture

Acme Cloud uses AWS Key Management Service (KMS) as the primary key management platform with the following hierarchy:

Key LevelDescriptionStorageRotation
Root keysAWS KMS CMKsAWS HSM (FIPS 140-2 Level 3)Annual automatic
Key Encryption Keys (KEKs)CMKs for encrypting DEKsAWS KMSAnnual automatic
Data Encryption Keys (DEKs)Keys encrypting data directlyEncrypted by KEKPer-operation or periodic
Session keysTLS session keysMemory onlyPer-session

5.2 Key Lifecycle Management

PhaseRequirementsImplementationVerification
GenerationCryptographically secure randomAWS KMS GenerateDataKeyKMS API audit
DistributionNever transmit plaintextEnvelope encryptionArchitecture review
StorageHardware-protected, access-controlledAWS KMS, HSM-backedKMS configuration
UseLeast privilege, audit loggingIAM policies, CloudTrailAccess reviews
RotationScheduled, documentedAutomatic KMS rotationRotation logs
ArchivalEncrypted, access-controlledN/A (KMS handles)N/A
DestructionCryptographic erasure, 7-30 day waitKMS ScheduleKeyDeletionDeletion logs

5.3 Key Rotation Schedule

Key TypeRotation PeriodRotation MethodVerification
KMS CMKs365 daysAutomatic KMS rotationCloudTrail logs
Database DEKsPer-write (envelope)AutomaticApplication logs
TLS certificates60 days before expiryACM auto-renewalCertificate monitoring
mTLS certificates30 days before expiryPKI auto-renewalPKI monitoring
SSH keys365 daysManual rotationKey inventory audit
API keys90 daysAutomated rotationSecrets Manager logs
Service account credentials90 daysAutomated rotationSecrets Manager logs

5.4 Key Access Controls

RoleKMS PermissionsUse Case
KMS Administratorkms:Create*, kms:Put*, kms:Delete*, kms:Enable*, kms:Disable*Key management
Applicationkms:Encrypt, kms:Decrypt, kms:GenerateDataKeyData encryption
Auditorkms:Describe*, kms:List*, kms:Get*Compliance review
Securitykms:* (scoped to security keys)Security operations

5.5 Customer-Managed Keys (Enterprise)

Enterprise customers may bring their own keys (BYOK):

CMK FeatureImplementationCustomer Responsibility
Key provisionCustomer creates CMK, grants Acme Cloud accessKey creation, IAM policy
Cross-account accessIAM role assumptionGrant Acme Cloud IAM role
Key rotationCustomer-managedRotation configuration
Key revocationRemove IAM grantImmediate data access loss
AuditCloudTrail in customer accountLog monitoring

CMK Provisioning Process:

StepActionOwner
1Customer creates KMS CMKCustomer
2Customer configures key policyCustomer
3Customer grants Acme Cloud IAM role accessCustomer
4Acme Cloud validates key accessAcme Cloud
5Acme Cloud configures tenant to use CMKAcme Cloud
6Data encrypted with customer CMKAcme Cloud

Certificate Management

6.1 Certificate Inventory

Certificate TypeIssuerValidityRenewal Automation
Public TLS (*.acmecloud.com)AWS ACM13 monthsAutomatic (60 days)
Internal mTLSAcme Cloud Internal CA1 yearAutomatic (30 days)
Code signingAcme Cloud Internal CA2 yearsManual (60 days)
SAML signingAcme Cloud Internal CA3 yearsManual (90 days)

6.2 Certificate Lifecycle

PhaseProcessAutomationMonitoring
IssuanceCSR generation, CA signingTerraform + ACM/PKIInventory update
DeploymentCertificate installationTerraform + config managementDeployment verification
MonitoringExpiration trackingCertificate monitoring60/30/14/7-day alerts
RenewalNew certificate issuanceAutomatic for ACMRenewal verification
RevocationCRL/OCSP updateManual processRevocation verification
ExpirationCertificate removalPrevented by monitoringExpiration alerts

6.3 Certificate Revocation

Revocation TriggerResponse TimeProcess
Key compromiseImmediateEmergency rotation, incident response
Employee departure24 hoursCertificate revocation, CRL update
Service decommissionPlannedCertificate revocation
Algorithm deprecationPer timelinePlanned migration

Cryptographic Incident Response

7.1 Cryptographic Incidents

Incident TypeSeverityResponseNotification
Key compromiseSEV1Immediate rotation, forensicsCustomer within 24 hours
Algorithm vulnerabilityVariesAssess impact, plan migrationAdvisory if affected
Certificate compromiseSEV1Immediate revocationCustomer within 24 hours
Weak encryption discoveredSEV2Remediation planInternal escalation
Encryption failureSEV2Investigation, remediationCustomer if data affected

7.2 Key Compromise Response (IR-CRYPTO-001)

Step 1: Detection and Confirmation (0-30 minutes) 1.1. Alert received or compromise reported 1.2. Initial assessment and severity classification 1.3. Incident commander assigned

Step 2: Containment (0-2 hours) 2.1. Isolate affected systems if necessary 2.2. Rotate compromised keys immediately 2.3. Revoke associated certificates 2.4. Update access controls

Step 3: Assessment (2-24 hours) 3.1. Determine scope of compromise 3.2. Identify affected data 3.3. Preserve forensic evidence 3.4. Assess regulatory notification requirements

Step 4: Remediation (24-72 hours) 4.1. Complete key rotation across all affected systems 4.2. Re-encrypt affected data if necessary 4.3. Deploy additional controls 4.4. Verify remediation effectiveness

Step 5: Recovery and Reporting (72 hours - 5 days) 5.1. Confirm normal operations 5.2. Complete incident report 5.3. Conduct post-incident review 5.4. Implement lessons learned

Post-Quantum Cryptography Readiness

8.1 PQC Transition Strategy

Acme Cloud is preparing for the transition to post-quantum cryptography:

PhaseTimelineActivities
Assessment2025-2026Cryptographic inventory, dependency mapping
Planning2026-2027Migration planning, hybrid protocol testing
Pilot2027-2028Hybrid PQC deployment for internal services
Migration2028-2030Production PQC deployment

8.2 PQC Algorithm Roadmap

AlgorithmNIST StatusAcme Cloud PlanTarget Use Case
ML-KEM (Kyber)Standardized (FIPS 203)Pilot 2027Key encapsulation
ML-DSA (Dilithium)Standardized (FIPS 204)Pilot 2027Digital signatures
SLH-DSA (SPHINCS+)Standardized (FIPS 205)EvaluationStateless signatures
Hybrid TLSIn developmentPilot 2027Transport security

8.3 Cryptographic Agility Preparation

Preparation AreaCurrent StateTarget State
Algorithm abstractionPartialFull abstraction layer
Key length flexibilityFixed in some systemsConfigurable
Protocol versioningTLS version negotiationAlgorithm negotiation
Testing capabilityManualAutomated algorithm testing

Compliance Monitoring

9.1 Encryption Compliance Checks

CheckScopeFrequencyTool
TLS configurationAll endpointsContinuousSSL Labs, Datadog
Certificate expirationAll certificatesDailyCertificate monitoring
S3 encryptionAll bucketsContinuousAWS Config
EBS encryptionAll volumesContinuousAWS Config
RDS encryptionAll databasesContinuousAWS Config
Secrets rotationAll secretsWeeklySecrets Manager audit

9.2 Compliance Dashboards

DashboardContentAudienceUpdate Frequency
Encryption ComplianceOverall encryption statusSecurity LeadershipDaily
Certificate StatusCertificate inventory, expirationSecurity OperationsReal-time
Key RotationRotation complianceSecurity OperationsWeekly
Vulnerability StatusCryptographic vulnerabilitiesSecurity EngineeringDaily

9.3 Audit Evidence

Evidence TypeSourceRetentionAudit Use
KMS audit logsCloudTrail7 yearsSOC 2, ISO 27001
TLS configurationSSL Labs scans1 yearPenetration testing
Certificate inventoryPKI systemCurrent + 1 yearCompliance review
Encryption settingsAWS Config7 yearsSOC 2, ISO 27001
Rotation recordsSecrets Manager7 yearsSOC 2, ISO 27001

Developer Guidelines

10.1 Approved Cryptographic Libraries

LanguageLibraryUse CaseVersion
Node.jscrypto (built-in)General cryptographyCurrent LTS
Node.js@aws-sdk/client-kmsKMS operationsLatest
Node.jsargon2Password hashing0.31+
PythoncryptographyGeneral cryptography41.0+
Pythonboto3KMS operationsLatest
Gocrypto (standard library)General cryptographyCurrent
Goaws-sdk-go-v2KMS operationsLatest

10.2 Prohibited Practices

PracticeReasonCorrect Approach
Hardcoded secretsExposure riskUse Secrets Manager
Custom crypto algorithmsLikely insecureUse approved libraries
ECB modePattern leakageUse GCM or CBC+HMAC
MD5/SHA-1 for securityCollision vulnerabilitiesUse SHA-256+
Plaintext password storageDirect exposureUse Argon2id
Static IVs/noncesBreaks encryptionGenerate random per operation
Key in source codeVersion control exposureUse KMS
Self-signed certs (production)Trust issuesUse CA-issued

10.3 Code Review Checklist

Review ItemPass Criteria
Secrets handlingNo hardcoded secrets, proper injection
Algorithm selectionApproved algorithms only
Key managementKMS or approved vault
Random generationCryptographically secure source
TLS configurationApproved cipher suites
Password handlingApproved hashing algorithm
Certificate validationProper chain verification

Framework Mapping Appendix

SOC 2 Trust Services Criteria Mapping

TSCControlAcme Cloud ImplementationEvidence
CC6.1Encryption keys protectedKMS with IAM controlsKMS policies
CC6.7Data encrypted in transitTLS 1.2+, mTLSTLS configuration
CC6.7Data encrypted at restAES-256, KMSEncryption settings
CC6.7Encryption key managementKMS lifecycle, rotationRotation logs

ISO 27001 Annex A Mapping

ControlAcme Cloud ImplementationEvidence
A.10.1.1Cryptographic controls policyThis document
A.10.1.2Key managementKMS, rotation, destruction
A.13.2.1Network security controlsTLS requirements
A.14.1.2Application securitySecure coding guidelines
A.14.1.3System protectionEncryption requirements

NIST SP 800-53 Mapping

ControlAcme Cloud ImplementationEvidence
SC-8Transmission confidentialityTLS 1.2+
SC-12Key managementKMS, key lifecycle
SC-13Cryptographic protectionApproved algorithms
SC-17PKI certificatesCertificate management
SC-28Protection at restAES-256 encryption

HIPAA Technical Safeguards Mapping

HIPAA SectionRequirementAcme Cloud ImplementationEvidence
§164.312(a)(2)(iv)Encryption (addressable)AES-256 at restEncryption settings
§164.312(e)(1)Transmission securityTLS 1.2+TLS configuration
§164.312(e)(2)(ii)Encryption (transmission)TLS for PHINetwork architecture

Related Trust Center documents

security overview, access control, backup recovery, data retention, hipaa statement, penetration testing

Document revision history

VersionDateAuthorSummary of changes
1.02024-06-01Legal & ComplianceInitial Trust Center publication
2.02025-03-15GRC ProgramSOC 2 Type II alignment refresh; expanded subprocessors
2.52025-09-01Security EngineeringEncryption standards update; ISO 27001 mapping
3.02026-01-15Trust Center ProgramFull procurement-grade expansion; 34-document set

Contact

Acme Cloud, Inc. 1200 Market Street, Suite 400 San Francisco, CA 94103, USA

ChannelEmailUse case
Trust & procurementtrust@acmecloud.comSecurity questionnaires, trust reviews
Securitysecurity@acmecloud.comIncidents, vulnerabilities, control questions
Privacyprivacy@acmecloud.comDSRs, privacy assessments
Legallegal@acmecloud.comContractual, DPA, legal notices
Last updated: January 15, 2026
EthicPages logoEthicPages