Tenant Encryption Key Model
ADR-0018 accepts the Phase 1 tenant encryption key model. It is a contract and architecture guardrail only; no runtime KMS, S3 migration, deployment, or BYOK implementation was added.
Model
OneProtect uses platform-managed envelope encryption:
platform KMS wrapping key
-> encrypted tenant data-encryption key
-> encrypted tenant artifact or sensitive field group
Tenant key refs use:
opk://tenant/{tenant_id}/{purpose}/{version}
Phase 1 purposes are export_artifact, evidence_object, ssh_recording,
agent_identity_sensitive, and integration_secret_ref.
Guardrails
- Key refs are metadata, not authorization.
- Runtime must resolve keys from authenticated tenant context and stored records, never caller-supplied tenant IDs.
- Plaintext key material, encrypted key blobs, CSR bodies, certificate PEM values, provider secrets, and decrypted object contents stay out of APIs, events, logs, audit records, UI, and exports.
- Key lifecycle and denied decrypt attempts are audit material.
- BYOK remains Phase 2 and must be additive.
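The model and guardrails above, as an added example that is not OneProtect project code: a platform wrapping key wraps per-tenant data-encryption keys, objects carry an opk:// key ref as metadata, and decrypt resolves the key from the authenticated tenant context rather than from the ref the caller hands in. The AEAD here is a constructed hashlib/hmac stand-in for a real cipher such as AES-GCM, and the class and function names (`PlatformKms`, `KeyService`, `AuthenticatedTenant`, `parse_key_ref`) are assumptions for illustration; the audit list records only key refs and outcomes, never key material or plaintext.

```python
"""Added example, not OneProtect code: envelope encryption with opk:// key refs
resolved from authenticated tenant context; audit carries no secrets."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Phase 1 purposes as listed in the ADR summary.
PHASE1_PURPOSES = frozenset({
    "export_artifact", "evidence_object", "ssh_recording",
    "agent_identity_sensitive", "integration_secret_ref",
})
KEY_REF_RE = re.compile(r"^opk://tenant/([A-Za-z0-9_-]+)/([a-z_]+)/(\d+)$")


def parse_key_ref(ref: str) -> tuple:
    """Validate opk://tenant/{tenant_id}/{purpose}/{version}; return its parts."""
    m = KEY_REF_RE.match(ref)
    if not m:
        raise ValueError("malformed key ref")
    tenant_id, purpose, version = m.group(1), m.group(2), int(m.group(3))
    if purpose not in PHASE1_PURPOSES:
        raise ValueError("unknown key purpose")
    return tenant_id, purpose, version


# Toy AEAD (constructed stand-in for AES-GCM): SHA-256 keystream + HMAC tag
# bound to associated data (the key ref), so a swapped ref fails to open.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    nonce = os.urandom(16)
    body = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + aad + body, "sha256").digest()
    return nonce + body + tag


def _aead_open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + aad + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, body)


@dataclass
class PlatformKms:
    """Platform wrapping key: tenant DEKs exist in plaintext only inside here."""
    _wrapping_key: bytes = field(default_factory=lambda: os.urandom(32))

    def wrap(self, dek: bytes, key_ref: str) -> bytes:
        return _aead_seal(self._wrapping_key, dek, key_ref.encode())

    def unwrap(self, wrapped: bytes, key_ref: str) -> bytes:
        return _aead_open(self._wrapping_key, wrapped, key_ref.encode())


@dataclass
class AuthenticatedTenant:
    tenant_id: str  # taken from the verified session/token, never the request body


@dataclass
class KeyService:
    kms: PlatformKms
    wrapped_deks: dict = field(default_factory=dict)  # key_ref -> wrapped DEK blob
    audit: list = field(default_factory=list)         # key refs and outcomes only

    def create_key(self, ctx: AuthenticatedTenant, purpose: str, version: int = 1) -> str:
        ref = f"opk://tenant/{ctx.tenant_id}/{purpose}/{version}"
        parse_key_ref(ref)
        self.wrapped_deks[ref] = self.kms.wrap(os.urandom(32), ref)
        self.audit.append({"event": "key_created", "key_ref": ref})
        return ref

    def encrypt(self, ctx: AuthenticatedTenant, key_ref: str, plaintext: bytes) -> dict:
        dek = self._resolve(ctx, key_ref, "encrypt")
        return {"key_ref": key_ref, "ciphertext": _aead_seal(dek, plaintext, key_ref.encode())}

    def decrypt(self, ctx: AuthenticatedTenant, record: dict) -> bytes:
        dek = self._resolve(ctx, record["key_ref"], "decrypt")
        return _aead_open(dek, record["ciphertext"], record["key_ref"].encode())

    def _resolve(self, ctx: AuthenticatedTenant, key_ref: str, op: str) -> bytes:
        tenant_id, _, _ = parse_key_ref(key_ref)
        # The ref is metadata; the decision is made against the authenticated tenant.
        if tenant_id != ctx.tenant_id or key_ref not in self.wrapped_deks:
            self.audit.append({"event": f"{op}_denied", "key_ref": key_ref,
                               "actor_tenant": ctx.tenant_id})
            raise PermissionError("key not available to this tenant")
        return self.kms.unwrap(self.wrapped_deks[key_ref], key_ref)
```

A tenant B caller presenting tenant A's key ref gets a `PermissionError` and a `decrypt_denied` audit entry naming the ref and the acting tenant; inspecting `audit` shows neither the DEK nor any object contents, which is the property the guardrails ask for.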
Source Docs
docs/adr/ADR-0018-tenant-encryption-key-model.md
docs/architecture/tenant-encryption-key-model.md