Skip to main content

Tenant Encryption Key Model

OP-041 freezes the Phase 1 tenant encryption key model.

What Changed

Accepted ADR-0018 for platform-managed per-tenant envelope encryption.
Added the architecture contract for tenant key refs, key purposes, lifecycle states, rotation behavior, and audit expectations.
Documented the logical key ref format: opk://tenant/{tenant_id}/{purpose}/{version}.

What This Enables

Future S3/KMS-backed auditor exports.
Future evidence object encryption.
Future browser SSH recording encryption.
Future sensitive agent identity metadata encryption.
Future BYOK as an additive Phase 2 capability.

Not Included

No AWS KMS runtime calls.
No S3 migration for current export artifacts.
No BYOK implementation.
No deployment, Terraform, Helm, or CI change.

What Changed
What This Enables
Not Included