Encryption Keys
Encryption is a fundamental security control used by Philterd Data Services to protect documents and data at rest. This document describes how encryption keys are managed and used within the system.
Philterd Data Services ensures that all sensitive data, including uploaded documents and processed data, is encrypted when stored on disk. This protects against unauthorized access to the underlying storage media.
The system uses industry-standard AES-256 encryption in Galois/Counter Mode (GCM). This provides both data confidentiality and authenticity.
Data at Rest
Encryption at rest covers:
- Documents: All uploaded documents (PDFs, DOCX, images, etc.) are encrypted before being saved to storage.
- Data: Data generated during processing, such as changesets and ledgers, is encrypted at rest.
By combining robust AES-256 encryption with flexible key management options, Philterd Data Services provides a high level of security for your sensitive information.
Key Management
Philterd Data Services offers two modes of encryption key management:
System-Generated Keys (Default)
By default, Philterd Data Services automatically generates and manages encryption keys for you. These keys are cryptographically strong and unique to your account. This ensures that your data is protected from the moment you start using the service without requiring any manual configuration.
User-Provided Keys (Bring Your Own Key - BYOK)
For organizations with strict security requirements or compliance mandates, Philterd Data Services supports Bring Your Own Key (BYOK). This allows you to provide your own encryption key, giving you ultimate control over the encryption of your data.
When you provide your own key:
- The key must be a 256-bit AES key.
- The key must be provided in Base64-encoded format.
- All new documents and data stored at rest will be encrypted using the most recently provided key. Previously saved data will continue to be encrypted with the key in use at the time of its creation.
Managing Your Encryption Key
You can manage your encryption key through the Philterd Data Services Dashboard:
- Log in to the Dashboard.
- Navigate to the Security view.
- Select the Encryption Key tab.
- Here you can see whether you are currently using a system-generated key or a customer-provided key.
- To provide your own key, click the Use my own encryption key button and provide your Base64-encoded 256-bit key.
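The following is an added example, not code from Philterd Data Services: one way to create a key that meets the BYOK requirements above (256-bit, Base64-encoded) and to check a candidate key locally before submitting it. The function names and the two randomness heuristics are assumptions of this example.

```python
import base64
import binascii
import secrets

KEY_BYTES = 32  # 256 bits, the key size required for BYOK


def generate_byok_key() -> str:
    """Return a fresh 256-bit key from the OS CSPRNG, Base64-encoded."""
    return base64.b64encode(secrets.token_bytes(KEY_BYTES)).decode("ascii")


def validate_byok_key(encoded: str) -> bytes:
    """Decode a Base64 key; raise ValueError unless it is a plausible 256-bit key."""
    try:
        # validate=True rejects characters outside the standard Base64 alphabet.
        raw = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key is not valid standard Base64") from exc
    if len(raw) != KEY_BYTES:
        # Catches AES-128 keys and Base64-encoded hex strings (64 bytes).
        raise ValueError(f"key is {len(raw) * 8} bits, expected {KEY_BYTES * 8}")
    # Heuristics chosen for this example: random keys are essentially never
    # all printable ASCII or built from only a few distinct byte values.
    if all(0x20 <= b <= 0x7E for b in raw):
        raise ValueError("key is printable text; use random bytes, not a passphrase")
    if len(set(raw)) < 16:
        raise ValueError("key has too few distinct byte values to be random")
    return raw


if __name__ == "__main__":
    key = generate_byok_key()
    validate_byok_key(key)
    print(key)  # Base64 value to paste into the dashboard's key field
```
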