Encryption & Hashing Standards
| Field | Value |
|---|---|
| Document ID | STD-008 |
| Classification | Internal |
| Owner | CTO (interim CISO) |
| Effective Date | April 2026 |
| Review Cycle | Annual |
This document outlines our standards for encrypting and hashing data across the Wealthy platform.
Password and PIN Security
We never store passwords or PINs in plaintext. All user credentials are hashed using industry-standard algorithms with a unique salt for each credential to prevent rainbow table attacks.
| Requirement | Implementation |
|---|---|
| Hashing Algorithm | Industry-standard, salted hashing (e.g., bcrypt, Argon2) |
| Salt Generation | Unique per password/PIN |
| Storage | Hashed values only — no plaintext |
Communication Encryption
Internal Traffic
All internal service-to-service communication occurs within our encrypted Virtual Private Cloud (VPC) network, which provides network-level isolation and encryption.
External Traffic
All external web and API traffic is encrypted using HTTPS with TLS 1.2 or higher. Our TLS certificates are managed and automatically renewed by Cloudflare.
Secret and Key Management
All sensitive keys, credentials, and secrets are stored and encrypted in AWS Secrets Manager.
- No Hardcoded Secrets: Secrets are never stored in code or configuration files.
- Runtime Retrieval: Keys are pulled securely by services during pod initialization.
- Key Rotation: We rotate keys according to our operational requirements.
This approach ensures separation of concerns, provides a clear audit trail, and allows us to follow the principle of least privilege.
Data Encryption
At Rest
All sensitive data is encrypted at rest.
| Data Store | Encryption Method |
|---|---|
| Databases (PostgreSQL, MongoDB) | Managed encryption (provided by GCP/AWS) |
| File Storage (S3) | AES-256 server-side encryption |
| Backups | Encrypted using managed keys |
In Transit
All data in transit is encrypted using TLS 1.2 or higher. This covers API calls, service-to-service communication, database connections, and external integrations.
Approved Algorithms
| Algorithm | Use Case |
|---|---|
| AES-256 | Data at rest (symmetric encryption) |
| RSA (2048-bit min) | Key exchange and digital signatures |
| TLS 1.3 | Transport encryption (TLS 1.2 is the minimum) |
| SHA-256 | Password hashing and data integrity |
Deprecated Algorithms
The following algorithms are not permitted for any security purpose:
- MD5, SHA-1
- DES, 3DES
- SSL (any version), TLS 1.0, TLS 1.1
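
One way to check configuration files against the deprecated list above, as an added example that is not part of the original standard or Wealthy's own tooling. The `scan` function, the pattern table, and the sample configuration are hypothetical, and the token spellings matched (such as `TLSv1_1` or `DES-CBC3`) are assumptions about common config syntax.

```python
import re

# Patterns for the deprecated list in this standard. The spellings matched
# (e.g. "TLSv1_1", "DES-CBC3") are assumptions about common config syntax.
DEPRECATED = {
    "MD5": r"(?<![A-Za-z0-9])MD5(?!\d)",
    "SHA-1": r"(?<![A-Za-z0-9])SHA-?1(?!\d)",          # not SHA-256 etc.
    "3DES": r"(?<![A-Za-z0-9])(?:3DES|TripleDES|DES-CBC3|DES-EDE3?)",
    "DES": r"(?<![A-Za-z0-9])DES(?![A-Za-z0-9])(?!-CBC3|-EDE)",
    "SSL": r"(?<![A-Za-z0-9])SSLv?[23](?!\d)",         # SSLv2 / SSLv3
    "TLS 1.0": r"TLS[ _]?v?1(?:[._]0)?(?![._]?\d)",    # bare "TLSv1" means 1.0
    "TLS 1.1": r"TLS[ _]?v?1[._]1(?!\d)",
}
_COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in DEPRECATED.items()}


def scan(text):
    """Return (line_number, algorithm, matched_token) for each deprecated name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in _COMPILED.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, m.group(0)))
    return findings


# Constructed sample configuration, not taken from any real system.
SAMPLE_CONFIG = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA;
password_digest = md5
file_checksum = sha256
signature_alg = sha1WithRSAEncryption
"""

if __name__ == "__main__":
    for lineno, name, token in scan(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} ({token!r}) is not permitted")
```

The lookarounds keep approved names such as TLSv1.2, AES256 and SHA384 from being flagged, and a bare `ssl_` directive prefix is ignored so only explicit SSLv2/SSLv3 versions match.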
Implementation Checklist
| Control | Status | Notes |
|---|---|---|
| Password hashing | ✅ Active | Salted hashing for all credentials. |
| TLS for external traffic | ✅ Active | TLS 1.2+ enforced. |
| Secrets in AWS Secrets Manager | ✅ Active | All secrets managed centrally. |
| Database encryption at rest | ✅ Active | Enabled on all databases. |
| S3 encryption | ✅ Active | All buckets encrypted. |