SID-OPS-10 — Encryption-at-Rest and Secrets Management
| Property | Value |
|---|---|
| Owner | operator |
| Category | technical |
| CSF Function | protect |
| Group | Operational Controls |
Description
All persistent data stores in the wallet deployment MUST have encryption-at-rest enabled. Cryptographic secrets (JWT signing keys, HMAC secrets, API credentials, database passwords) MUST be managed via a secrets manager and MUST NOT appear in configuration files or container images.
Implementation requirements:
(1) Database encryption-at-rest: PostgreSQL MUST use storage-level encryption (e.g. LUKS or provider-native disk encryption). MongoDB (if deployed) MUST have the Encrypted Storage Engine enabled (an Enterprise/Atlas feature). Encryption MUST be verified as part of deployment validation. Note that storage-level encryption protects data on the media (lost disks, copied volumes or snapshots) but not against an attacker who already holds database or host access; it complements access control rather than replacing it.
(2) Secrets management: All runtime secrets MUST be injected via a secrets manager (e.g. HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or on Kubernetes the External Secrets Operator (ESO) backed by one of these). Secrets MUST NOT be present in Git, container images, or plain-text ConfigMaps; a workload references the secret (for example a Secret populated by ESO and exposed via secretKeyRef) rather than carrying its value.
(3) FaceTec data retention: biometric capture data MUST be deleted within the retention window specified in the operator's privacy policy and the FaceTec data processing agreement. Deletion evidence MUST be logged.
(4) Key rotation: JWT/HMAC signing keys MUST have a documented rotation schedule (recommended: ≤90 days for symmetric keys). Rotation MUST be tested and non-disruptive: the usual pattern is to identify each key by a kid in the token header and to keep the previous key valid for verification for an overlap window at least as long as the maximum token lifetime, so that tokens issued before rotation are not rejected.
(5) HSM / WSCA key material: HSM-resident keys MUST remain non-exportable. Access to the HSM administrative interface MUST be subject to dual control and logged.
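As an added worked example for requirement (4), not part of this control or of any wallet implementation, the following Python sketches a key ring that rotates an HS256 signing key on the recommended schedule without invalidating tokens issued under the previous key: every key carries a kid, only the current key signs, and a retired key keeps verifying for an overlap window. The KeyRing class, the ROTATION_PERIOD and OVERLAP constants and the in-memory dictionary that stands in for the secrets manager are assumptions of the example.

```python
"""Added example: HS256 signing-key rotation with key IDs and an overlap
window. Not part of the control text; the KeyRing API and constants are
assumptions, and the in-memory dict stands in for a secrets manager."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

ROTATION_PERIOD = 90 * 24 * 3600  # control recommends <=90 days for symmetric keys
OVERLAP = 24 * 3600               # retired key still verifies for this long;
                                  # choose OVERLAP >= the longest token TTL you issue


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Signing keys addressed by kid: one current key signs, retired keys verify
    until their overlap window ends. In production the entries would be read
    from and written to the secrets manager (assumption: in-memory here)."""

    def __init__(self) -> None:
        self._keys: Dict[str, dict] = {}
        self.current_kid: Optional[str] = None

    def needs_rotation(self, now: float) -> bool:
        if self.current_kid is None:
            return True
        return now - self._keys[self.current_kid]["created_at"] >= ROTATION_PERIOD

    def rotate(self, now: float) -> str:
        """Mint a new key, make it current, start the overlap clock on the old one."""
        if self.current_kid is not None:
            self._keys[self.current_kid]["retired_at"] = now
        kid = f"{int(now)}-{secrets.token_hex(4)}"
        self._keys[kid] = {"secret": secrets.token_bytes(32),
                           "created_at": now, "retired_at": None}
        self.current_kid = kid
        # Drop keys whose overlap window has already closed.
        self._keys = {k: v for k, v in self._keys.items()
                      if v["retired_at"] is None or now < v["retired_at"] + OVERLAP}
        return kid

    def sign(self, claims: dict, now: float, ttl: int = 3600) -> str:
        header = {"alg": "HS256", "typ": "JWT", "kid": self.current_kid}
        payload = dict(claims, iat=int(now), exp=int(now) + ttl)
        signing_input = ".".join(
            b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
        mac = hmac.new(self._keys[self.current_kid]["secret"],
                       signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url(mac)}"

    def verify(self, token: str, now: float) -> Optional[dict]:
        """Claims on success, None on any failure (malformed, wrong alg, unknown or
        expired kid, bad MAC, expired token). The kid selects the key; the alg
        is fixed so the token cannot downgrade it."""
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(b64url_decode(h64))
            sig = b64url_decode(s64)
        except ValueError:
            return None
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        kid = header.get("kid")
        entry = self._keys.get(kid) if isinstance(kid, str) else None
        if entry is None:
            return None
        if entry["retired_at"] is not None and now >= entry["retired_at"] + OVERLAP:
            return None
        expected = hmac.new(entry["secret"], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(b64url_decode(p64))  # parsed only after the MAC checks out
        if now >= claims.get("exp", 0):           # tokens without exp are rejected
            return None
        return claims
```

A scheduled job would call needs_rotation and rotate, writing the new entry to the secrets manager before the verifiers reload; because the verifier never accepts a key older than its overlap window and never lets the token choose the algorithm, the rotation test in the procedure reduces to: tokens issued just before rotation verify until their exp, tokens issued after rotation carry the new kid, and nothing signed under a key retired longer than OVERLAP is accepted.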
Review criteria:
- deployment configuration (manifests, container images, environment files) reviewed confirming no plaintext secrets;
- encryption-at-rest confirmed via the cloud/provider console or a configuration audit of the volumes holding wallet data;
- secrets manager integration documented and tested;
- key rotation procedure documented.
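As an added example for the first review criterion, not part of this control, the following Python scanner checks rendered deployment files for literal secrets: values under secret-like key names, well-known credential formats (AWS access key IDs, PEM private keys, JWTs) and high-entropy literals under innocuous names, while accepting references into a Secret or a secrets manager (secretKeyRef, ExternalSecret remoteRef). The manifests and .env file in SAMPLE_FILES are constructed for the example (the AWS key ID is Amazon's documented example value), and the function names, regexes and entropy thresholds are the example's own choices.

```python
"""Added example: a line-oriented plaintext-secret scanner for deployment
review. Not from the control text; sample files, names and thresholds are
constructed for the example."""
import math
import re
from typing import Dict, List, Optional, Tuple

# Field names whose value is a *reference* (Kubernetes secretKeyRef, ESO
# remoteRef, ...) rather than a secret; never flag them on name alone.
REF_FIELDS = {"secretkeyref", "secretkey", "secretname", "secretstoreref",
              "remoteref", "valuefrom"}
# Key names that must never carry a literal value in rendered config.
SECRET_NAME_RE = re.compile(
    r"(?i)(passw(or)?d|secret|token|api[_-]?key|private[_-]?key|"
    r"signing[_-]?key|access[_-]?key|hmac|credential)")
# Well-known credential formats, matched against the whole line.
KNOWN_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
}
KV_RE = re.compile(r'^\s*-?\s*"?([A-Za-z0-9_./-]+)"?\s*[:=]\s*(.*?)\s*$')  # YAML or .env
PLACEHOLDER_RE = re.compile(r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]*>|null|~)?$")

Finding = Tuple[str, int, str, Optional[str]]  # (file, line number, reason, key)


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.6 for random base64, <=4.0 for hex, ~3.5 for prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def looks_random(value: str) -> bool:
    """Entropy fallback for secrets hiding under innocuous key names."""
    if len(value) < 20 or " " in value:
        return False
    threshold = 3.5 if re.fullmatch(r"[0-9a-fA-F]+", value) else 4.2  # hex maxes out at 4.0
    return shannon_entropy(value) > threshold


def scan_text(name: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kv = KV_RE.match(line)
        key = kv.group(1) if kv else None
        value = kv.group(2).strip("\"'") if kv else ""
        hit = next((r for r, p in KNOWN_PATTERNS.items() if p.search(line)), None)
        if hit:
            findings.append((name, lineno, hit, key))
            continue
        if not kv or key.lower() in REF_FIELDS or PLACEHOLDER_RE.match(value):
            continue  # no literal here: a reference, a template variable or a nested block
        if SECRET_NAME_RE.search(key):
            findings.append((name, lineno, "secret-like key with literal value", key))
        elif looks_random(value):
            findings.append((name, lineno, "high-entropy literal", key))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample input: a bad ConfigMap and .env beside the compliant
# Deployment (secretKeyRef) and ExternalSecret (remoteRef) that replace them.
SAMPLE_FILES = {
    "configmap.yaml": """kind: ConfigMap
data:
  DB_HOST: postgres.wallet.svc
  DB_PASSWORD: "Tr0ub4dor&3-wallet-prod"
  JWT_SIGNING_KEY: 4f3c2a9b8e1d7c6f5a4b3c2d1e0f9a8b7c6d5e4f
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSj
    -----END PRIVATE KEY-----
""",
    "app.env": """LOG_LEVEL=info
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
LICENSE_BLOB=q7X2mZp9Lw4RtB8nKf3Ys6Vd
""",
    "deployment.yaml": """containers:
  - name: wallet-api
    env:
      - name: DB_PASSWORD
        valueFrom:
          secretKeyRef:
            name: wallet-db-creds
            key: password
""",
    "externalsecret.yaml": """kind: ExternalSecret
spec:
  secretStoreRef:
    name: vault-backend
    kind: ClusterSecretStore
  target:
    name: wallet-db-creds
  data:
    - secretKey: password
      remoteRef:
        key: wallet/prod/postgres
        property: password
""",
}

if __name__ == "__main__":
    for file, lineno, reason, key in scan_files(SAMPLE_FILES):
        print(f"{file}:{lineno}: {reason}" + (f" ({key})" if key else ""))
```

Run against the rendered output of the deployment (helm template, kustomize build, the image's filesystem) rather than the source tree alone, so templated values are checked after substitution; the ConfigMap and .env lines are the findings, and the Deployment and ExternalSecret produce none because they only name the Secret and the path in the secrets manager.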
Components
- PostgreSQL Database
- WSCA / HSM
Source References
Framework Requirements
ISO 27001 Annex A: A.8.24