# ==============================================================================
# ExpenseFlow - Encryption Configuration
# Issue #827: End-to-End Encryption for Sensitive Data
# ==============================================================================
# This file is a template (.env.encryption.example). Copy it to a real .env,
# replace every placeholder ("CHANGE-ME", "your-...") and keep the real file
# out of version control. Every secret in it (KEK_PASSWORD, JWT_SECRET,
# REQUEST_INTEGRITY_SECRET, EMAIL_PASS, AWS_SECRET_ACCESS_KEY, HSM_*) should be
# injected from a secrets manager in production rather than written to disk.
# ==============================================================================
# Database Configuration
# ==============================================================================
# Connection URIs may embed credentials; if they do, treat them as secrets and
# do not log them.
MONGODB_URI=mongodb://localhost:27017/expenseflow
REDIS_URL=redis://localhost:6379
# ==============================================================================
# Server Configuration
# ==============================================================================
PORT=3000
# NODE_ENV=production is also a checklist item below; the strict-mode and
# HTTPS expectations further down assume it.
NODE_ENV=production
# Public origin of the frontend. Used alongside ALLOWED_WS_ORIGINS below; keep
# the two consistent (scheme and host must match exactly).
FRONTEND_URL=https://your-domain.com
# ==============================================================================
# CRITICAL: Key Management Configuration
# ==============================================================================
# Master Key Encryption Key (KEK) Password
# ⚠️ MUST be at least 32 characters
# ⚠️ NEVER commit this to version control
# ⚠️ Store in AWS Secrets Manager, Azure Key Vault, or similar in production
# Generate with `openssl rand -base64 32` (44 characters, see note 1 below).
# This password protects the master KEK via PBKDF2 (KEY_DERIVATION_ITERATIONS);
# losing it means the encrypted KEK at KEK_PATH cannot be recovered.
KEK_PASSWORD=CHANGE-ME-to-a-very-strong-password-with-at-least-32-characters
# Path to store encrypted master KEK
# Default: ./keys/master.kek
# Production: Use secure, backed-up storage location
# Restrict filesystem permissions so only the service account can read the
# file, and keep it outside the web root and any directory that is deployed or
# committed. The KEK is encrypted under KEK_PASSWORD, so both the file and the
# password are needed to recover it (note 5 below).
KEK_PATH=/secure/path/to/master.kek
# ==============================================================================
# Encryption Settings
# ==============================================================================
# Strict Mode: Reject requests with unencrypted sensitive data
#   false: unencrypted sensitive data is encrypted on receipt (development)
#   true:  requests carrying unencrypted sensitive data are rejected (production)
ENCRYPTION_STRICT_MODE=true
# Require encrypted headers for sensitive API endpoints
# NOTE(review): this template sets NODE_ENV=production and
# ENCRYPTION_STRICT_MODE=true but leaves header strictness off; confirm that
# false is the intended production value and add it to the checklist below
# once decided.
HEADER_ENCRYPTION_STRICT=false
# ==============================================================================
# Transport Security
# ==============================================================================
# Request Integrity Secret for HMAC signatures
# Used to prevent request tampering
# Generate it independently of KEK_PASSWORD and JWT_SECRET — never reuse one
# secret for two purposes. The placeholder name states the minimum: 32 chars.
REQUEST_INTEGRITY_SECRET=your-request-integrity-secret-min-32-chars
# Allowed WebSocket origins (comma-separated)
# List the exact origins (scheme + host) that may open WebSocket connections;
# presumably matched exactly against the Origin header — verify whether the
# parser trims whitespace before adding spaces after commas.
ALLOWED_WS_ORIGINS=https://your-domain.com,https://app.your-domain.com
# ==============================================================================
# Key Rotation Policy
# ==============================================================================
# Default key rotation period in days
KEY_ROTATION_PERIOD_DAYS=90
# Active algorithm for newly generated keys
# Supported: aes-256-gcm, aes-192-gcm, chacha20-poly1305
# All three are AEAD ciphers (confidentiality + integrity); aes-256-gcm is the
# usual default. Changing this affects only keys generated afterwards.
KEY_DEFAULT_ALGORITHM=aes-256-gcm
# PBKDF2 iterations used for KEK protection and backup encryption
# Higher counts slow offline guessing of KEK_PASSWORD at the cost of startup
# time. OWASP's current guidance is 600,000 for PBKDF2-HMAC-SHA256 and 210,000
# for PBKDF2-HMAC-SHA512 — check which PRF the code uses before keeping 210000.
# NOTE(review): confirm the iteration count is stored with the encrypted KEK;
# if it is not, changing this value will make an existing master.kek
# undecryptable.
KEY_DERIVATION_ITERATIONS=210000
# Grace period for deprecated keys (days)
# Deprecated keys are presumably still accepted for decryption during this
# window so that data encrypted under the old key can be re-encrypted — verify.
DEPRECATED_KEY_GRACE_PERIOD_DAYS=30
# Automatic rotation check interval (hours)
KEY_ROTATION_CHECK_INTERVAL=24
# ==============================================================================
# Compliance Configuration
# ==============================================================================
# Enable PCI DSS compliance mode
PCI_DSS_ENABLED=true
# Enable GDPR compliance mode
GDPR_ENABLED=true
# Data retention period (days)
# GDPR's storage-limitation principle requires keeping personal data only as
# long as necessary; it does not prescribe a fixed number. 365 is a starting
# point — set it from your documented data-processing policy.
DATA_RETENTION_DAYS=365
# ==============================================================================
# Monitoring & Alerting
# ==============================================================================
# Enable encryption metrics collection
ENCRYPTION_METRICS_ENABLED=true
# Alert on keys expiring within X days
# Keep this below KEY_ROTATION_PERIOD_DAYS so the alert fires before rotation
# is overdue.
KEY_EXPIRY_ALERT_DAYS=7
# Alert email for encryption-related issues
ENCRYPTION_ALERT_EMAIL=security@your-domain.com
# Comma-separated allowlist for key administration endpoints
# Only the listed identities may reach key-administration endpoints; keep the
# list short and review it whenever staff change roles.
ENCRYPTION_KEY_ADMIN_EMAILS=security-admin@your-domain.com
# ==============================================================================
# JWT Configuration
# ==============================================================================
# Secret used to sign session tokens. The placeholder is far too short for
# production: use a long random value (e.g. `openssl rand -base64 32`, as for
# KEK_PASSWORD) and never reuse KEK_PASSWORD or REQUEST_INTEGRITY_SECRET here.
JWT_SECRET=your-jwt-secret-key
# ==============================================================================
# Email Configuration (for alerts)
# ==============================================================================
EMAIL_HOST=smtp.your-provider.com
# 587 is the STARTTLS submission port; confirm the mail client enforces TLS.
EMAIL_PORT=587
EMAIL_USER=your-email@domain.com
# Secret — source from the secrets manager in production.
EMAIL_PASS=your-email-password
EMAIL_FROM=ExpenseFlow Security <security@your-domain.com>
# ==============================================================================
# Cloud Storage (for encrypted backups)
# ==============================================================================
# AWS S3 Configuration
# Where the platform supports it, prefer an IAM role / instance profile over
# long-lived static keys; if static keys are unavoidable, scope them to this
# bucket only and rotate them on the same schedule as the other secrets.
AWS_ACCESS_KEY_ID=your-aws-access-key
AWS_SECRET_ACCESS_KEY=your-aws-secret-key
AWS_REGION=us-east-1
# Backups written here are encrypted (note 2 below) with a password that must
# be stored separately from KEK_PASSWORD.
AWS_S3_BUCKET=expenseflow-encrypted-backups
# ==============================================================================
# Optional: Hardware Security Module (HSM)
# ==============================================================================
# Enable HSM for key storage (AWS CloudHSM, Azure Key Vault, etc.)
HSM_ENABLED=false
# HSM Configuration (if enabled)
# HSM_PROVIDER=aws-cloudhsm
# NOTE(review): raw key material in an environment variable undermines the
# purpose of an HSM (the key never leaving the device). Confirm with the HSM
# integration whether HSM_MASTER_KEY is an actual key or a key identifier /
# handle, and if it is a key, source it from the secrets manager only.
# HSM_MASTER_KEY=base64-encoded-32-byte-hsm-master-key
# HSM_CLUSTER_ID=your-cluster-id
# HSM_USER=your-hsm-user
# HSM_PASSWORD=your-hsm-password
# ==============================================================================
# Development Settings (DO NOT USE IN PRODUCTION)
# ==============================================================================
# Leave both of these commented out (unset) in production; the checklist below
# assumes neither is active.
# Skip encryption in development (NOT RECOMMENDED)
# SKIP_ENCRYPTION=false
# Allow HTTP in development (HTTPS required in production)
# ALLOW_HTTP=true
# ==============================================================================
# Notes for Production Deployment
# ==============================================================================
#
# 1. KEK_PASSWORD Security:
#    - Generate using: openssl rand -base64 32
#    - Store in AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault
#    - Rotate quarterly (rotating it presumably requires re-wrapping the
#      master KEK under the new password — follow the documented procedure
#      from note 5 and verify decryption before retiring the old password)
#    - Never log or expose in error messages
#
# 2. Key Backup Strategy:
#    - Automated daily backups to S3 (encrypted)
#    - Store backup password separately from KEK_PASSWORD
#    - Test recovery procedure monthly
#    - Keep 90 days of backup history
#
# 3. Monitoring:
#    - Set up alerts for key expiration (KEY_EXPIRY_ALERT_DAYS)
#    - Monitor decryption failure rates (a sudden rise can indicate a wrong
#      key, a bad rotation, or tampering)
#    - Track key rotation events
#    - Log all key management operations (who, what, when — never the key
#      material itself)
#
# 4. Compliance:
#    - Review encryption policies quarterly
#    - Maintain audit trail of all key access
#    - Document key management procedures
#    - Conduct annual security assessments
#
# 5. Disaster Recovery:
#    - Document key recovery procedures
#    - Store recovery keys in multiple secure locations
#    - Test recovery process quarterly
#    - Maintain offline backup of KEK (together with the means to decrypt
#      it; an encrypted KEK without its password is not a backup)
#
# ==============================================================================
# Security Checklist Before Production
# ==============================================================================
#
# [ ] No placeholder values ("CHANGE-ME", "your-...") remain in the real .env
# [ ] KEK_PASSWORD is at least 32 characters
# [ ] KEK_PASSWORD is stored in secure secrets manager
# [ ] KEK_PASSWORD, JWT_SECRET and REQUEST_INTEGRITY_SECRET are distinct values
# [ ] KEK_PATH points to backed-up, secure storage
# [ ] ENCRYPTION_STRICT_MODE=true
# [ ] HEADER_ENCRYPTION_STRICT value reviewed and deliberately chosen
# [ ] SKIP_ENCRYPTION and ALLOW_HTTP are unset
# [ ] NODE_ENV=production
# [ ] HTTPS/TLS certificates are valid
# [ ] Key rotation is scheduled and tested
# [ ] Backup system is operational
# [ ] Monitoring and alerts are configured
# [ ] Compliance requirements are documented
# [ ] Security assessment completed
# [ ] Incident response plan documented
# [ ] Staff trained on key management procedures
#
# ==============================================================================