The vault is the part of Studio we will explain in the most detail, because it is the part you should weight most heavily. If the vault is sound, an attacker who steals every database row and every file in object storage walks away with ciphertext that decrypts to nothing without an AWS-side authorization for the right organization. Application-layer access controls are necessary but they fail occasionally. Cryptographic isolation does not. This page describes the design end to end: the keys, the algorithm, the envelope format, the rotation behavior, the cross-organization sharing flow, the keychain caching, and the organization-deletion path that ends in cryptographic shredding.Documentation Index
Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt
Use this file to discover all available pages before exploring further.
The shape
| Layer | What it is | Where it lives |
|---|---|---|
| Customer master key (CMK) | Per-organization symmetric KMS key. | AWS KMS, FIPS 140-2 validated HSM, us-east-1 FIPS endpoint. |
| Data encryption key (DEK) | Per-organization symmetric data key, one per active version. | Encrypted at rest in DynamoDB, wrapped by the org’s CMK. |
| Resource DEK wrap | A separate wrap of a record’s DEK for each organization that is allowed to decrypt it (used for cross-org shares). | Persisted as scoped wrap rows in the backend store. |
| Per-record envelope | The actual sensitive field as ciphertext. | DynamoDB keyChainEntries, connectorEntries, mcpServerEntries, procedures, procedureRuns, connectionProtocols. |
| Plaintext DEK cache | Decrypted DEK held in OS keychain with a 12-hour TTL. | macOS Keychain / Windows DPAPI / Linux libsecret. |
| Plaintext field | Decrypted record value held in agent memory only at the moment of use. | Go sidecar RAM, BoringCrypto. |
- The CMK never leaves the HSM.
- The DEK can be rotated frequently without rewriting every ciphertext immediately (envelopes carry a
dekRefand the corresponding wrap is fetched at decrypt time). - A single record can be re-wrapped for additional organizations (sharing) without re-encrypting.
- Organization deletion is a single operation: schedule the CMK for destruction. Every wrap becomes unrecoverable; every envelope becomes garbage.
The algorithm
| Component | Choice |
|---|---|
| Symmetric cipher | AES-256-GCM |
| Wrap (CMK → DEK) | AWS KMS, FIPS 140-2 validated HSM |
| KMS endpoint | AWS FIPS endpoint in us-east-1 |
| Key derivation | None at the application layer; KMS handles CMK-side derivation. |
| AAD | A canonical binding of the envelope to its organization, table, record, and field. |
| IV | 96 bits, randomly generated per encryption. |
| Tag | 128 bits, GCM standard. |
| Crypto library | Go with BoringCrypto in the agent; AWS-native KMS in the cloud. |
Additional authenticated data
Every envelope’s AAD binds it to its location. An adversary who copies a ciphertext from one record to another (transplantation attack) cannot decrypt it: the AAD they would have to forge includes the destination record’s identity, and the GCM tag fails verification. This means:- A field copied from one record to another in the same table fails to decrypt.
- A field copied from one organization to another fails to decrypt.
- A field copied between two semantically different fields on the same record fails to decrypt.
DEK lifecycle
A new organization receives a freshly minted DEK:Create the org's CMK
On organization creation, a backend handler creates a dedicated KMS customer master key, applies the org-scoped key policy, and records the binding so subsequent calls route to the right key.
Mint the first DEK
The same handler asks KMS to generate a fresh data key under the new CMK. The plaintext form is used once and discarded; the wrapped form is persisted as the org’s active DEK.
Use the active DEK for new envelopes
Encryption calls fetch the active DEK, unwrap it via KMS into protected memory, perform the AES-256-GCM operation with the appropriate AAD, and embed a reference to the DEK in the envelope so it can be located again at decrypt time.
Rotate on a recurring schedule
A scheduled rotation mints a new DEK version and marks the previous one retired. New envelopes use the new DEK; old envelopes still decrypt because retired DEKs are kept (encrypted) for the lifetime of the organization.
Plaintext DEK caching
Decrypting a record requires the plaintext DEK. Calling KMS for every decrypt is too slow for a workspace that opens hundreds of records per session, so plaintext DEKs are cached in the operating system keychain on the desktop with a short lifetime.| Cached material | Where | Behavior |
|---|---|---|
| Wrapped DEK | OS keychain. | Safe to keep; it’s only useful with a KMS unwrap. |
| Plaintext DEK | OS keychain. | Held for a short, bounded interval (hours, not days), then expired. The next decrypt requires another KMS call. |
| Session metadata | OS keychain. | Same bounded interval; purged on sign-out. |
Cross-organization shares
When a user shares a resource with a member of another organization, the resource’s encrypted contents must become readable to the other org without exposing the originating org’s DEK. Studio uses a per-resource DEK wrap for this:Originating org unwraps the record
The originating user’s session unwraps the record’s envelope using the active org DEK and re-encrypts it under a fresh per-record DEK.
Per-record DEK is wrapped for each participating org
The per-record DEK is wrapped once under each participating organization’s CMK via KMS. Each wrap is persisted as its own row, scoped by (resource, organization).
Recipient org reads the share
A recipient’s session looks up the wrap for its own org, calls KMS with its own CMK to unwrap the per-record DEK, then decrypts the record. At no point does the recipient’s session see the originating org’s DEK or CMK.
Encrypted fields
The following fields are encrypted under the org DEK at rest:| Domain | What’s encrypted |
|---|---|
| Host protocols | Per-host passwords, key references, ONVIF camera credentials. |
| Connectors | The full authentication blob (basic, bearer, OAuth tokens, custom-header secrets). |
| MCP servers | The full authentication blob. |
| Procedures | The procedure body, which may contain inlined sensitive text. |
| Procedure runs | Argument values, conversation messages, tool-call summaries, final output. |
| Keychain entries | The credential payload itself. |
KMS access policy
Each organization’s CMK has a key policy that only permits decryption when the caller is bound to that organization. The binding is established at sign-in: the user’s identity claim is propagated as an AWS principal tag on every signed call, and KMS will only unwrap a DEK when the tag and the key’s policy align with the encryption context the application supplies. A user signed into org A who somehow obtains a stored ciphertext for org B cannot decrypt it: the tag does not match the CMK’s policy, KMS refuses the call, end of story.Organization deletion and cryptographic shredding
When an organization is deleted, an organization-lifecycle handler:Schedule the CMK for deletion
KMS marks the org’s CMK pending deletion with the AWS-mandated 30-day window. Shorter windows aren’t permitted.
Stop minting new envelopes
The org-key state is updated so the application no longer encrypts new records against the soon-to-be-destroyed CMK.
Wait the AWS-mandated window
During the 30 days, an admin can cancel the deletion if it was a mistake.
Why this becomes a moat
The vault is described above as a security control. It is also why Studio’s value compounds the longer you use it. Per-organization cryptographic isolation means your inventory, your procedures, your memories, your conversation transcripts, your session recordings, your connector definitions, and your knowledge graph are all bound to keys only your organization can use. They are encrypted under your CMK; the local agent’s knowledge graph and embeddings index are computed against your data and live on your devices; the cross-org sharing graph is yours to grant and revoke. That body of work cannot be picked up and dropped into another tool in any useful form. A competitor can replicate the architecture. They cannot replicate three years of your team’s runbooks, the memory of which vendor port behaves which way during a maintenance window, the hundred conversations that taught Copilot what your customers actually need, or the diagram graph that has been corrected by the people who actually run the network. The encryption is what keeps that knowledge yours; the architecture is what makes it useful where it is. The implication for switching cost is the implication for defensibility. You are not buying a feature when you adopt Studio. You are accumulating an operational asset that gets denser the longer you keep using it.How to verify any of this
Studio runs as single-tenant SaaS in Altostrat’s AWS account inus-east-1. The vault, the KMS keys, the CloudTrail logs, and the AppSync infrastructure live there — not in your AWS environment. The verification options reflect that:
- FIPS endpoint and HSM: AWS’s published documentation establishes that the FIPS KMS endpoint in
us-east-1runs on FIPS 140-2 validated hardware. Our internal integration suite asserts on every release that we route to the FIPS endpoint; the assertion details are part of the security pack we share under NDA. - DEK rotation cadence and key isolation: producible from our CloudTrail on request as part of a security or compliance review.
- Per-organization isolation: observable in any record export — each organization’s encrypted blobs reference a different KMS key, and sharing produces additional per-organization wraps.
- Envelope versioning: observable in any record export — the version tag is unambiguous and lets us evolve the format without breaking historical records.
Related
Identity and access
How the principal tag that gates KMS access gets attached to your AWS calls.
Known limits
What the vault does not yet do — including audit logging of every decrypt and AI-context scrubbing.