
# Data encryption

> See which encryption controls are active in the deployed MKA1 environment, how we validate them, and the evidence captured from production.

MKA1 has active encryption controls in the deployed production environment.
We verified encryption at rest for Kubernetes secrets and EBS-backed volumes, and encryption in transit for the public edge and the production CNPG/PostgreSQL cluster.

## What is active

### Encryption at rest

The following controls were verified in the live production environment:

* EKS secrets envelope encryption is active on `mk1-eks-production`.
* The live EKS cluster reports `encryptionConfig` for resource type `secrets`.
* The live cluster reports a KMS provider key ARN: `arn:aws:kms:us-west-2:REDACTED:key/5d84bfa7-REDACTED`.
* The production `ebs-sc` storage class uses the `ebs.csi.aws.com` provisioner with `encrypted: "true"` and `type: gp3`.

The deployed infrastructure source also declares encrypted EBS-backed storage:

* `infra-resources/mk1/resources/storage/ebs-storage-class.yaml` sets `encrypted: "true"` on `ebs-sc`.
* `infra-resources/helm/cnpg/kube/cluster-production.yaml` uses `storageClass: ebs-sc` for the production PostgreSQL cluster.

### Encryption in transit

The following controls were verified in the live production environment:

* `apigw.mka1.com:443` negotiated `TLSv1.3` with cipher suite `TLS_AES_128_GCM_SHA256`.
* `livekit.mka1.com:443` negotiated `TLSv1.3` with cipher suite `TLS_AES_128_GCM_SHA256`.
* Both public TLS checks completed with certificate verification `OK`.
* The public Kong ingress is configured with `alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06`.
* The live CNPG/PostgreSQL cluster reports `ssl_min_protocol_version: TLSv1.3` and `ssl_max_protocol_version: TLSv1.3`.
* The live CNPG/PostgreSQL cluster reports active certificate material in `clientCASecret`, `serverCASecret`, `serverTLSSecret`, and `replicationTLSSecret`.

The deployed infrastructure source also declares the TLS policy for the public ingress:

* `infra-resources/kong/resources/ingress-proxy.yaml` sets `alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06`.

## How we validate it

We validate the deployed state with repo-owned scripts in `infra-resources` and live cluster inspection.

`tools/compliance/verify_storage_encryption.sh` captures storage encryption evidence by running:

```bash
aws eks describe-cluster --name mk1-eks-production --region us-west-2
kubectl get storageclass ebs-sc efs-sc -o yaml
aws efs describe-file-systems --region us-west-2
aws ec2 describe-volumes --region us-west-2 \
  --filters Name=tag:kubernetes.io/created-for/pvc/name,Values='*'
```

`tools/compliance/verify_tls13.sh` captures public TLS evidence by running `openssl s_client` with `-tls1_3` against each public endpoint:

```bash
openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com -tls1_3 -brief
openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com -tls1_3 -showcerts

openssl s_client -connect livekit.mka1.com:443 -servername livekit.mka1.com -tls1_3 -brief
openssl s_client -connect livekit.mka1.com:443 -servername livekit.mka1.com -tls1_3 -showcerts
```

We also verify live cluster configuration directly:

```bash
kubectl -n kong get ingress kong-alb-ingress -o yaml
kubectl -n cnpg get cluster -o yaml
```
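The commands above only capture output; the pass criteria behind them (TLS 1.3 negotiated with a verified chain, `encryptionConfig` covering `secrets` with a KMS key ARN, an EBS StorageClass with `encrypted: "true"`, CNPG pinned to TLS 1.3) are what a reviewer actually needs to see enforced. The following POSIX shell functions are an added example, not the repository's `tools/compliance` scripts: each takes one command's output as a string and returns 0 when the signal is present, so the same checks run offline against saved evidence or live against `"$(openssl s_client ...)"`, `"$(aws eks describe-cluster ...)"` and `"$(kubectl ... -o yaml)"`. The sample inputs are constructed from the sanitized evidence on this page; the cluster name `example-cluster` and the failure samples are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the MKA1 tools/compliance scripts): assert the encryption
# signals this page lists against captured command output. Every check is plain
# grep so it runs without jq or cloud credentials.

# `openssl s_client -tls1_3 -brief` output must show a TLS 1.3 handshake, a TLS 1.3
# cipher suite (all of which are named TLS_*) and a verified certificate chain.
check_tls13_brief() {
  printf '%s\n' "$1" | grep -q '^Protocol version: TLSv1\.3$' || return 1
  printf '%s\n' "$1" | grep -q '^Ciphersuite: TLS_' || return 1
  printf '%s\n' "$1" | grep -q '^Verification: OK$' || return 1
}

# `aws eks describe-cluster` JSON must declare encryptionConfig that covers
# "secrets" and names a KMS key ARN as the envelope-encryption provider.
check_eks_secrets_envelope() {
  printf '%s\n' "$1" | grep -q '"encryptionConfig"' || return 1
  printf '%s\n' "$1" | grep -q '"secrets"' || return 1
  printf '%s\n' "$1" | grep -Eq '"keyArn": *"arn:aws:kms:[a-z0-9-]+:[^"]+:key/[^"]+"' || return 1
}

# `kubectl get storageclass <name> -o yaml` must use the EBS CSI provisioner and
# set the encrypted parameter; a StorageClass without it produces plaintext volumes
# unless the account-level EBS default happens to enforce encryption.
check_storageclass_encrypted() {
  printf '%s\n' "$1" | grep -Eq '^provisioner: *ebs\.csi\.aws\.com *$' || return 1
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]+encrypted: *"true" *$' || return 1
}

# CNPG cluster output must pin both the minimum and the maximum protocol to TLS 1.3.
check_cnpg_tls13_only() {
  printf '%s\n' "$1" | grep -Eq 'ssl_min_protocol_version: *"?TLSv1\.3"?' || return 1
  printf '%s\n' "$1" | grep -Eq 'ssl_max_protocol_version: *"?TLSv1\.3"?' || return 1
}

# All four signals together; arguments: tls_brief eks_json storageclass_yaml cnpg_yaml.
all_signals_present() {
  check_tls13_brief "$1" || return 1
  check_eks_secrets_envelope "$2" || return 1
  check_storageclass_encrypted "$3" || return 1
  check_cnpg_tls13_only "$4" || return 1
}

# Constructed samples modelled on the sanitized evidence on this page.
SAMPLE_TLS_OK='CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Verification: OK
Peer Temp Key: X25519, 253 bits'

# Constructed failure case: a TLS 1.2 session with a non-TLS 1.3 suite.
SAMPLE_TLS_OLD='CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256
Verification: OK'

SAMPLE_EKS_OK='{"cluster": {"name": "example-cluster", "encryptionConfig": [{"resources": ["secrets"], "provider": {"keyArn": "arn:aws:kms:us-west-2:[redacted-account]:key/[redacted-key-id]"}}]}}'

# Constructed failure case: no envelope encryption configured.
SAMPLE_EKS_NONE='{"cluster": {"name": "example-cluster", "encryptionConfig": []}}'

SAMPLE_SC_OK='kind: StorageClass
metadata:
  name: ebs-sc
parameters:
  encrypted: "true"
  type: gp3
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer'

# Constructed failure case: same class without the encrypted parameter.
SAMPLE_SC_PLAIN='kind: StorageClass
metadata:
  name: ebs-sc
parameters:
  type: gp3
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer'

SAMPLE_CNPG_OK='ssl_min_protocol_version: TLSv1.3
ssl_max_protocol_version: TLSv1.3'

# Constructed failure case: TLS 1.2 still allowed as the minimum.
SAMPLE_CNPG_WEAK='ssl_min_protocol_version: TLSv1.2
ssl_max_protocol_version: TLSv1.3'

# Usage against the samples; replace the arguments with live command output for a real run.
if all_signals_present "$SAMPLE_TLS_OK" "$SAMPLE_EKS_OK" "$SAMPLE_SC_OK" "$SAMPLE_CNPG_OK"; then
  echo "all encryption signals present"
else
  echo "one or more encryption signals missing" >&2
fi
```

The checks are deliberately strict about the exact output lines (`Protocol version: TLSv1.3`, `Verification: OK`) rather than searching for a substring such as `TLSv1.3` anywhere, because `openssl s_client -showcerts` output and `-o yaml` dumps contain the string in places that do not prove it was negotiated or enforced.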

## Evidence

The following sanitized snippets are excerpted from checks against our live production deployment.
They preserve the verified encryption signals and redact unrelated infrastructure details.

### EKS secrets envelope encryption

```json
{
  "cluster": {
    "name": "mk1-eks-production",
    "encryptionConfig": [
      {
        "resources": [
          "secrets"
        ],
        "provider": {
          "keyArn": "arn:aws:kms:us-west-2:[redacted-account]:key/[redacted-key-id]"
        }
      }
    ]
  }
}
```

### Encrypted EBS-backed storage class

```yaml
kind: StorageClass
metadata:
  name: ebs-sc
parameters:
  encrypted: "true"
  type: gp3
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
```

### Public API gateway TLS 1.3 handshake

```text
Verifying TLS 1.3 for apigw.mka1.com:443
Connecting to [redacted-ip]
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Verification: OK
Peer Temp Key: X25519, 253 bits
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Server public key is 2048 bit
Verify return code: 0 (ok)
```

### LiveKit TLS 1.3 handshake

```text
Verifying TLS 1.3 for livekit.mka1.com:443
Connecting to [redacted-ip]
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Verification: OK
Peer Temp Key: X25519, 253 bits
...
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Protocol: TLSv1.3
Server public key is 2048 bit
Verify return code: 0 (ok)
```

### Verified live cluster excerpts

```text
Kong public ingress:
- alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06

CNPG/PostgreSQL:
- ssl_min_protocol_version: TLSv1.3
- ssl_max_protocol_version: TLSv1.3
- clientCASecret: mk1-db-[redacted]
- serverCASecret: mk1-db-[redacted]
- serverTLSSecret: mk1-db-[redacted]
- replicationTLSSecret: mk1-db-[redacted]
```
