# HSM-backed keys and TLS 1.3

> How MKA1 uses AWS KMS hardware security modules and enforces TLS 1.3 for cryptographic key management across data at rest and in transit.

MKA1 manages all cryptographic keys through AWS KMS, which is backed by FIPS 140-2 Level 3 validated hardware security modules.
TLS 1.3 is enforced on every public endpoint and on internal database connections, with verified key sizes that meet compliance requirements.

## What is active

### HSM-backed key management

The following controls were verified in the live production environment:

* EKS secrets envelope encryption uses a customer-managed AWS KMS key (`arn:aws:kms:us-west-2:REDACTED:key/...`).
* The KMS key is backed by FIPS 140-2 Level 3 validated HSMs operated by AWS.
* SOPS-encrypted secrets at rest in the repository also use AWS KMS for envelope encryption.
* EBS volumes attached to the production cluster use `encrypted: "true"` with the `gp3` storage class, with encryption keys managed by KMS.

### TLS 1.3 enforcement

The following controls were verified in the live production environment:

* `apigw.mka1.com:443` negotiated `TLSv1.3` with cipher suite `TLS_AES_128_GCM_SHA256`.
* `livekit.mka1.com:443` negotiated `TLSv1.3` with cipher suite `TLS_AES_128_GCM_SHA256`.
* Both endpoints use X25519 key exchange (253 bits) and RSA 2048-bit server public keys issued by AWS Certificate Manager.
* The ALB SSL policy `ELBSecurityPolicy-TLS13-1-2-2021-06` is configured on the Kong and LiveKit ingresses, ensuring TLS 1.3 and strong TLS 1.2 ciphers only.
* The production CNPG/PostgreSQL cluster enforces `ssl_min_protocol_version: TLSv1.3` and `ssl_max_protocol_version: TLSv1.3`.
* Database TLS certificates are managed by cert-manager with dedicated `clientCASecret`, `serverCASecret`, `serverTLSSecret`, and `replicationTLSSecret` secrets.

## How we validate it

We validate HSM-backed key usage and TLS 1.3 enforcement with live cluster inspection and direct endpoint testing.

KMS key and HSM backing are confirmed via the EKS cluster description:

```bash theme={null}
aws eks describe-cluster --name mk1-eks-production --region us-west-2 \
  --query 'cluster.encryptionConfig'
```

TLS 1.3 handshake and key sizes are verified with `openssl s_client`:

```bash theme={null}
openssl s_client -connect apigw.mka1.com:443 -servername apigw.mka1.com -tls1_3 -brief
openssl s_client -connect livekit.mka1.com:443 -servername livekit.mka1.com -tls1_3 -brief
```

Database TLS configuration is verified directly on the live cluster:

```bash theme={null}
kubectl -n cnpg get cluster -o yaml | grep -A2 ssl
```
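To turn the two `openssl s_client -brief` runs above into a repeatable pass/fail check, the following added script (not part of the MKA1 tooling) parses the `-brief` output and compares it against the policy this page states: TLS 1.3 only, a TLS 1.3 AEAD suite, an X25519 ephemeral key of 253 bits, an RSA server key of at least 2048 bits, and a verified certificate chain. The embedded sample is constructed in the shape of the sanitized evidence below rather than captured live; the policy thresholds and the `FIELD_RE` patterns are assumptions about the `-brief` format, not values from the page.

```python
import re

# Policy taken from this page: TLS 1.3 only, an AEAD suite, X25519 (253-bit)
# ephemeral key, RSA server key of at least 2048 bits, certificate chain verified.
POLICY = {
    "protocols": {"TLSv1.3"},
    "ciphers": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"},
    "min_temp_key_bits": 253,
    "min_server_key_bits": 2048,
}
# Lines of `openssl s_client -brief` output that carry the values we check (assumed format).
FIELD_RE = {
    "protocol": re.compile(r"^Protocol version:\s*(\S+)"),
    "cipher": re.compile(r"^Ciphersuite:\s*(\S+)"),
    "temp_key": re.compile(r"^Peer Temp Key:\s*(.+?),\s*(\d+) bits"),
    "server_key_bits": re.compile(r"^Server public key is (\d+) bit"),
    "verify_rc": re.compile(r"^Verify return code:\s*(\d+)"),
}

def parse_brief(output):
    """Extract the checked fields from -brief output; temp_key is (kex, bits)."""
    found = {}
    for line in output.splitlines():
        for name, rx in FIELD_RE.items():
            m = rx.match(line.strip())
            if m:
                found[name] = m.groups() if name == "temp_key" else m.group(1)
    return found

def check_handshake(output, policy=POLICY):
    """Return the list of policy violations; an empty list means the endpoint passes."""
    f = parse_brief(output)
    problems = []
    if f.get("protocol") not in policy["protocols"]:
        problems.append(f"protocol {f.get('protocol')} is not TLS 1.3")
    if f.get("cipher") not in policy["ciphers"]:
        problems.append(f"cipher {f.get('cipher')} is not an allowed TLS 1.3 suite")
    kex, bits = f.get("temp_key", ("none", "0"))  # a missing line counts as a failure
    if int(bits) < policy["min_temp_key_bits"]:
        problems.append(f"ephemeral key {kex} ({bits} bits) is below the minimum")
    if int(f.get("server_key_bits", 0)) < policy["min_server_key_bits"]:
        problems.append(f"server key of {f.get('server_key_bits')} bits is below 2048")
    if f.get("verify_rc") != "0":
        problems.append(f"certificate chain did not verify (rc={f.get('verify_rc')})")
    return problems

# Constructed sample shaped like this page's sanitized evidence, not a live capture.
GOOD = ("CONNECTION ESTABLISHED\nProtocol version: TLSv1.3\nCiphersuite: TLS_AES_128_GCM_SHA256\n"
        "Peer Temp Key: X25519, 253 bits\nServer public key is 2048 bit\nVerify return code: 0 (ok)\n")
```

Feed the script the real output of the `openssl s_client ... -brief` commands above (for example via `subprocess.run(..., capture_output=True)`) and fail the check when `check_handshake` returns a non-empty list.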

## Evidence

The following sanitized snippets are excerpted from checks against our live production deployment.

### KMS provider on EKS cluster

```json theme={null}
{
  "cluster": {
    "name": "mk1-eks-production",
    "encryptionConfig": [
      {
        "resources": ["secrets"],
        "provider": {
          "keyArn": "arn:aws:kms:us-west-2:[redacted-account]:key/[redacted-key-id]"
        }
      }
    ]
  }
}
```

### TLS 1.3 handshake with key sizes — apigw.mka1.com

```text theme={null}
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Peer Temp Key: X25519, 253 bits
Verification: OK
...
Server public key is 2048 bit
Verify return code: 0 (ok)
```

### TLS 1.3 handshake with key sizes — livekit.mka1.com

```text theme={null}
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_128_GCM_SHA256
Peer Temp Key: X25519, 253 bits
Verification: OK
...
Server public key is 2048 bit
Verify return code: 0 (ok)
```

### ALB SSL policy and database TLS configuration

```text theme={null}
Kong public ingress:
- alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06

CNPG/PostgreSQL:
- ssl_min_protocol_version: TLSv1.3
- ssl_max_protocol_version: TLSv1.3
- clientCASecret: mk1-db-[redacted]
- serverCASecret: mk1-db-[redacted]
- serverTLSSecret: mk1-db-[redacted]
- replicationTLSSecret: mk1-db-[redacted]
```
