Endigest AI Core Summary
Ariso.ai implemented HashiCorp Vault's Transit secrets engine for high-performance envelope encryption across 21 database tables in their multi-tenant AI assistant platform.
• Two-layer envelope encryption: a per-context AES-128-GCM Data Encryption Key (DEK) encrypts data locally, while Vault's Transit engine wraps the DEK as the Key Encryption Key (KEK), keeping plaintext off Vault and reducing network overhead.
• Context-based key derivation from a single master KEK generates mathematically independent keys at three isolation levels: organization, user, and session, eliminating key sprawl across tenants.
• Session-level derivation provides forward secrecy: evicting the DEK cache entry after session expiration makes ephemeral data cryptographically inaccessible without the original session context.
• An in-memory DEK cache keyed by {kek_name}:{context}:{vault_version} achieves a 95.8% cache hit rate and an 8:1 encrypt-to-decrypt ratio, driving Vault transit latency to 0.46ms median a
This summary was automatically generated by AI based on the original article and may not be fully accurate.
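
The DEK cache keyed by {kek_name}:{context}:{vault_version}, as an added sketch that is not Ariso.ai's or HashiCorp's code. `FakeTransit`, `DekCache`, the key name `tenant-kek`, the context strings and the HMAC-based derivation are assumptions standing in for a real Vault Transit mount, so the block runs offline.

```python
import hashlib
import hmac
import os


class FakeTransit:
    """Local stand-in for a Vault Transit mount (constructed, not Vault's API)."""

    def __init__(self):
        self.master = {"tenant-kek": {1: os.urandom(32)}}  # name -> version -> key
        self.calls = 0  # counts simulated round trips to Vault

    def latest(self, name):
        return max(self.master[name])

    def rotate(self, name):
        self.master[name][self.latest(name) + 1] = os.urandom(32)

    def derive_dek(self, name, context, version):
        # Assumed KDF for this sketch: one HMAC-SHA256 block bound to the
        # context, truncated to 16 bytes (the size of an AES-128 key).
        self.calls += 1
        prk = self.master[name][version]
        return hmac.new(prk, context.encode() + b"\x01", hashlib.sha256).digest()[:16]


class DekCache:
    def __init__(self, transit):
        self.transit, self.entries, self.hits, self.misses = transit, {}, 0, 0

    def get(self, kek_name, context, version=None):
        # Encrypt paths use the latest version; decrypt paths pass the stored one.
        version = version or self.transit.latest(kek_name)
        key = f"{kek_name}:{context}:{version}"  # cache key format from the summary
        if key in self.entries:
            self.hits += 1
        else:
            self.misses += 1
            self.entries[key] = self.transit.derive_dek(kek_name, context, version)
        return self.entries[key]

    def evict_context(self, kek_name, context):
        # Drop every cached version for exactly this context (e.g. an expired
        # session). Splitting off the version avoids a prefix match that would
        # also evict longer contexts such as "org:acme:session:s1".
        target = f"{kek_name}:{context}"
        stale = [k for k in self.entries if k.rsplit(":", 1)[0] == target]
        for k in stale:
            del self.entries[k]
        return len(stale)
```

Including the version in the cache key means a KEK rotation never overwrites the entry still needed to decrypt older rows; the old and new DEKs sit side by side until evicted.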