ShrouDB
Reference

Security model

Defense in depth — encryption at rest, zeroization, isolation, and access control.

Encryption at rest

WAL encryption

Every mutation is encrypted with AES-256-GCM before it is appended to the write-ahead log. Nonces are deterministic per record, and the keys are derived with HKDF.

Master key

Moat requires a 256-bit master key from SHROUDB_MASTER_KEY. Per-engine keys are derived from it via HKDF. In production, store the master key in an HSM or cloud KMS and inject it at process start.

Per-tenant isolation

Multi-tenant deployments derive separate engine master keys per tenant, again via HKDF. Process-level access does not imply data access across tenants.

Zeroization

  • SecretBytes containers zero their backing memory on drop.
  • Veil plaintext is zeroized after match completion.
  • Courier payloads are zeroized after delivery.
  • Cipher plaintext is never persisted, only processed in memory.

Core dumps

Moat disables core dumps at startup on Linux and macOS. This reduces the risk of keys ending up on disk after a crash.

TLS / mTLS

moat.toml
[server.tls]
cert_file = "/etc/shroudb/tls/server.crt"
key_file  = "/etc/shroudb/tls/server.key"
client_ca = "/etc/shroudb/tls/clients.crt"  # optional mTLS

Use Forge to issue short-lived service certificates for mTLS between your apps and Moat.

Scope-based auth

Every token carries a set of scopes in engine:verb/resource form. Gate checks happen before any engine command executes.

examples
*:*/*                     # full access
cipher:encrypt/payments   # encrypt under payments keyring only
sigil:verify/*            # verify any credential
keep:get/secrets/app/*    # read app secrets only
chronicle:query/*         # read audit stream
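
An added example of the gate check described above, written for this page and not taken from ShrouDB's own code: it parses engine:verb/resource scopes and decides whether a token may run a request. The wildcard rules (a lone * for a whole engine or verb, and a resource pattern of * or ending in /* covering everything under that prefix), the Scope and gate_allows names, and the sample token are assumptions.

```rust
/// One scope in engine:verb/resource form, e.g. keep:get/secrets/app/*.
pub struct Scope {
    engine: String,
    verb: String,
    resource: String,
}

impl Scope {
    /// Parse a scope string. Malformed scopes are rejected rather than
    /// silently widened, so the gate stays deny-by-default.
    pub fn parse(s: &str) -> Option<Scope> {
        let (engine, rest) = s.split_once(':')?;
        let (verb, resource) = rest.split_once('/')?;
        if engine.is_empty() || verb.is_empty() || resource.is_empty() {
            return None;
        }
        Some(Scope { engine: engine.into(), verb: verb.into(), resource: resource.into() })
    }

    /// Does this granted scope cover the requested engine/verb/resource?
    /// Assumed rules: "*" matches a whole engine or verb; a resource pattern
    /// of "*" or ending in "/*" covers every resource under that prefix.
    pub fn covers(&self, engine: &str, verb: &str, resource: &str) -> bool {
        let part_ok = |pat: &str, val: &str| pat == "*" || pat == val;
        if !part_ok(self.engine.as_str(), engine) || !part_ok(self.verb.as_str(), verb) {
            return false;
        }
        match self.resource.as_str() {
            "*" => true,
            pat => match pat.strip_suffix("/*") {
                // Prefix must be followed by a '/', so secrets/app/* does not
                // leak secrets/application/...
                Some(prefix) => resource.strip_prefix(prefix).map_or(false, |r| r.starts_with('/')),
                None => pat == resource,
            },
        }
    }
}

/// Gate check run before any engine command executes: the request is allowed
/// only if at least one well-formed scope on the token covers it.
pub fn gate_allows(token_scopes: &[&str], engine: &str, verb: &str, resource: &str) -> bool {
    token_scopes
        .iter()
        .filter_map(|s| Scope::parse(s))
        .any(|sc| sc.covers(engine, verb, resource))
}
```

A token carrying cipher:encrypt/payments and keep:get/secrets/app/* is allowed keep get on secrets/app/db-url but denied cipher decrypt on payments and keep get on secrets/other/x.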

Security checklist

  • Generate a strong master key (256-bit, 64 hex chars).
  • Store the master key in an HSM or cloud KMS.
  • Enable TLS in production; prefer mTLS for service-to-service.
  • Grant least-privilege scopes — never ship *:*/* to apps.
  • Enable Chronicle for persistent audit and alerting.
  • Rotate Cipher keyrings and Sigil keyspaces on a schedule.
  • Enforce a short default TTL on credentials.
  • Write audit logs off-host for tamper-evident retention.