How we protect your keys.
Every encryption decision, every access control, every memory handling policy — documented in full. Security teams should be able to evaluate this without asking us a single question.
Encryption flow
Your real API key never travels over the network in plaintext. Here is the exact sequence of operations from the moment you paste a key into the dashboard to the moment it is used to forward a request.
1. Your browser generates a one-time Data Encryption Key (DEK) using WebCrypto's CSPRNG. This DEK exists only in your browser's memory for the duration of the key-creation flow.
2. The DEK encrypts your real API key using AES-256-GCM with a randomly generated 96-bit IV. The result is a ciphertext blob — the real key is now unreadable without the DEK.
3. The DEK is immediately wrapped (the key-wrapping step of envelope encryption) using your account's Key Encryption Key (KEK), which is held in a cloud HSM and is non-exportable. The wrapped DEK and the ciphertext are uploaded together. The plaintext DEK is discarded from browser memory.
4. KeyVault Edge stores only: the AES-256-GCM ciphertext, the wrapped DEK, and the IV. The real key is never stored in plaintext anywhere, including logs, backups, or analytics pipelines.
5. When a request arrives at the edge proxy, the Worker requests an unwrap of the DEK from the HSM (one operation, audited). The DEK decrypts the ciphertext to recover the real key in memory.
6. The real key is injected into the Authorization header of the forwarded request. Immediately after the upstream response begins streaming, the key is zeroed from Worker memory. It is never logged.
Memory handling
Cloudflare Workers have an isolated V8 isolate per request. There is no shared memory between requests. The key lifecycle inside a Worker is: decrypt → inject into outbound header → response begins → zero the variable.
We do not retain the decrypted key across requests, cache it in KV, or write it to any persistent store. Each request that requires a key performs a fresh HSM unwrap. The cost of this is one additional HSM call (~2–5ms) per request; we consider this an acceptable trade-off for the security guarantee.
Worker logs record only: token ID (not the key), upstream status code, byte counts, and request latency. No request bodies. No Authorization headers. No IP addresses beyond what Cloudflare's infrastructure requires for routing.
TLS termination
All connections to KeyVault Edge endpoints terminate TLS 1.3 at Cloudflare's edge — within 50ms of the client for most of the world. We do not support TLS 1.2 or below on any public endpoint.
HSTS (HTTP Strict Transport Security) is enforced with a max-age of 31,536,000 seconds (one year) and includeSubDomains. The domain is preloaded in major browser HSTS lists.
Connections from the edge proxy to upstream API providers (OpenAI, Stripe, GitHub, etc.) use TLS 1.2 or 1.3 with certificate verification enforced. We do not allow self-signed or expired upstream certificates.
Employee access model
No KeyVault Edge employee can access your plaintext API keys. The KEK that would allow decryption is held in a cloud HSM that enforces key usage policies — an operator credential alone is insufficient to decrypt customer keys.
All internal access to production infrastructure (Cloudflare console, Supabase dashboard, Stripe admin) is gated through Cloudflare Zero Trust with TOTP MFA required on every session. Access is logged at the application level, not just the network level.
Database rows containing encrypted key envelopes are protected by Supabase Row Level Security. No employee query can return another customer's rows without an explicit RLS policy exception, which would be logged and alerted.
Production deployments of the edge proxy require a signed commit from the main branch. The Worker is deployed to a hash-pinned version — any modification to the deployed code triggers an alert and is logged in Cloudflare's audit trail.
Master key management
The Key Encryption Key (KEK) for each account is generated inside a cloud HSM and is marked non-exportable. It cannot be extracted by any operator, engineer, or automated process — only HSM-mediated operations (wrap and unwrap) are permitted.
HSM operations are logged to an immutable audit trail. Every wrap and unwrap is recorded with: timestamp, operation type, calling service identity, and a request ID that links to the originating edge request.
KEKs are rotated on a schedule or on demand. Rotation re-wraps all existing DEKs under the new KEK without requiring re-encryption of the ciphertext. The rotation is atomic — there is no window during which a key is accessible under both the old and new KEK.
Enterprise plan customers can supply their own KEK via AWS KMS, GCP Cloud KMS, or Azure Key Vault (Customer-Managed Encryption Keys). In this mode, KeyVault Edge never holds the master key — it requests a one-time unwrap grant from the customer's KMS for each request.
Audit logging
Every security-relevant event is written to an append-only audit log: token creation, token rotation, token revocation, key registration, key deletion, failed authentication, rate limit breach, and anomalous usage detection.
Audit logs are written to Supabase with row-level timestamps and are not modifiable after write. Logs are retained for 90 days on the free plan and 1 year on Pro and Team plans.
Paid customers can export audit logs to their own SIEM via structured JSON over HTTPS or S3 export. Splunk HEC, Datadog Logs, and Elastic integrations are on the near-term roadmap.
Still have questions?
Security teams running a procurement evaluation can download our pre-filled vendor questionnaire or email us directly. We respond to security@keyvaultedge.com within one business day.