Data model

Workspace

Your organization, with its own encryption key, members, and security settings.

Set

A group of keys for a project or environment such as dev, staging, or prod.

Key

An API key with a name, encrypted value, authorized domain, and optional expiration.

Envelope encryption

Elding uses two levels of keys:
  • KEK (MASTER_ENCRYPTION_KEY): the server-side master key.
  • DEK: a unique AES-256 key for each workspace, stored encrypted by the KEK.
An API key is encrypted with AES-256-GCM using its workspace DEK. A fresh random IV is generated for every encryption operation, and the GCM authentication tag protects integrity, so a tampered ciphertext fails to decrypt instead of yielding silently corrupted data.
If the KEK leaks, each workspace's DEK is still required to decrypt that workspace's data. If a DEK leaks, only that one workspace is affected. Keys can also be rotated without re-encrypting everything: rotating the KEK only re-wraps the DEKs, and rotating a DEK only touches its own workspace.

Status and circuit breaker

A set can be disabled by marking it INACTIVE. Its secrets immediately become unavailable through both the CLI and the web reveal interface. This is an instant, reversible circuit breaker: marking the set active again restores access.

The golden rule

A secret value is never logged, neither in plaintext in application logs nor in proxy logs. Only secret names may appear in logs.