Security Review
The platform’s surface is small enough that most security questions have direct answers. This is the checklist a buyer can hand to a security team.
Secrets at rest
AES-256-GCM with a 256-bit key; when the key is password-based, it is derived via PBKDF2 with 100,000 SHA-256 iterations. Secrets are stored either in an encrypted file or in HashiCorp Vault. The encrypted file (auth/secrets.enc) is never git-tracked.
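As an added example (not the platform's own code), the following C# sketch shows what the stated parameters mean in practice: a password-derived key via PBKDF2-SHA256 at 100,000 iterations, AES-256-GCM encryption with a fresh random nonce, and the authentication failure a tampered blob produces. The envelope layout (salt, nonce, tag, ciphertext), the class name and the sample values are assumptions for illustration; the page does not specify the on-disk layout of auth/secrets.enc.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative envelope: salt(16) || nonce(12) || tag(16) || ciphertext.
// This layout is an assumption for the example, not the layout of auth/secrets.enc.
public static class SecretsEnvelope
{
    const int SaltBytes = 16, NonceBytes = 12, TagBytes = 16, KeyBytes = 32;
    const int Iterations = 100_000; // PBKDF2-SHA256 iteration count stated on the page

    static byte[] DeriveKey(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, KeyBytes);

    public static byte[] Seal(string password, byte[] plaintext)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);   // new salt per file
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceBytes); // never reuse a nonce under one key
        byte[] tag = new byte[TagBytes];
        byte[] ciphertext = new byte[plaintext.Length];
        using var aes = new AesGcm(DeriveKey(password, salt), TagBytes); // .NET 8+ constructor
        aes.Encrypt(nonce, plaintext, ciphertext, tag);
        byte[] env = new byte[SaltBytes + NonceBytes + TagBytes + ciphertext.Length];
        salt.CopyTo(env, 0);
        nonce.CopyTo(env, SaltBytes);
        tag.CopyTo(env, SaltBytes + NonceBytes);
        ciphertext.CopyTo(env, SaltBytes + NonceBytes + TagBytes);
        return env;
    }

    public static byte[] Open(string password, byte[] env)
    {
        var salt = env.AsSpan(0, SaltBytes);
        var nonce = env.AsSpan(SaltBytes, NonceBytes);
        var tag = env.AsSpan(SaltBytes + NonceBytes, TagBytes);
        var ciphertext = env.AsSpan(SaltBytes + NonceBytes + TagBytes);
        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(DeriveKey(password, salt.ToArray()), TagBytes);
        // A wrong password or any modified byte fails the GCM tag check and throws;
        // no partial plaintext is ever returned.
        aes.Decrypt(nonce, ciphertext, tag, plaintext);
        return plaintext;
    }

    public static void Main()
    {
        byte[] env = Seal("correct horse", Encoding.UTF8.GetBytes("db-password=hunter2")); // constructed sample
        Console.WriteLine(Encoding.UTF8.GetString(Open("correct horse", env)));
        env[^1] ^= 0x01; // flip one ciphertext bit: GCM rejects the whole blob
        try { Open("correct horse", env); }
        catch (CryptographicException) { Console.WriteLine("tamper detected, nothing decrypted"); }
    }
}
```

The check worth carrying into a review is the one the last lines exercise: a modified file or wrong key must fail closed rather than yield garbage plaintext, which is the property AES-GCM's authentication tag provides and unauthenticated modes do not.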
Secrets in flight
TLS terminates at the reverse proxy. Secret values are JSON-encoded for transport between the platform and Vault and are never logged.
Encryption key management
Three documented key sources: a direct base64 value, a file path, or a PBKDF2 password. Rotation is a single CLI call followed by a service restart.
Audit completeness and retention
Every mutation is logged (see Roles & API Keys). Retention is sink-driven: ship the audit log to your SIEM via Serilog. The local file sink is for troubleshooting, not long-term forensics.
Role separation
Four built-in roles plus per-permission verbs, so the principle of least privilege applies from day one.
Secrets policy enforcement
Path-based access rules are separate from user roles, so a dev flow cannot reach prod secrets even if the invoking user has admin rights. See Secrets.
Network exposure
Kestrel binds to localhost by default. A reverse proxy (nginx, IIS) terminates TLS; mTLS at the edge is supported. The no-git developer overlay (/api/v1/local/...) must be disabled in production and rejected at the edge.
Vulnerability disclosure and patch cadence
Upgrades are single-binary: stop, swap, start. The data/ directory is forward-compatible across point releases; schema migrations, when they happen, are documented in the release notes.
Checklist summary
- Secrets at rest: AES-256-GCM / Vault.
- Secrets in flight: TLS at the proxy; never logged.
- Encryption key source chosen and rotation rehearsed.
- Audit log shipped to SIEM.
- Roles assigned with least privilege.
- Secrets policy separates dev from prod credentials.
- Kestrel behind a TLS-terminating reverse proxy; /api/v1/local/... rejected.
- Upgrade/rollback runbook written.
Items not on this list are worth a conversation early.