AWS KMS Envelope Encryption
A two-layer encryption pattern where each piece of data is encrypted with a unique data key, and that data key is itself encrypted by a master key in AWS KMS. Combines KMS's audit / rotation guarantees with the throughput of local encryption.
Envelope encryption is the standard pattern for encrypting data at rest with AWS KMS. Sending every payload to KMS would be slow and expensive, and KMS will only encrypt up to 4 KB per call, so the application instead requests a fresh symmetric data encryption key (DEK) per record. A single GenerateDataKey call returns that DEK twice: in plaintext, and encrypted under a KMS key (formerly called a Customer Master Key, CMK) that never leaves KMS. The application encrypts the record locally with AES-256-GCM under the plaintext DEK, discards the plaintext DEK, and stores the encrypted DEK alongside the ciphertext. To decrypt, it sends only the encrypted DEK to KMS (one Decrypt call), receives the plaintext DEK back, and decrypts the payload locally. Supplying an encryption context (for example the tenant and secret identifiers) on both calls binds the wrapped DEK to that record: Decrypt fails unless the same context is presented, and the context is written into the CloudTrail entry for the call.
VULK uses envelope encryption for every secret stored in vulk-api-engine: BYOM API keys, OAuth refresh tokens, deploy credentials and customer-supplied environment variables. The KMS key lives in AWS KMS in eu-central-1 with automatic key rotation enabled and a strict IAM key policy. Rotation swaps the key material KMS uses for new wraps while retaining the old material, so existing wrapped DEKs stay decryptable without re-encrypting stored secrets; it limits how much data any one version of the master key ever protects, but does nothing for a DEK that has already leaked. CloudTrail records every Decrypt call with the caller's identity, the key ARN and any encryption context supplied, so the trail of who unwrapped which secret is preserved.
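The flow above, carried through as an added example in Go (not VULK's code): an in-process fake KMS stands in for AWS KMS so the block runs offline, and its GenerateDataKey and Decrypt methods are assumptions that mirror the SDK calls of the same names. The tenant/secret encryption context and the sample API key are constructed values. Each record gets its own 256-bit DEK, the payload is sealed with AES-256-GCM, the wrapped DEK is stored beside the ciphertext, and unwrapping fails closed under a different encryption context, a different master key or a tampered blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// fakeKMS stands in for AWS KMS so this runs offline; its two methods mirror
// the SDK's GenerateDataKey and Decrypt (an assumption of this example).
type fakeKMS struct{ masterKey []byte } // the KMS key; in production it never leaves KMS

// Envelope is the stored record: the wrapped DEK travels with the ciphertext.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// contextAAD canonicalises the encryption context (json.Marshal sorts keys).
func contextAAD(ctx map[string]string) []byte {
	b, _ := json.Marshal(ctx)
	return b
}

// newGCM builds AES-256-GCM; keys here are always 32 bytes, so an error would
// be a programming bug rather than a runtime condition.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || AES-256-GCM ciphertext. A random 96-bit nonce is safe
// because each DEK protects exactly one record (crypto/rand.Read cannot fail).
func seal(key, plaintext, aad []byte) []byte {
	g := newGCM(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal and fails closed on a wrong key, wrong AAD or tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	g := newGCM(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// GenerateDataKey returns a fresh 256-bit DEK in plaintext and wrapped under
// the master key, with the encryption context bound in as AAD.
func (k *fakeKMS) GenerateDataKey(ctx map[string]string) (plain, wrapped []byte) {
	plain = make([]byte, 32)
	rand.Read(plain)
	return plain, seal(k.masterKey, plain, contextAAD(ctx))
}

// Decrypt unwraps a DEK; it fails unless the exact original context is given.
func (k *fakeKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	return open(k.masterKey, wrapped, contextAAD(ctx))
}

// EncryptSecret: one KMS call, then local AES-256-GCM. The plaintext DEK is
// not retained once the record is sealed.
func EncryptSecret(kms *fakeKMS, ctx map[string]string, secret []byte) *Envelope {
	dek, wrapped := kms.GenerateDataKey(ctx)
	return &Envelope{WrappedDEK: wrapped, Ciphertext: seal(dek, secret, contextAAD(ctx))}
}

// DecryptSecret: exactly one KMS Decrypt (the call CloudTrail records), then
// local decryption of the payload with the unwrapped DEK.
func DecryptSecret(kms *fakeKMS, ctx map[string]string, env *Envelope) ([]byte, error) {
	dek, err := kms.Decrypt(env.WrappedDEK, ctx)
	if err != nil {
		return nil, fmt.Errorf("kms decrypt: %w", err)
	}
	return open(dek, env.Ciphertext, contextAAD(ctx))
}

func main() {
	master := make([]byte, 32)
	rand.Read(master)
	kms := &fakeKMS{masterKey: master}
	ctx := map[string]string{"tenant": "acme", "secret": "byom/openai"} // constructed
	env := EncryptSecret(kms, ctx, []byte("sk-constructed-sample-key"))
	pt, err := DecryptSecret(kms, ctx, env)
	fmt.Printf("same context: %s (err=%v)\n", pt, err)
	_, err = DecryptSecret(kms, map[string]string{"tenant": "evil"}, env)
	fmt.Println("other tenant's context:", err)
}
```

The wrong-context failure is the property worth a test of its own: against a real KMS key, the same binding can be enforced at the policy layer with kms:EncryptionContext condition keys, so a principal can be limited to unwrapping DEKs for its own tenant even if it obtains another tenant's wrapped DEK.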
Cloudflare R2
Cloudflare's S3-compatible object storage with zero egress fees. VULK uses R2 to store generated assets (videos, 3D models, images, exported ZIPs) and serve them globally from the Cloudflare edge.
Argon2id
Argon2 won the 2015 Password Hashing Competition; Argon2id is its hybrid variant and the algorithm OWASP recommends for password hashing. All Argon2 variants are memory-hard. Argon2id runs the first half of the first pass with data-independent memory access (the Argon2i mode, which resists cache-timing side channels) and the remainder with data-dependent access (the Argon2d mode, the stronger of the two against GPU and ASIC cracking). OWASP's baseline parameters are 19 MiB of memory, 2 iterations and a parallelism of 1, with a unique random salt per password. VULK hashes every user password with Argon2id in vulk-api-engine.