Encryption in Transit

TLS 1.3 and mTLS for all network communication.

Overview

All network traffic is encrypted:

• External Traffic: TLS 1.3 with strong cipher suites
• Internal Traffic: mTLS (mutual TLS) for service mesh
• Compliance: FIPS 140-2, NIST 800-53 SC-8, FedRAMP
• Certificate Management: Automated rotation with cert-manager

TLS 1.3 Configuration

NGINX (API Gateway)

nginx.conf:

server {
  listen 443 ssl http2;
  server_name gateway.local.bluefly.io;

  # TLS 1.3 only
  ssl_protocols TLSv1.3;

  # Strong cipher suites
  ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256';
  ssl_prefer_server_ciphers off;

  # Certificates
  ssl_certificate /etc/certs/gateway.crt;
  ssl_certificate_key /etc/certs/gateway.key;
  ssl_certificate_key /etc/certs/gateway.key;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/certs/ca-chain.crt;

  # Session cache
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_session_tickets off;

  # HSTS
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  # Security headers
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Frame-Options "DENY" always;
  add_header X-XSS-Protection "1; mode=block" always;

  location / {
    proxy_pass http://backend;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/certs/ca.crt;
  }
}

Node.js (Express)

server.ts:

import * as https from 'https';
import * as fs from 'fs';
import express from 'express';

const app = express();

const httpsOptions = {
  // TLS 1.3
  minVersion: 'TLSv1.3' as const,
  maxVersion: 'TLSv1.3' as const,

  // Certificates
  key: fs.readFileSync('/etc/certs/server.key'),
  cert: fs.readFileSync('/etc/certs/server.crt'),
  ca: fs.readFileSync('/etc/certs/ca.crt'),

  // Cipher suites
  ciphers: [
    'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_AES_128_GCM_SHA256'
  ].join(':'),

  // Prefer server ciphers
  honorCipherOrder: false,

  // Session resumption
  sessionTimeout: 600,
  ticketKeys: undefined, // Disable session tickets

  // OCSP stapling
  requestOCSP: true
};

const server = https.createServer(httpsOptions, app);

server.listen(3001, () => {
  console.log('HTTPS server running on port 3001');
});

Mutual TLS (mTLS)

Service Mesh Configuration

Istio mTLS Policy:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: llm-platform
spec:
  mtls:
    mode: STRICT  # Require mTLS for all traffic

---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: mtls-for-all
  namespace: llm-platform
spec:
  host: "*.llm-platform.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL  # Use Istio-managed certificates

gRPC with mTLS

server.ts:

import * as grpc from '@grpc/grpc-js';
import * as fs from 'fs';

// Load certificates
const serverCert = fs.readFileSync('/etc/certs/server.crt');
const serverKey = fs.readFileSync('/etc/certs/server.key');
const caCert = fs.readFileSync('/etc/certs/ca.crt');

// Create mTLS credentials
const credentials = grpc.ServerCredentials.createSsl(
  caCert,           // CA certificate
  [{
    cert_chain: serverCert,
    private_key: serverKey
  }],
  true              // Check client certificate
);

// Create gRPC server
const server = new grpc.Server();

// Add services
server.addService(AgentMeshService, implementation);

// Start server with mTLS
server.bindAsync(
  '0.0.0.0:50051',
  credentials,
  (err, port) => {
    if (err) throw err;
    console.log(`gRPC server with mTLS running on port ${port}`);
    server.start();
  }
);

client.ts:

import * as grpc from '@grpc/grpc-js';
import * as fs from 'fs';

// Load certificates
const clientCert = fs.readFileSync('/etc/certs/client.crt');
const clientKey = fs.readFileSync('/etc/certs/client.key');
const caCert = fs.readFileSync('/etc/certs/ca.crt');

// Create mTLS credentials
const credentials = grpc.credentials.createSsl(
  caCert,
  clientKey,
  clientCert
);

// Create client
const client = new AgentMeshClient(
  'mesh.local.bluefly.io:50051',
  credentials
);

// Make authenticated call
client.registerAgent({ agentId: 'agent-001' }, (err, response) => {
  if (err) console.error(err);
  else console.log(response);
});

Certificate Management

Cert-Manager (Kubernetes)

ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: ca-key-pair

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gateway-tls
  namespace: llm-platform
spec:
  secretName: gateway-tls-secret
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
  commonName: gateway.local.bluefly.io
  dnsNames:
    - gateway.local.bluefly.io
    - "*.local.bluefly.io"
  duration: 2160h      # 90 days
  renewBefore: 720h    # 30 days before expiration
  privateKey:
    algorithm: RSA
    size: 2048
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth

Automatic Rotation

Rotation Schedule:

• Leaf certificates: 90 days
• Intermediate CA: 1 year
• Root CA: 10 years
• Auto-renewal: 30 days before expiration

Rotation Monitoring:

class CertificateMonitor {
  async checkExpiration() {
    const certs = await this.listCertificates();

    for (const cert of certs) {
      const daysUntilExpiry = this.getDaysUntilExpiry(cert);

      if (daysUntilExpiry <= 30) {
        await this.alert({
          severity: 'warning',
          message: `Certificate ${cert.name} expires in ${daysUntilExpiry} days`,
          action: 'renew'
        });
      }

      if (daysUntilExpiry <= 7) {
        await this.alert({
          severity: 'critical',
          message: `Certificate ${cert.name} expires in ${daysUntilExpiry} days!`,
          action: 'urgent_renew'
        });

        // Auto-renew
        await this.renewCertificate(cert);
      }
    }
  }
}

Protocol-Specific Encryption

PostgreSQL SSL

postgresql.conf:

ssl = on
ssl_cert_file = '/etc/certs/server.crt'
ssl_key_file = '/etc/certs/server.key'
ssl_ca_file = '/etc/certs/ca.crt'
ssl_min_protocol_version = 'TLSv1.3'
ssl_ciphers = 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'
ssl_prefer_server_ciphers = on

Client Connection:

import { Pool } from 'pg';

const pool = new Pool({
  host: 'postgres.local.bluefly.io',
  port: 5432,
  database: 'llm_platform',
  user: 'app_user',
  password: process.env.DB_PASSWORD,
  ssl: {
    rejectUnauthorized: true,
    ca: fs.readFileSync('/etc/certs/ca.crt').toString(),
    cert: fs.readFileSync('/etc/certs/client.crt').toString(),
    key: fs.readFileSync('/etc/certs/client.key').toString()
  }
});

Redis TLS

redis.conf:

tls-port 6380
port 0  # Disable non-TLS

tls-cert-file /etc/certs/redis.crt
tls-key-file /etc/certs/redis.key
tls-ca-cert-file /etc/certs/ca.crt

tls-auth-clients yes
tls-protocols "TLSv1.3"
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Client Connection:

import Redis from 'ioredis';

const redis = new Redis({
  port: 6380,
  host: 'redis.local.bluefly.io',
  tls: {
    rejectUnauthorized: true,
    ca: fs.readFileSync('/etc/certs/ca.crt'),
    cert: fs.readFileSync('/etc/certs/client.crt'),
    key: fs.readFileSync('/etc/certs/client.key')
  }
});

WebSocket Security

Secure WebSocket (WSS)

Server:

import { WebSocketServer } from 'ws';
import * as https from 'https';

const server = https.createServer(httpsOptions, app);

const wss = new WebSocketServer({
  server,
  verifyClient: (info, callback) => {
    // Verify JWT token
    const token = info.req.headers.authorization?.split(' ')[1];

    jwt.verify(token, publicKey, (err, decoded) => {
      callback(err === null, err ? 401 : 200);
    });
  }
});

wss.on('connection', (ws, req) => {
  console.log('Secure WebSocket connection established');

  ws.on('message', (data) => {
    // Handle encrypted message
  });
});

Client:

const ws = new WebSocket('wss://tracer.local.bluefly.io/stream', {
  headers: {
    Authorization: `Bearer ${jwtToken}`
  },
  rejectUnauthorized: true,
  ca: fs.readFileSync('/etc/certs/ca.crt')
});

VPN (IPSec)

For admin/developer access:

strongSwan Configuration:

conn bluefly-vpn
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    dpdaction=clear
    dpddelay=300s
    rekey=yes
    left=%any
    leftauth=eap-mschapv2
    leftid=%any
    right=vpn.bluefly.io
    rightauth=pubkey
    rightsendcert=always
    rightid="CN=vpn.bluefly.io"
    rightsubnet=10.0.0.0/8
    auto=add

Monitoring & Validation

TLS Scanning

testssl.sh:

# Scan TLS configuration
testssl.sh --severity MEDIUM \
  https://gateway.local.bluefly.io

# Check certificate
openssl s_client -connect gateway.local.bluefly.io:443 \
  -showcerts < /dev/null

# Verify TLS 1.3
nmap --script ssl-enum-ciphers -p 443 gateway.local.bluefly.io

Certificate Expiration Monitoring

# Check expiration
echo | openssl s_client -connect gateway.local.bluefly.io:443 2>/dev/null | \
  openssl x509 -noout -enddate

# Prometheus metric
curl -s https://gateway.local.bluefly.io/metrics | \
  grep 'ssl_certificate_expiry_seconds'

Compliance

NIST 800-53 SC-8

SC-8: Transmission Confidentiality and Integrity

All network traffic encrypted (TLS 1.3, mTLS) Strong cipher suites only Certificate-based authentication Perfect Forward Secrecy (PFS) HSTS enabled (HTTPHTTPS redirect)

FedRAMP Requirements

FIPS 140-2 validated crypto Mutual authentication (mTLS) Certificate rotation < 90 days Continuous monitoring Audit logging

Next Steps

• Encryption at Rest
• Secrets Management
• Security Architecture
• NIST 800-53 Controls