Per-tenant HKDF key derivation. KEK never on disk. The compromise of one tenant can never decrypt another.
CyVault is a credential vault built on a 3-node HashiCorp Vault Raft cluster with Transit envelope encryption. Per-tenant keys are derived via HKDF: a leak of one tenant's derived key never compromises another. The Key Encryption Key (KEK) lives only in Vault Transit: never on disk, never in environment variables, never in memory longer than needed.
Each tenant gets HKDF-derived keys. A compromise of one tenant cannot decrypt another. Master key stays in Vault Transit, never touches disk.
Cloud provider passwords (AWS, Azure, GCP) encrypted at rest per-tenant. Vault Transit Phase 3 promoted in production.
Every CyDusk ticket is wrapped with AES-256-GCM before being persisted to Redis. Closes the plaintext-credential vulnerability that most VDI brokers ship with.
Per-session DEK wrapped via Vault Transit. Recordings are cryptographically tied to their session metadata; decryption requires Vault access.
Rotate KEK; old DEKs still decrypt. Background re-encrypt without taking the system offline.
Built on Vault Raft + Transit; integrated with the rest of CyMesh. No separate vault product to deploy and operate.
Tenant ID + master key → derived key. No cross-tenant blast radius.
KEK never on disk, never in env. Only Vault Transit knows the master.
Rotate KEK; old DEKs still decrypt. Background re-encrypt without downtime.
HashiCorp Vault foundation with 3-node Raft consensus for high availability.
Every secret access logged with actor, intent, justification. Immutable, 365-day retention.
Secrets injected into the session, never returned to the caller as plaintext.
30-day proof of concept on two idle servers. We bring the SE. You bring the use case.