-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsecurity.yaml
More file actions
471 lines (405 loc) · 18.2 KB
/
Copy pathsecurity.yaml
File metadata and controls
471 lines (405 loc) · 18.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
# =============================================================================
# ThemisDB Security Configuration
# Version: 1.4.2
# =============================================================================
#
# This file contains security-related configuration for ThemisDB.
# Proper configuration is CRITICAL for production deployments.
#
# =============================================================================
# =============================================================================
# HSM (Hardware Security Module) Configuration
# =============================================================================
#
# ⚠️ CRITICAL SECURITY WARNING ⚠️
#
# The Hardware Security Module (HSM) protects master encryption keys.
# Proper HSM configuration is MANDATORY for production deployments.
#
# COMPLIANCE REQUIREMENTS:
# - NIST SP 800-53 SC-12 (Cryptographic Key Establishment and Management)
# - ISO 27001 A.8.24 (Use of Cryptography)
# - PCI DSS Requirement 3.6 (Key Protection)
# - GDPR Article 32 (Security of Processing)
#
# =============================================================================
hsm:
# ═══════════════════════════════════════════════════════════════════════
# HSM Provider Selection
# ═══════════════════════════════════════════════════════════════════════
#
# ⚠️ WARNING: 'stub' provider is INSECURE and for DEVELOPMENT ONLY! ⚠️
#
# The 'stub' provider stores keys in plaintext or with weak protection.
# It does NOT provide hardware-backed security.
#
# Available Providers:
#
# 1. stub (DEFAULT - INSECURE!)
# - For development/testing ONLY
# - Keys NOT protected by hardware
# - Violates compliance requirements
# - Server will log ERROR-level warnings every 5 minutes
#
# 2. pkcs11 (RECOMMENDED for on-premises)
# - Hardware Security Module via PKCS#11 interface
# - Supported devices:
# * Thales Luna HSM
# * Utimaco CryptoServer
# * AWS CloudHSM
# * nCipher nShield
# * SoftHSM2 (testing only)
#
# 3. aws_kms (RECOMMENDED for AWS)
# - AWS Key Management Service
# - FIPS 140-2 Level 2 validated
# - Automatic key rotation
#
# 4. azure_keyvault (RECOMMENDED for Azure)
# - Azure Key Vault
# - FIPS 140-2 validated HSMs
# - Managed service
#
# 5. gcp_kms (RECOMMENDED for GCP)
# - Google Cloud Key Management Service
# - FIPS 140-2 Level 3 HSMs available
# - Integrated with GCP services
#
# 6. vault (RECOMMENDED for HashiCorp environments)
# - HashiCorp Vault Transit Engine
# - Encryption-as-a-Service
# - Multi-cloud support
#
# ═══════════════════════════════════════════════════════════════════════
provider: stub # ⚠️ DEVELOPMENT ONLY - CHANGE FOR PRODUCTION! ⚠️
# ═══════════════════════════════════════════════════════════════════════
# Stub Provider Security Gating (NEW in v1.4.2)
# ═══════════════════════════════════════════════════════════════════════
#
# SECURITY HARDENING: The stub provider now requires explicit opt-in to
# prevent accidental production deployment.
#
# Environment Variables:
#
# 1. THEMIS_ALLOW_HSM_STUB=1
# - Explicitly allows stub provider usage
# - Required in production-like environments
# - Only set for development/testing
#
# 2. THEMIS_PRODUCTION_MODE=1
# - Forces production mode
# - Stub provider will FAIL even with THEMIS_ALLOW_HSM_STUB=1
# - Use to ensure production deployments use real HSM
#
# 3. ENVIRONMENT=production (or NODE_ENV=production)
# - Automatically detected as production environment
# - Requires THEMIS_ALLOW_HSM_STUB=1 to proceed
# - Logs ERROR-level warnings
#
# Behavior:
# - Development (no env vars): Stub allowed with warnings
# - Production indicators detected: Fails without THEMIS_ALLOW_HSM_STUB=1
# - THEMIS_PRODUCTION_MODE=1: Always fails with stub
#
# See: docs/security/HSM_PRODUCTION_SETUP.md
# ═══════════════════════════════════════════════════════════════════════
# ═══════════════════════════════════════════════════════════════════════
# PKCS#11 Configuration (for 'pkcs11' provider)
# ═══════════════════════════════════════════════════════════════════════
#
# ⚠️ IMPORTANT: PKCS#11 Header Strategy (NEW in v1.4.2) ⚠️
#
# ThemisDB uses a two-tier PKCS#11 header approach:
#
# 1. DEVELOPMENT: pkcs11_minimal.h (built-in, limited)
# - For local development and testing
# - Works with SoftHSM2
# - Missing vendor-specific features
# - Build with: cmake (default)
#
# 2. PRODUCTION: Vendor PKCS#11 headers (required)
# - Install HSM vendor SDK first
# - Full PKCS#11 functionality
# - Vendor-specific extensions
# - Build with: cmake -DTHEMIS_USE_VENDOR_PKCS11=ON
#
# Vendor SDK Installation:
# Thales Luna: Luna HSM Client SDK
# AWS CloudHSM: CloudHSM Client SDK
# Utimaco: CryptoServer SDK
# nCipher: nShield SDK
#
# See: docs/security/PKCS11_INTEGRATION.md
# ═══════════════════════════════════════════════════════════════════════
pkcs11:
# Path to PKCS#11 library
# Examples:
# Thales Luna: /usr/lib/libCryptoki2_64.so
# AWS CloudHSM: /opt/cloudhsm/lib/libcloudhsm_pkcs11.so
# SoftHSM2: /usr/lib/softhsm/libsofthsm2.so (testing only)
library_path: ""
# HSM slot ID (usually 0 for single-slot devices)
slot_id: 0
# User PIN for HSM authentication
# ⚠️ NEVER commit PIN to version control! ⚠️
# Use environment variable: THEMIS_HSM_PIN
# Or secure secrets management (Vault, AWS Secrets Manager, etc.)
pin: ""
# Optional: Token label for multi-token setups
token_label: ""
# Key label for master key operations
key_label: "themis-master-key"
# Signature algorithm
signature_algorithm: "RSA-SHA256"
# Session pool size for concurrent operations
# Increase for high-throughput environments
session_pool_size: 4
# Enable verbose PKCS#11 logging (for troubleshooting)
verbose: false
# ═══════════════════════════════════════════════════════════════════════
# AWS KMS Configuration (for 'aws_kms' provider)
# ═══════════════════════════════════════════════════════════════════════
aws_kms:
# AWS Region
region: "us-east-1"
# KMS Key ARN or Alias
# Example: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
# Or alias: alias/themis-master-key
key_id: ""
# Optional: Assume IAM role for KMS access
# role_arn: "arn:aws:iam::123456789012:role/ThemisKMSRole"
# ═══════════════════════════════════════════════════════════════════════
# Azure Key Vault Configuration (for 'azure_keyvault' provider)
# ═══════════════════════════════════════════════════════════════════════
azure_keyvault:
# Key Vault URL
# Example: https://themis-vault.vault.azure.net/
vault_url: ""
# Key name in Key Vault
key_name: "themis-master-key"
# Authentication method: managed_identity, service_principal, or cli
auth_method: "managed_identity"
# For service_principal auth:
# tenant_id: ""
# client_id: ""
# client_secret: "" # Use env var: AZURE_CLIENT_SECRET
# ═══════════════════════════════════════════════════════════════════════
# Google Cloud KMS Configuration (for 'gcp_kms' provider)
# ═══════════════════════════════════════════════════════════════════════
gcp_kms:
# GCP Project ID
project_id: ""
# KMS Location (region)
location: "us-central1"
# Key Ring name
key_ring: "themis-keyring"
# Key name
key_name: "themis-master-key"
# Optional: Service account key file path
# Leave empty to use Application Default Credentials (recommended)
# credentials_file: ""
# ═══════════════════════════════════════════════════════════════════════
# HashiCorp Vault Configuration (for 'vault' provider)
# ═══════════════════════════════════════════════════════════════════════
#
# ⚠️ IMPORTANT: VaultSigningProvider Limitation (NEW in v1.4.2) ⚠️
#
# VaultSigningProvider is a SIGNING-ONLY provider:
# ✅ Supports: sign(), verify() operations
# ❌ Does NOT support: getKey(), rotateKey(), listKeys(), etc.
#
# PURPOSE:
# - Sign data using Vault Transit Engine
# - Keys never leave Vault (enhanced security)
# - Minimal permissions required
#
# FOR FULL KEY MANAGEMENT:
# Use VaultKeyProvider instead (separate implementation)
# Or use Vault CLI/API directly for key operations
#
# FEATURE FLAG:
# Set THEMIS_VAULT_SIGNING_ONLY=1 to acknowledge this limitation
#
# See: docs/security/VAULT_SIGNING_PROVIDER.md
# ═══════════════════════════════════════════════════════════════════════
vault:
# Vault server URL
address: "https://vault.example.com:8200"
# Transit engine mount path
mount_path: "transit"
# Key name in transit engine
key_name: "themis-master-key"
# Authentication method: token, approle, kubernetes, or aws
auth_method: "token"
# For token auth (use env var: VAULT_TOKEN)
# token: ""
# For AppRole auth:
# role_id: ""
# secret_id: "" # Use env var: VAULT_SECRET_ID
# Enable TLS verification (set false only for testing)
tls_verify: true
# =============================================================================
# Production Mode Settings
# =============================================================================
#
# Production mode enforces stricter security requirements.
# Set via environment variable: THEMIS_PRODUCTION_MODE=true
#
# When production mode is enabled:
# - HSM stub provider is BLOCKED by default
# - Override with --allow-stub-hsm flag (NOT RECOMMENDED)
# - Periodic security checks run every 5 minutes
# - Enhanced audit logging enabled
#
# =============================================================================
# =============================================================================
# Additional Security Settings
# =============================================================================
# Enable field-level encryption
field_encryption:
enabled: true
# Encryption algorithm (AES-256-GCM recommended)
algorithm: "AES-256-GCM"
# Access control settings
access_control:
# Enable Role-Based Access Control (RBAC)
rbac_enabled: true
# Require authentication for all operations
require_authentication: true
# Session timeout (minutes)
session_timeout: 60
# Audit logging
audit:
# Enable audit logging
enabled: true
# Audit log path
log_path: "./logs/audit.log"
# Log retention (days)
retention_days: 365
# Log sensitive operations
log_sensitive_operations: true
# TLS/SSL Configuration
tls:
# Enable TLS for all connections
enabled: true
# Certificate path
cert_file: "./certs/server.crt"
# Private key path
key_file: "./certs/server.key"
# CA certificate for client verification
ca_file: "./certs/ca.crt"
# Minimum TLS version (1.2 or 1.3)
min_version: "1.3"
# Require client certificates
require_client_cert: false
# =============================================================================
# AI Safety Layer Configuration
# =============================================================================
#
# Protects production databases from uncontrolled destructive operations by
# AI agents (MCP clients, AI Orchestrator, agentic LLM pipelines).
#
# Background: Cursor AI incident (April 2026) — an AI agent deleted a production
# database without approval, snapshot, or environment differentiation.
#
# Full documentation: docs/de/security/ai_safety/AI_SAFETY_ARCHITECTURE.md
# Developer reference: src/security/AI_SAFETY_ARCHITECTURE.md
#
# ⚠️ PRODUCTION RECOMMENDATION ⚠️
# Set environment.name: production and block_destructive: true for all
# production deployments that expose MCP or AI Orchestrator endpoints.
#
# =============================================================================
environment:
# Deployment environment: production | staging | development
# Controls strictness of AI agent restrictions.
# Can be overridden via THEMIS_ENVIRONMENT environment variable.
name: development
ai_agent_restrictions:
# Hard-block ALL DESTRUCTIVE-class AI operations (no approval possible).
# Recommended: true in production, false in staging/development.
block_destructive: false
# Require human approval for DESTRUCTIVE and CRITICAL operations.
# Even when block_destructive is false, approval is still enforced.
require_approval: false
# Collection whitelist: AI agent may only modify listed collections.
# Empty list = all collections allowed (restricted further by denied_collections).
allowed_collections: []
# Collection blacklist: AI agent can NEVER write/delete these collections,
# even with operator approval. Hard-coded enforcement, no bypass.
# Recommended entries for production: users, audit_log, billing, _system
denied_collections: []
# RBAC role required to approve CRITICAL operations in production.
# CRITICAL operations remain hard-blocked if no role is configured.
# Assign only to DBA/platform-admin accounts, never to AI agents themselves.
require_role_for_critical: "AI_DESTRUCTIVE_PRODUCTION_OPS"
# Maximum AI-initiated operations per hour (rate limiting).
# 0 = unlimited
max_operations_per_hour: 0
# Maximum number of pending approval requests at one time.
# New operations are rejected if this limit is reached.
max_pending_approvals: 50
# AI Safety snapshot configuration
ai_safety:
snapshot:
# Directory where pre-operation RocksDB checkpoints are stored.
# Must be on the same filesystem as the data directory for hardlink support.
dir: "/var/themis/ai-snapshots"
# How long snapshots are retained before automated cleanup.
retention_days: 7
# Maximum total size of all snapshots combined (GiB).
# When exceeded, oldest snapshots are deleted first.
max_total_size_gb: 100
# Verify snapshot integrity with hash check after creation.
verify_on_create: true
# Cron schedule for snapshot cleanup job.
cleanup_schedule: "0 3 * * *"
# =============================================================================
# PRODUCTION CONFIGURATION EXAMPLE
# =============================================================================
#
# Uncomment and adapt for production deployments:
#
# environment:
# name: production
# ai_agent_restrictions:
# block_destructive: true
# require_approval: true
# allowed_collections: []
# denied_collections:
# - users
# - audit_log
# - billing
# - _system
# - _graphs
# require_role_for_critical: AI_DESTRUCTIVE_PRODUCTION_OPS
# max_operations_per_hour: 100
# max_pending_approvals: 10
#
# ai_safety:
# snapshot:
# dir: "/var/themis/ai-snapshots"
# retention_days: 7
# max_total_size_gb: 100
# verify_on_create: true
#
# =============================================================================
# =============================================================================
# Documentation and Support
# =============================================================================
#
# For detailed HSM setup instructions, see:
# - docs/security/HSM_PRODUCTION_SETUP.md
# - docs/security/COMPLIANCE_GUIDE.md
# - docs/security/SECURITY_BEST_PRACTICES.md
#
# For troubleshooting:
# - Check logs: ./logs/themis_server.log
# - Enable verbose HSM logging: hsm.pkcs11.verbose: true
# - Contact support: security@themisdb.com
#
# Security audit reports:
# - docs/audit-reports/v1.4.1/FINDINGS_AND_RISKS.md
# - docs/audit-reports/v1.4.1/SECURITY_CONTROLS_AUDIT.md
#
# =============================================================================