Documentation

Encryption

Encryption at rest, in transit, and at the column level. KMS key management, post-quantum cryptography, and PCI-DSS tokenisation — all built in, zero external libraries.

Encryption in Transit (TLS 1.3)

All network connections use native TLS 1.3 implemented in pure C11:

| Component | Algorithm |
| --- | --- |
| Key exchange | X25519 ECDHE (+ ML-KEM-768 hybrid for PQC) |
| Key derivation | HKDF-SHA-256 |
| Symmetric encryption | AES-256-GCM, ChaCha20-Poly1305 |
| Session tickets | 0-RTT with replay protection |
| Handshake time | < 2 ms |

```bash
# Enable TLS
absdb-server --tls-cert /etc/absdb/server.crt --tls-key /etc/absdb/server.key

# Verify TLS from client
psql "host=localhost port=5433 sslmode=require"
```

Encryption at Rest (Column-Level)

Absolute DB encrypts individual columns with AES-256-GCM:

```sql
-- Encrypt a column
ALTER TABLE patients ALTER COLUMN ssn SET (encrypted = true);

-- Data is transparently encrypted on write, decrypted on read
-- Only users with the appropriate role can see plaintext
INSERT INTO patients (name, ssn) VALUES ('Alice', '123-45-6789');
SELECT ssn FROM patients;  -- returns plaintext if authorised
```

Each encrypted column uses a separate Data Encryption Key (DEK) managed by the built-in KMS. DEKs are wrapped with a master key and rotated annually (or on demand for PCI-DSS compliance).

Key Management (KMS)

| Feature | Details |
| --- | --- |
| Key hierarchy | Master Key → DEK per column/tenant |
| KDF | Argon2id (memory-hard, side-channel resistant) |
| Key wrapping | AES-256-GCM envelope encryption |
| Rotation | Online rotation with zero downtime |
| HSM support | PKCS#11 shim for FIPS 140-3 Level 4 hardware |
| Per-tenant keys | Each tenant gets its own DEK (multi-tenancy isolation) |
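
An added sketch of the Master Key → DEK envelope scheme described above (example code, not Absolute DB's implementation): a per-column DEK is wrapped with AES-256-GCM, and a master-key rotation re-wraps the DEK without rewriting column data. The blob layout, the use of the column name as AAD and every function name here are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM seal. Output layout: nonce (12) | ciphertext | tag (16).
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12); // fresh nonce per call, never reused under a key
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Inverse of seal. Throws on a wrong key, a wrong AAD or any modified byte.
function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Create a per-column DEK and return it only in wrapped form. The column name is
// the AAD (an assumption), so a wrapped DEK copied onto another column does not unwrap.
function newWrappedDek(masterKey, column) {
  return seal(masterKey, crypto.randomBytes(32), Buffer.from(column));
}

// Master-key rotation: re-wrap the DEK. The DEK itself is unchanged, so the
// column ciphertext stays valid and is not rewritten.
function rewrapDek(oldMaster, newMaster, wrapped, column) {
  const aad = Buffer.from(column);
  return seal(newMaster, open(oldMaster, wrapped, aad), aad);
}

function encryptCell(masterKey, wrapped, column, value) {
  const aad = Buffer.from(column);
  return seal(open(masterKey, wrapped, aad), Buffer.from(value), aad);
}

function decryptCell(masterKey, wrapped, column, cell) {
  const aad = Buffer.from(column);
  return open(open(masterKey, wrapped, aad), cell, aad).toString();
}

// Constructed demo: random master keys, sample column name and value.
function demo() {
  const mk1 = crypto.randomBytes(32), mk2 = crypto.randomBytes(32), col = 'patients.ssn';
  const wrapped1 = newWrappedDek(mk1, col);
  const cell = encryptCell(mk1, wrapped1, col, '123-45-6789');
  const wrapped2 = rewrapDek(mk1, mk2, wrapped1, col); // rotate the master key
  return decryptCell(mk2, wrapped2, col, cell);
}
console.log(demo()); // 123-45-6789
```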

Post-Quantum Cryptography

Quantum-resistant algorithms are built in for long-term data protection:

| FIPS Standard | Algorithm | Purpose |
| --- | --- | --- |
| FIPS 203 | ML-KEM-768 | Key encapsulation (hybrid TLS handshake) |
| FIPS 204 | ML-DSA-65 | Digital signatures (node certs, audit log, WAL) |
| FIPS 205 | SLH-DSA | Hash-based signatures (CA root certs) |

PCI-DSS Tokenisation

```sql
-- Tokenise a credit card number (FF3-1 format-preserving encryption)
SELECT absdb_pci_tokenise('4111111111111111');
-- Returns: 4738291056473829 (same format, different value)

-- De-tokenise (role-restricted); pass the token returned above
SELECT absdb_pci_detokenise('4738291056473829');
-- Returns: 4111111111111111
```
