Master Key Encryption Key

MoonRamp uses a key encryption key scheme to uniquely encrypt all records independently of the underlying data store. The Master Key Encryption Key is a 256 bit key used to protect all data MoonRamp manages.

When the program boots, it will use the provided Master Key Encryption Key to create or decrypt the current Key Encryption Key. The Master Key Encryption Key will be purged from memory and the Key Encryption Key held in memory to decrypt Encryption Key records that are in turn used to decrypt specific record data.

This means that all data is secured via the Master Key Encryption Key. As such, if this key is lost ALL DATA will be lost! To repeat this any hot wallets managed by the system will be UNRECOVERABLE if the Master Key Encryption Key is lost.

MoonRamp uses Rust Crypto.

Rotating the Master Key Encryption Key

TODO¹

Rotating the Key Encryption Key

TODO²

Shamir Secret Sharing

TODO³

Encryption Stack

MoonRamp recommends a holistic approach to securing your data.

For the highest level of security Merchants should:

• Maintain network firewall configurations to minimize network traffic to host running your data store and MoonRamp
• Run MoonRamp as a non-root user
• Run your data store on seperate hosts as a non-root user
• Enable full disk encryption for both your data store and MoonRamp hosts
• Enable transparent encryption for your data store (Sqlcipher, pgcrypto, etc)
• Run all network traffic with TLS
• Utilize cold wallet support for high risk scenarios