What This Template Is For
Encryption is the last line of defense when everything else fails. If an attacker gets past your firewall, bypasses your access controls, and reaches your database, encryption determines whether they get usable data or meaningless ciphertext. But encryption only works when it is implemented consistently across every layer of your stack, with properly managed keys that are stored separately from the data they protect.
This template provides a structured approach to planning encryption across your product. It covers four areas: classifying data by sensitivity to determine encryption requirements, selecting algorithms and modes for data at rest and in transit, designing key management procedures, and mapping your encryption implementation to compliance requirements.
Most teams encrypt the database and call it done. That misses encrypted backups, log files containing PII, temporary files on worker nodes, inter-service communication, and data in third-party integrations. This template forces you to inventory every place data lives or moves and apply the right encryption strategy to each.
For a full security posture assessment, the enterprise security review template covers the broader context. The Technical PM Handbook explains how infrastructure decisions like encryption affect product development timelines. If your product needs to pass SOC 2 or ISO 27001, the compliance audit template maps encryption controls to audit requirements.
How to Use This Template
- Classify your data. Identify every data type your product handles and assign a sensitivity level.
- Map the data lifecycle. Trace where each data type is stored, transmitted, and processed.
- Select encryption strategies. Choose algorithms and key sizes for each data state (at rest, in transit, in use).
- Design key management. Define how keys are generated, stored, rotated, and retired.
- Verify compliance mapping. Ensure your encryption plan meets the requirements of applicable frameworks.
The Template
Part 1: Data Sensitivity Classification
Classify every data type by sensitivity level. Each level determines the minimum encryption requirements.
| Sensitivity Level | Description | Examples | Encryption at Rest | Encryption in Transit | Key Management |
|---|---|---|---|---|---|
| Critical | Data that would cause severe harm if exposed (regulatory penalties, identity theft) | Passwords, SSNs, payment card numbers, health records, encryption keys | AES-256 + field-level encryption | TLS 1.3 required | HSM-backed, 90-day rotation |
| High | PII and business-sensitive data | Names, emails, addresses, API keys, session tokens | AES-256 volume encryption | TLS 1.2+ required | KMS-managed, annual rotation |
| Medium | Internal business data | Product usage analytics, internal configs, employee data | AES-256 volume encryption | TLS 1.2+ required | KMS-managed, annual rotation |
| Low | Public or non-sensitive data | Published content, marketing pages, public API docs | Volume encryption (default) | TLS 1.2+ required | Default provider keys |
Data inventory:
| Data Type | Sensitivity | Where Stored | Where Transmitted | Processing Locations | Current Encryption |
|---|---|---|---|---|---|
| User passwords | Critical | PostgreSQL (hashed, not encrypted) | HTTPS login form | Auth service | bcrypt hash (not reversible) |
| Payment card data | Critical | Not stored (Stripe handles) | HTTPS to Stripe API | N/A (delegated) | PCI DSS compliant via Stripe |
| User PII (name, email) | High | PostgreSQL, Elasticsearch | HTTPS, internal gRPC | API, search, email services | Volume encryption (RDS) |
| Session tokens | High | Redis | HTTPS cookies | Auth service | Redis at-rest encryption |
| API keys | Critical | PostgreSQL (hashed) | HTTPS, never logged | API gateway | SHA-256 hash (stored), shown once |
| Uploaded files | High | S3 | HTTPS upload, S3 transfer | Worker nodes | S3 SSE-KMS |
| Analytics events | Medium | ClickHouse | HTTPS, Kafka | Analytics pipeline | Volume encryption |
| Audit logs | High | S3, CloudWatch | HTTPS | Log aggregation | S3 SSE-KMS, CW encryption |
| Backups | Matches source | S3 Glacier | HTTPS, AWS internal | N/A | S3 SSE-KMS (separate key) |
Part 2: Encryption at Rest
Define the encryption strategy for each storage location.
| Storage | Encryption Method | Algorithm | Key Size | Key Provider | Key Rotation | Notes |
|---|---|---|---|---|---|---|
| PostgreSQL (RDS) | Volume encryption | AES-256-GCM | 256-bit | AWS KMS (CMK) | Annual auto-rotation | Encrypts data files, WAL, snapshots |
| Field-level (PII columns) | Application-layer encryption | AES-256-GCM | 256-bit | AWS KMS (separate CMK) | 90-day manual rotation | Envelope encryption: DEK encrypted by CMK |
| S3 (file uploads) | Server-side encryption | AES-256 | 256-bit | AWS KMS (CMK) | Annual auto-rotation | SSE-KMS with bucket policy enforcement |
| S3 (backups) | Server-side encryption | AES-256 | 256-bit | AWS KMS (separate CMK) | Annual auto-rotation | Different key from production data |
| Redis | Volume encryption | AES-256 | 256-bit | AWS managed | AWS managed | ElastiCache at-rest encryption |
| Elasticsearch | Volume encryption | AES-256 | 256-bit | AWS KMS (CMK) | Annual auto-rotation | OpenSearch encryption at rest |
| ClickHouse | Volume encryption | AES-256 | 256-bit | AWS KMS (CMK) | Annual auto-rotation | EBS encryption |
| Local developer machines | Full disk encryption | AES-256 (XTS) | 256-bit | OS-managed (FileVault/BitLocker) | N/A | Required by security policy |
Encryption at rest checklist:
- ☐ All production data stores have encryption at rest enabled
- ☐ Critical-sensitivity fields use application-layer encryption (not just volume encryption)
- ☐ Backup encryption uses a different key than production encryption
- ☐ Encryption is enforced by policy (S3 bucket policy denies unencrypted uploads)
- ☐ Temporary files and swap space are encrypted (or disabled)
- ☐ Development and staging environments use encryption (may use different keys)
- ☐ Encryption configuration is verified by automated tests in CI/CD
Part 3: Encryption in Transit
Define the encryption strategy for each communication path.
| Communication Path | Protocol | Minimum Version | Certificate | HSTS | Certificate Pinning |
|---|---|---|---|---|---|
| User to application | HTTPS | TLS 1.2 | Let's Encrypt (auto-renewed) | Yes, max-age=31536000, includeSubDomains | No (breaks certificate renewal) |
| Application to database | TLS | TLS 1.2 | RDS CA certificate | N/A | Yes (pin to RDS CA root) |
| Service to service | mTLS or TLS | TLS 1.2 | Internal CA (auto-rotated) | N/A | Yes (pin to internal CA) |
| Application to S3 | HTTPS | TLS 1.2 | AWS certificate | N/A | No (AWS manages) |
| Application to Stripe | HTTPS | TLS 1.2 | Stripe certificate | N/A | No (Stripe manages) |
| Webhook deliveries | HTTPS | TLS 1.2 | Recipient's certificate | N/A | No |
| Email (transactional) | TLS | TLS 1.2 (opportunistic) | Provider certificate | N/A | No |
| CI/CD to production | SSH/HTTPS | TLS 1.2, SSH Ed25519 | GitHub Actions OIDC | N/A | N/A |
Encryption in transit checklist:
- ☐ All external endpoints enforce HTTPS (HTTP returns 301 redirect)
- ☐ HSTS is enabled with a minimum max-age of 1 year and includeSubDomains
- ☐ TLS 1.0 and 1.1 are disabled on all endpoints
- ☐ Weak cipher suites are disabled (no RC4, no 3DES, no export ciphers)
- ☐ Database connections require TLS (reject plaintext connections)
- ☐ Internal service communication uses TLS or mTLS (not plaintext within the VPC)
- ☐ Certificate expiration is monitored with alerts at 30, 14, and 7 days before expiry
- ☐ SSL Labs score is A or A+ for all public endpoints
Part 4: Key Management
Define the lifecycle for every encryption key in your system.
Key inventory:
| Key Name | Purpose | Type | Storage | Access Control | Rotation Period | Last Rotated |
|---|---|---|---|---|---|---|
| prod-db-cmk | PostgreSQL volume encryption | KMS CMK | AWS KMS | IAM policy: RDS service role only | Annual (auto) | ___ |
| prod-pii-cmk | Field-level PII encryption | KMS CMK | AWS KMS | IAM policy: app service role only | 90 days (manual) | ___ |
| prod-s3-cmk | S3 file encryption | KMS CMK | AWS KMS | IAM policy: app service role + backup role | Annual (auto) | ___ |
| backup-cmk | Backup encryption | KMS CMK | AWS KMS (separate account) | IAM policy: backup service role only | Annual (auto) | ___ |
| tls-cert | HTTPS encryption | X.509 | ACM / Let's Encrypt | Auto-renewed | 90 days (auto) | ___ |
| internal-ca | mTLS between services | CA cert | HashiCorp Vault | Vault policy: service mesh only | Annual (manual) | ___ |
| hmac-secret | Webhook signature | HMAC key | Secrets Manager | IAM policy: webhook service only | Annual (manual) | ___ |
Key management procedures:
Key Generation
- ☐ Keys are generated using cryptographically secure random number generators (CSPRNG)
- ☐ KMS-managed keys use HSM-backed generation (FIPS 140-2 Level 3)
- ☐ Key generation events are logged and auditable
Key Storage
- ☐ No encryption keys stored in application code, environment variables, or config files
- ☐ All keys stored in dedicated key management services (KMS, Vault, Secrets Manager)
- ☐ Key access is restricted to the specific service role that needs it
- ☐ Emergency break-glass access requires two-person approval
Key Rotation
- ☐ Automated rotation is enabled for all KMS-managed keys
- ☐ Manual rotation procedures are documented and tested annually
- ☐ Rotation does not require application downtime (envelope encryption enables this)
- ☐ Old key versions are retained for decrypting historical data (not deleted immediately)
Key Retirement
- ☐ Retired keys are scheduled for deletion with a 30-day waiting period
- ☐ All data encrypted with a retiring key is re-encrypted with the current key before deletion
- ☐ Key deletion events are logged and require senior engineering approval
Part 5: Compliance Mapping
Map your encryption implementation to the requirements of applicable compliance frameworks.
| Requirement | SOC 2 | ISO 27001 | HIPAA | PCI DSS | GDPR | Your Implementation |
|---|---|---|---|---|---|---|
| Encryption at rest for sensitive data | CC6.7 | A.10.1.1 | 164.312(a)(2)(iv) | Req 3.4 | Art. 32(1)(a) | AES-256 via KMS |
| Encryption in transit | CC6.7 | A.13.1.1 | 164.312(e)(1) | Req 4.1 | Art. 32(1)(a) | TLS 1.2+ enforced |
| Key management procedures | CC6.1 | A.10.1.2 | 164.312(a)(2)(iv) | Req 3.5-3.6 | Art. 32(1)(a) | AWS KMS + Vault |
| Key rotation | CC6.1 | A.10.1.2 | Best practice | Req 3.6.4 | Best practice | Annual auto + 90-day manual |
| Encryption of backups | CC6.7 | A.12.3.1 | 164.312(a)(2)(iv) | Req 3.4 | Art. 32(1)(a) | Separate KMS key |
| Secure key storage | CC6.1 | A.10.1.2 | 164.312(a)(2)(iv) | Req 3.5.2 | Art. 32(1)(a) | HSM-backed KMS |
Filled Example: MedTrack Healthcare SaaS
Product: MedTrack, a healthcare analytics platform processing PHI for 200 hospital systems.
Compliance requirements: HIPAA, SOC 2 Type II, HITRUST CSF
Encryption implementation:
| Layer | Implementation | Key Details |
|---|---|---|
| Database (RDS PostgreSQL) | AES-256 volume encryption + field-level encryption for PHI columns | Volume: KMS auto-rotation. Field-level: 90-day rotation, envelope encryption with per-tenant DEKs |
| File storage (S3) | SSE-KMS with per-customer CMKs | Customer A's files cannot be decrypted by Customer B's key. Required for HIPAA multi-tenancy. |
| Search (OpenSearch) | Node-to-node TLS + at-rest encryption | PHI fields encrypted at application layer before indexing. Search on encrypted fields uses tokenized index. |
| Inter-service | mTLS via Istio service mesh | All service-to-service traffic encrypted. No plaintext within the VPC. |
| Backups | Separate KMS key in separate AWS account | Backup key access requires break-glass approval from two senior engineers. Tested quarterly. |
| Client devices | Enforced via MDM policy | FileVault on macOS, BitLocker on Windows. Verified by Jamf compliance checks. |
Key management lessons learned:
- Initially stored API secrets in environment variables. Migrated to AWS Secrets Manager after a SOC 2 finding.
- Field-level encryption added 3ms of latency per read. Acceptable for their use case, but they cache decrypted values in memory (never to disk) for frequently accessed records.
- Per-tenant encryption keys required careful key hierarchy design. They use a three-level hierarchy: root CMK (KMS), tenant KEK (derived), and field DEK (per-record).
Common Mistakes
- Volume encryption without field-level encryption for sensitive data. Volume encryption protects against physical disk theft. It does not protect against SQL injection, application-layer breaches, or insider threats. Critical data (PII, PHI, payment data) needs application-layer encryption.
- Storing keys alongside the data they protect. If the encryption key is in the same database, S3 bucket, or config file as the encrypted data, a single breach exposes both. Keys must be in a separate system with independent access controls.
- Never rotating keys. Key rotation limits the blast radius of a compromised key. If a key is compromised and has been in use for 5 years, all data encrypted in that period is exposed. With 90-day rotation, only 90 days of data is at risk.
- Encrypting data but not backups. Your database is encrypted, but the nightly backup dump is a plaintext SQL file on an S3 bucket with public read access. Backups must be encrypted with the same rigor as production data (see backup recovery template).
- Ignoring data in transit within your VPC. "It is inside the firewall" is not an encryption strategy. A compromised service inside your network can sniff plaintext traffic between other services. Use TLS or mTLS for all internal communication.
For tracking and remediating the vulnerabilities that could expose your encrypted data, the vulnerability management template covers the full lifecycle.