Key Hierarchy
Derived Key Tree
```text
Master Key (stored in KMS — AWS, GCP, Azure, or S3)
│
├── HKDF("arcan-dek-v1")
│   └── Data Encryption Key (DEK) — encrypts secrets at rest (AES-256-GCM)
│
├── HKDF("arcan-audit-hmac-v1")
│   └── Audit HMAC Key — integrity chain for audit log entries
│
├── HKDF("arcan-plugin-auth-v1")
│   └── Plugin Auth Key — authenticates plugin runtime sessions
│
└── Separate: Registry Signing Keys (Ed25519, not derived from master key)
    ├── Official key — public key embedded in core binary
    └── Enterprise key — distributed with activation, stored in license.json
```
HKDF Derivation
All derived keys use HKDF-SHA256 (RFC 5869) with distinct info strings. This ensures:
- One master key feeds all derived keys
- Compromising one derived key does not compromise the master key or any other derived key
- Rotating the master key rotates all derived keys

Because no salt is passed, the info string is the only thing that separates one derived key from another, so every new subkey needs its own unique, versioned info string (hence the `-v1` suffix).
```go
import (
	"crypto/sha256"
	"fmt"
	"io"
	"golang.org/x/crypto/hkdf"
)

// deriveKey derives a 32-byte subkey from masterKey with HKDF-SHA256 (RFC 5869).
// No salt is used; the info string alone separates the derived keys.
func deriveKey(masterKey []byte, info string) ([]byte, error) {
	r := hkdf.New(sha256.New, masterKey, nil, []byte(info)) // reader, not shadowing the package name
	key := make([]byte, 32)
	if _, err := io.ReadFull(r, key); err != nil {
		return nil, fmt.Errorf("deriving key for %s: %w", info, err)
	}
	return key, nil
}
```