Encryption
GoValid uses strong encryption to protect sensitive data in QR codes and during transmission.
Encryption Overview
| Layer | Technology | Purpose |
|---|---|---|
| Transport | TLS 1.3 (HTTPS) | Data in transit |
| QR Data | AES-256-GCM (NIST SP 800-38D) | All security levels |
| Metadata | ChaCha20-Poly1305 / AES-256-GCM | Secure and Enterprise QR |
| Signatures | HMAC-SHA256 / Ed25519 | Integrity and non-repudiation |
| Attachments | AES-256-GCM with managed keys | File attachments |
| Storage | AES-256 | Database encryption |
| Credentials | Managed secrets service | API keys, secrets |
QR Code Encryption by Level
Smart QR
- Token: HKDF-SHA256 (96-bit)
- Signature: HKDF-HMAC-SHA256 (128-bit, v2)
- QR data: AES-256-GCM (NIST SP 800-38D)
- Attachments: AES-256-GCM with managed keys
- Standard: NIST 2030+ compliant (v2)
Secure QR
- Hash: SHA-256 (FIPS 180-4)
- Compact hash: HMAC-SHA256 (256-bit)
- QR data: AES-256-GCM (NIST SP 800-38D)
- Metadata: ChaCha20-Poly1305 (RFC 8439)
- Compression: zlib level 9
- Attachments: AES-256-GCM with managed keys
Enterprise QR
- Token: Base62 (128-bit)
- Digital signature: Ed25519 (256-bit, RFC 8032)
- QR data: AES-256-GCM (NIST SP 800-38D)
- Metadata: AES-256-GCM (NIST SP 800-38D)
- Private key storage: AES-256-GCM with managed keys
- Compression: zlib level 9
- Attachments: AES-256-GCM with managed keys
TLS (Transport Layer Security)
All communication with GoValid is encrypted with TLS:
- TLS 1.3: Latest version with improved security
- Certificates: Managed and auto-renewed
- CDN: Additional TLS termination
Enforced HTTPS
- All HTTP requests are redirected to HTTPS
- HSTS (HTTP Strict Transport Security) enabled
- Secure cookies with the Secure flag
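A check an integrator could run over captured response headers to confirm the three behaviours listed above (HTTP-to-HTTPS redirect, HSTS, Secure cookies). This is an added example, not GoValid code; the 180-day max-age floor, the function names and the sample responses are assumptions.

```python
MIN_HSTS_MAX_AGE = 15552000  # assumed floor (180 days); the page states no value


def header_values(headers, name):
    """All values of one header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name]


def hsts_max_age(value):
    """max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = (s.strip().strip('"') for s in directive.partition("="))
        if name.lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None


def cookie_missing_secure(set_cookie):
    """Cookie name if the Set-Cookie value lacks Secure, else None."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return None if "secure" in attrs else parts[0].partition("=")[0]


def audit(http_resp, https_resp):
    """Each response is (status, [(header, value), ...]); returns findings."""
    findings = []
    status, headers = http_resp
    location = (header_values(headers, "location") or [""])[0]
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        findings.append("plain HTTP request is not redirected to HTTPS")
    _, headers = https_resp
    hsts = header_values(headers, "strict-transport-security")
    max_age = hsts_max_age(hsts[0]) if hsts else None
    if max_age is None or max_age < MIN_HSTS_MAX_AGE:
        findings.append("HSTS missing or max-age below %d" % MIN_HSTS_MAX_AGE)
    for value in header_values(headers, "set-cookie"):
        name = cookie_missing_secure(value)
        if name:
            findings.append("cookie %r set without Secure" % name)
    return findings

# Constructed sample responses (example.test), not captured from GoValid.
GOOD = ((301, [("Location", "https://example.test/")]),
        (200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
               ("Set-Cookie", "session=abc; Path=/; Secure; HttpOnly")]))
BAD = ((200, []),
       (200, [("Strict-Transport-Security", "max-age=300"),
              ("Set-Cookie", "session=abc; Path=/; HttpOnly")]))
```

Calling `audit(*GOOD)` returns an empty list, while `audit(*BAD)` returns one finding per violated control.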
Database Encryption
Sensitive data in the database is encrypted:
- User credentials: Hashed with bcrypt
- API keys: Encrypted at rest
- Ed25519 private keys: AES-256 encrypted
- Payment information: Tokenized (not stored)
Credential Management
GoValid uses a managed secrets service for:
- Application secret keys
- Database credentials
- JWT signing keys
- Encryption keys
- API credentials for third-party services
File Upload Security
All file uploads are sanitized:
- File type validation
- Malware scanning
- Size limits enforced
- Stored in encrypted object storage
Encryption for API
Request Encryption
All API requests must use HTTPS. See API Reference for endpoint examples.
Sensitive Data in Requests
When sending sensitive data:
- Use HTTPS only
- Don't log request bodies in production
- Rotate API keys regularly
- Use scoped permissions
Best Practices
- Always use HTTPS: Never send data over HTTP
- Use Secure QR or higher: For sensitive document metadata
- Rotate API keys: Regularly update your API keys
- Protect signing PIN: Never share your Enterprise QR signing PIN
- Monitor access: Review API key usage regularly
Related
- Ed25519 Signatures - Digital signatures
- Security Levels - QR security tiers
- Security Overview - Security architecture