BAUXITENETWORKS
DOCS security cryptography
Support
# Security: Sovereign Identity & Encryption

Bauxite Mesh is built on "Sovereign-First" security principles, ensuring that identity and encryption keys never leave the edge device.

## Sovereign Identity
When a node joins the mesh, it generates its own cryptographic identity. The node
maintains **two** independent keypairs, both generated locally:

1. **Core Identity** (persisted in `identity.bin`):
   - **Ed25519** (`SoftwareSigner`): Used for node-to-node authentication, message
     signing, and Hub registration. Implemented via `ed25519-dalek`.
   - **X25519** (`StaticSecret`): Used for Diffie-Hellman key exchange during
     P2P session establishment, wrapped in a secure `MemoryLockedKey` to prevent swapping and cold-boot extraction. Implemented via `x25519-dalek`.

2. **mTLS Identity** (persisted as `node.key` / `node.crt`):
   - **Ed25519**: Generated during provisioning via `generate_node_csr()`.
     The node sends a Certificate Signing Request (CSR) to the Control Plane and
     receives a signed mTLS certificate. The private key is never transmitted.
     This keypair is used exclusively for gRPC/TLS authentication with the Hub.

- **Key Rotation**: `SecureChannel` supports atomic key rotation via
  `rotate_keys_atomic()`, deriving fresh `ChaCha20Poly1305` encryptor/decryptor
  pairs from the X25519 shared secret.

## Peer-to-Peer Encryption
All data traffic between nodes is encrypted using high-performance AEAD ciphers.
- **Default Cipher**: **ChaCha20-Poly1305** is the default for its exceptional speed on edge hardware without specialized AES instructions (implemented in `secure_channel.rs`).
- **FIPS 140-3 Mode**: When compiled with the `fips` feature flag (which forwards to `bauxite-conduit/fips` → `aws-lc-rs/fips`), the `SecureChannel` enforces **AES-256-GCM** and disables non-compliant ciphers. This is a compile-time-only toggle.
- **Session Keys**: Established via X25519 Diffie-Hellman during ICE session negotiation.
- **Perfect Forward Secrecy**: Each ICE session uses ephemeral X25519 keypairs, and `rotate_keys_atomic()` can derive fresh keys mid-session.
- **Authentication**: Every packet is verified for integrity and authenticity via the AEAD tag before being processed.

## Post-Quantum Security

Bauxite Mesh features hybrid post-quantum key exchange combining classical X25519 key exchange with post-quantum **ML-KEM-768** key encapsulation (compliant with FIPS 203) using the `ml-kem` crate. When the `post-quantum` feature flag is enabled, nodes dynamically negotiate hybrid keys during P2P signaling to protect traffic against future harvest-now-decrypt-later attacks.

## Enterprise SDP: The CISO Kill-Switch
Bauxite Mesh provides centralized control over a distributed, peer-to-peer network. While data travels directly between nodes, the authorization to form those tunnels is centrally governed by `bauxite-dispatch`.
- **Identity-First Networking**: A node cannot establish a session with another node without a valid, signed authorization from the Hub.
- **Instant Revocation**: If a security threat is detected or a node is decommissioned, the Hub can issue a `PEER_REVOKE` signal via the signaling relay (`/api/admin/identity/revoke` endpoint).
- **Tunnel Collapse**: Upon receiving a revocation signal (handled in `signaling.rs`), the Bauxite Agent collapses the relevant P2P tunnels, closes active agents, and purges session state for the revoked peer.

## Data Loss Prevention (DLP)

> **Feature Flag**: Requires `dlp` (part of the `hardened` product tier).

Bauxite incorporates basic **Data Loss Prevention (DLP)** into its telemetry stream:
- **On-Device Anonymization**: The `anonymize_metrics_and_events()` function (`bauxite/src/telemetry.rs:208`) scrubs IP addresses from log lines using a regex pattern before transmission.

> **Note**: The DLP module is a minimal implementation. Advanced PII scrubbing and structured compliance logging are planned features.

## Automated Compliance & Certification

Bauxite Mesh provides the technical evidence required for SOC2, ISO 27001, and ITAR compliance:
- **FIPS 140-3 Enforcement**: When compiled with the `fips` feature, the Bauxite Agent strictly enforces FIPS-validated cryptographic modules (AES-256-GCM) and disables all non-compliant fallback ciphers.
- **SBOM Verification**: A CycloneDX SBOM compliance verification script (`scripts/verify_compliance.sh`) is provided for checking dependency licenses against enterprise policy. Additionally, a runtime `SbomValidator` verifies the hash of active binaries and dependencies against the CycloneDX SBOM manifest at boot time to detect unauthorized file replacements.
- **Tamper-Evident Boot**: On nodes with hardware attestation enabled (via `verify_pcr_measurements()` in `identity.rs`), the agent verifies the host's integrity before connecting to the Hub, preventing nodes with tampered boot states from joining the mesh.