Zero-Trust Execution

Bauxite Intercept is designed to operate in environments where data persistence is a primary security liability. Our Zero-Trust Architecture provides a “Deterministic Proof of Non-Leaking,” ensuring that sensitive data is handled according to strict organizational tiers.


The Stateless Continuum

Bauxite supports two distinct modes of execution depending on your regulatory and functional requirements:

1. Pure Volatile Mode (Open Core / Stateless)

In this mode, Bauxite acts as a truly stateless conduit.

  • No Disk I/O: The process never attempts to write to the local filesystem.
  • Memory-Only Vault: PII mappings live strictly in RAM and are zero-filled (explicitly wiped) immediately after request completion.
  • Rootless: Optimized for readOnlyRootFilesystem: true container environments.

2. Governance Mode (Shield / Fortress / Stateful)

When Audit Persistence is required (e.g., SOC2/HIPAA), Bauxite introduces a Controlled Disk Boundary.

  • Encrypted Persistence: Only metadata and context placeholders are written to an AES-GCM encrypted SQLite database.
  • PII Isolation: The original sensitive data (the raw PII) still lives only in RAM and is NEVER persisted to disk.
  • Identity Enforcement: mTLS ensures that only verified clients can establish the initial trust connection.

Core Guarantees

Guarantee        | Open Core Implementation     | Shield/Fortress Implementation
Disk Writes      | Blocked (SIGKILL on attempt) | Encrypted Metadata Only
PII Persistence  | Zero (RAM only)              | Zero (RAM only)
Audit Trails     | Volatile (1-hour buffer)     | Persistent (Encrypted SQLite)
Memory Isolation | Hard 20MB Straitjacket       | Hard 20MB Straitjacket

Hardening the Deployment

To enable full Zero-Trust protections, we recommend the following OS-level constraints:

1. Disable OS Swap

To prevent sensitive data in RAM from being paged to disk by the kernel, disable swap on the host:

sudo swapoff -a

2. Read-Only Root Filesystem

Run the container with a read-only root to prevent any unauthorized binary modification:

securityContext:
  readOnlyRootFilesystem: true

Verification

You can verify that raw PII is not touching the disk by running a search on the sidecar’s storage after sending a sensitive prompt:

# Search for a known string (e.g., the e-mail address used in the test prompt) in the container storage
grep -r "<email-from-test-prompt>" /app/data
# Expected Output: (No results)
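
The hardening and verification steps above, combined into one POSIX shell preflight; this is an added example, not Bauxite's own tooling. The function names and the canary address are hypothetical, /proc/swaps and /proc/mounts are the standard Linux files, and /app/data is the path used above.

```shell
#!/bin/sh
# Added example: preflight checks for the hardening and verification steps above.
# Function names and the canary value are hypothetical; paths are parameters so
# the checks can run against constructed files as well as the live /proc entries.

# swap_active [FILE]: exit 0 if a /proc/swaps-format file lists any swap area.
swap_active() {
    # Line 1 is the column header; any later non-empty line is active swap.
    awk 'NR > 1 && NF > 0 { found = 1 } END { exit !found }' "${1:-/proc/swaps}"
}

# root_readonly [FILE]: exit 0 only if the effective "/" mount carries "ro".
root_readonly() {
    # The last "/" entry wins (later mounts shadow earlier ones). No entry at
    # all counts as writable, so the check fails closed.
    awk '$2 == "/" { opts = $4 }
         END { if (("," opts ",") ~ /,ro,/) exit 0; exit 1 }' "${1:-/proc/mounts}"
}

# canary_on_disk STRING DIR: exit 0 if STRING occurs in any file under DIR.
canary_on_disk() {
    # -F treats the canary as a literal: "." in an address is a regex wildcard.
    grep -rFq -- "$1" "$2"
}

# preflight CANARY DATA_DIR [SWAPS_FILE] [MOUNTS_FILE]
preflight() {
    rc=0
    if swap_active "${3:-/proc/swaps}"; then
        echo "FAIL: swap is enabled"; rc=1
    fi
    if ! root_readonly "${4:-/proc/mounts}"; then
        echo "FAIL: root filesystem is writable"; rc=1
    fi
    if [ ! -d "$2" ]; then
        # A missing directory must not be reported as "no PII found".
        echo "FAIL: data directory $2 not found"; rc=1
    elif canary_on_disk "$1" "$2"; then
        echo "FAIL: canary found under $2"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: all checks passed"; fi
    return "$rc"
}

# Run only when called with arguments, e.g.:
#   sh preflight.sh 'canary-7f3a@example.invalid' /app/data
if [ "$#" -ge 2 ]; then preflight "$@"; exit $?; fi
```

Send the canary in a test prompt first, then run the script against the sidecar's storage. `swapoff -a` does not persist across a reboot if swap is still listed in /etc/fstab, so repeat the swap check after host restarts.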