GH GambleHub

Data Encryption and TLS

1) Threat map and targets

In-transit: traffic interception/modification, MitM, downgrade.
At rest (at-rest): theft of disks/backups, DB/log dumps, insiders.
Keys: leaks of secrets, weak rotation, reuse.
The goal is to ensure confidentiality, integrity and authenticity, with measurable SLOs and managed cryptogagility.

2) Data classification and policy

Classes: Public/Internal/Confidential/Restricted (PII/Finance/PAN).
Tags: 'data. class`, `tenant`, `region`, `retention`.
Mandatory measures: for Restricted - encryption at the field/object level, access log, individual keys per-tenant/region.

3) At-rest encryption

3. 1 Envelope encryption

DEK (Data Encryption Key) encrypts data; KEK/CMK (KMS/HSM) encrypts DEK.
KEK rotation does not require decryption of data - re-wrap DEK.
DEK preferably per-object/party/tenant with short TTL.

3. 2 Levels

Transparent (TDE): disk/tablespaces (PostgreSQL/MySQL/SQL Server). Simple, but without granular control.
At the application level: fields/objects (PAN, secrets) - better for multi-tenant and access minimums.
Storage/clouds: S3/GCS SSE-KMS; for ACID data - FLE (field-level encryption) where possible.

3. 3 Algorithms and modes

AEAD: AES-256-GCM or ChaCha20-Poly1305 (on CPU without AES-NI).
IV/nonce: uniqueness is strictly mandatory; Store next to ciphertext do not repeat.
Hashing: passwords - Argon2id (or scrypt/bcrypt) with salt and iron parameters.
MAC/signatures: HMAC-SHA-256 for integrity or AEAD built-in label.

3. 4 Practice for DB/files

PostgreSQL: pgcrypto/extensions; on write - encrypt sensitive fields in the application.
Mongo/Doc-storages: client-side FLE, keys in KMS.
Backups: individual keys and accessible only from the CI/CD agent; offsite copies - always encrypted.

4) Key management (KMS/HSM/Vault)

Source of truth: KMS/HSM; private keys do not leave the device/service.
Versioning: 'kid', 'purpose', 'alg', 'created _ at', 'rotates _ at'.
Access: least-privilege; separation of duties (SoD).
Rotation: scheduled (3-6 months for signing), event (incident), rotate-on-use for refresh tokens.
Audit: immutable logs: who, when, what signed/decrypted.
Multi-tenant: keys per-tenant/brand/region; BYOK/HYOK if required by customer.

5) In-channel encryption (TLS)

5. 1 Lows

TLS 1. 2 +, preferably TLS 1. 3; HSTS on domains.
Cipher Suites: TLS1. 3 - predefined (AES_256_GCM_SHA384/ CHACHA20_POLY1305_SHA256).
PFS: all key epemern exchanges (ECDHE).
ALPN: HTTP/2 and HTTP/3 (QUIC) include consciously; watch timers.

5. 2 Certificates, OCSP, pinning

OCSP stapling and short chains.
Reuse sessions: TLS tickets with short TTL.
0-RTT (TLS 1. 3): turn on carefully (only idempotent GET).
Pinning: only 'public-key pinning via TSP/Key continuity' in applications/mobiles (not hard HPKP).
mTLS: within the perimeter/between services and partners; SAN qualification.

5. 3 gRPC/HTTP/QUIC

gRPC transmits Deadline and metadata - check and limit per-try timeout.
HTTP/3 (QUIC) accelerates first-byte; check WAF/balancer compatibility.

6) mTLS and service mash

SPIFFE/SPIRE or mesh-CA for automatic issuance of short certificates (7-30 days).
Politicians: who speaks to whom (SVID→SVID), authZ at the L7 level.
Rotation - transparent; revoke via trust-bundle updates.

7) Performance and operation

AES-NI: on servers with support - AES-GCM faster. On mobile/old CPUs - ChaCha20-Poly1305.
TLS tuning: short keys with PFS, but within reasonable limits (P-256/25519); handshake cache.
Batching: minimize small queries; TLS-overhead is proportional to the number of connections.
Offload: TLS on the perimeter (Envoy/NGINX), inside - mTLS in mesh.

8) Secret and log policies

Secrets only in KMS/Vault; in Kubernetes - encryption etcd + KMS provider.
Log barring: keys/tokens/PAN/secrets; masking.
Snapshots/dumps: encrypt and restrict access; monitor key accesses.

9) Configs and examples

9. 1 NGINX (TLS strict profile)

nginx ssl_protocols TLSv1. 2 TLSv1. 3;
ssl_prefer_server_ciphers on;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;
ssl_ecdh_curve X25519:P-256;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

9. 2 Envoy (mTLS to upstream, pseudo)

yaml transport_socket:
name: envoy. transport_sockets. tls typed_config:
common_tls_context:
tls_params:
tls_minimum_protocol_version: TLSv1_2 tls_certificate_sds_secret_configs:
- name: service_cert # client certificate validation_context_sds_secret_config:
name: mesh_ca_bundle # trusted roots

9. 3 Example of using AEAD (pseudo)

pseudo nonce = random(12)
ciphertext, tag = AES256_GCM. encrypt(key=DEK, nonce, aad=tenant    object_id, plaintext)
store(nonce    ciphertext    tag)

10) Rotation and revoked keys

JWKS/' kid 'for JWT; short 'exp'.
Lists' jti '/' sid'for revoking tokens with TTL.
Secrets of HMAC (webhooks): active + canary; reception by both before the deadline.
TLS: T-30/T-7/T-1 alerts, automatic renewal, secure canary.

11) Observability and alerts

Метрики: `tls_handshake_fail_total{reason}`, `tls_version_share`, `cipher_share`, `ocsp_stapling_errors`, `kms_ops_total{op}`, `decrypt_fail_total`, `jwks_kid_share`.
Access logs: protocol/version/cipher (without secrets).
Alerts: expiring certificates, surge 'bad _ record _ mac', growth of "untrusted chains," unsuccessful decryptions.

12) Specifics of iGaming/Finance

PAN-safe streams: tokenization, token-only storage; PAN - at PSP/token store.
PCI DSS: encryption of cardholder data, restricting access to keys, crypto transaction log, network segmentation.
Regionality: Keys and data in the player's region (latency/sovereignty).
Backoffice: mTLS + SSO, short sessions, FIDO2 for admins.

13) Antipatterns

TLS < 1. 2; allowed weak ciphers/RC4/3DES.
Common "eternal" secrets and keys without rotation and 'kid'.
Repeat IV/nonce in GCM (fatal to security).
Logs with secrets/keys/pan data.
Only TDE without encryption of sensitive fields.
HPKP-pinning in prod (risk of "self-locking").
0-RTT on write/non-idempotent queries.

14) Prod Readiness Checklist

  • Data classification and encryption policy (per-class).
  • AEAD (AES-GCM/ChaCha20-Poly1305); unique nonce; Password Argon2id.
  • Envelope encryption: DEK per object/tenant; KEK в KMS/HSM.
  • TLS 1. 2+/1. 3, HSTS, OCSP stapling; a reasonable set of ciphers.
  • mTLS inside; automatic issuance/rotation of short certificates.
  • JWKS/' kid ', short' exp ', lists' jti '; rotation of secrets/serts with overlap.
  • Backups and logs are encrypted; accesses and operations are audited.
  • Dashboards/alerts as per TLS/KMS/JWKS; degradation tests and canary.
  • Documentation: incident procedures (key/cert compromise).

15) TL; DR

Encrypt everywhere: in the channel - TLS 1. 3/1. 2 with PFS and strict perimeter; inside - mTLS. At rest - envelope (DEK/KEK) with keys in KMS/HSM, granularly encrypt sensitive fields. Manage keys via 'kid '/JWKS and regular overlapping rotation, store crypto transaction logs. Choose AES-GCM (or ChaCha20-Poly1305), do not reuse nonce, encrypt backups/logs. For iGaming/PAN, tokenization and PCI-conscious segmentation.

Contact

Get in Touch

Reach out with any questions or support needs.We are always ready to help!

Telegram
@Gamble_GC
Start Integration

Email is required. Telegram or WhatsApp — optional.

Your Name optional
Email optional
Subject optional
Message optional
Telegram optional
@
If you include Telegram — we will reply there as well, in addition to Email.
WhatsApp optional
Format: +country code and number (e.g., +380XXXXXXXXX).

By clicking this button, you agree to data processing.