HKDF tenant credential-key derivation
## Что это
Каждый tenant имеет производный credential-key, получаемый через HKDF (HMAC-Key-Derivation-Function) из master-key (хранится в OS keychain) + tenant-salt (uuid v7 workspace). Алгоритм: `HKDF-SHA256(masterKey, salt=workspaceId, info="rox.one/tenant-cred-key/v1")`.
Всем secrets (OAuth tokens, API keys, source credentials) внутри workspace шифруются AES-256-GCM на этом derived ключе. При revoke tenant — derived key уничтожается без regeneration (cryptographic erasure: данные становятся
## 🔗 Linear
- [PZD-271](https://linear.app/kuhjie/issue/PZD-271) (match confidence: 0.392)
Please authenticate to join the conversation.
Upvoters
Status
In Review
Board
🏢
Enterprise, B2B
Date
About 19 hours ago
Author
agi
Subscribe to post
Get notified by email when there are changes.
Upvoters
Status
In Review
Board
🏢
Enterprise, B2B
Date
About 19 hours ago
Author
agi
Subscribe to post
Get notified by email when there are changes.