Encryption Overview

Rubric implements defense-in-depth encryption to protect sensitive healthcare data throughout its lifecycle. Our encryption architecture meets or exceeds requirements for HIPAA, HITRUST, and SOC 2 compliance.

At-Rest Encryption

AES-256-GCM encryption for all stored data including databases, files, and backups.

In-Transit Encryption

TLS 1.3 for all network communications with certificate pinning support.

Key Management

AWS KMS integration with customer-managed key (CMK) options available.

Key Rotation

Automatic annual key rotation with on-demand rotation capabilities.

Encryption at Rest

All data stored in Rubric is encrypted at rest using AES-256-GCM, the gold standard for symmetric encryption. This includes primary databases, file storage, caches, and backup systems.

Data Storage Encryption

| Storage Type | Encryption | Key Management | Notes |
|---|---|---|---|
| Primary Database (PostgreSQL) | AES-256-GCM | AWS KMS | Transparent data encryption (TDE) |
| Document Storage (S3) | AES-256-GCM | AWS KMS / SSE-S3 | Server-side encryption with CMK option |
| Audio Files | AES-256-GCM | AWS KMS | Encrypted before upload, double-encrypted at rest |
| DICOM Studies | AES-256-GCM | AWS KMS | Per-study encryption keys |
| Search Index (OpenSearch) | AES-256 | AWS KMS | Encrypted index and logs |
| Cache (Redis) | AES-256-GCM | AWS KMS | Encrypted in-memory and persistence |
| Backups | AES-256-GCM | AWS KMS | Cross-region encrypted backups |

Database Encryption Configuration

encryption_config.py

```python
from rubric import Rubric
from rubric.security import EncryptionConfig

client = Rubric()

# View current encryption configuration
encryption_status = client.security.encryption.status()

print(f"At-Rest Encryption: {encryption_status.at_rest.enabled}")
print(f"Algorithm: {encryption_status.at_rest.algorithm}")
print(f"Key Provider: {encryption_status.at_rest.key_provider}")
print(f"Key ID: {encryption_status.at_rest.key_id}")
print(f"Last Rotation: {encryption_status.at_rest.last_rotation}")

# Output:
# At-Rest Encryption: True
# Algorithm: AES-256-GCM
# Key Provider: AWS_KMS
# Key ID: arn:aws:kms:us-east-1:123456789:key/abc-123...
# Last Rotation: 2024-01-15T00:00:00Z
```

Envelope Encryption: Rubric uses envelope encryption where data encryption keys (DEKs) are encrypted by a master key (KEK) stored in AWS KMS. This allows efficient key rotation without re-encrypting all data.
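
The callout above describes envelope encryption in two sentences. The following added example (not Rubric's code or SDK) shows the mechanics end to end with the third-party `cryptography` package and an in-memory stand-in for the KMS master key: a fresh DEK per record, AES-256-GCM for the data, the DEK wrapped under the current KEK version, and a rotation that re-wraps only the DEK while the bulk ciphertext is reused byte for byte. It also shows why the troubleshooting advice to "use previous key version" works: the stand-in keeps every KEK version, so a record wrapped before rotation still decrypts. The `SimulatedKms` class, the `EnvelopeRecord` layout, the associated-data label and the sample plaintext are all assumptions of this example, not part of Rubric's implementation.

```python
"""Envelope encryption with version-aware KEK rotation (added example, not Rubric code).

Requires the `cryptography` package. The KMS below is a constructed stand-in:
it holds every KEK version so DEKs wrapped under an older version still unwrap.
"""
import os
from dataclasses import dataclass

from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class SimulatedKms:
    """Stand-in for a KMS master key (assumption: like AWS KMS, old backing
    keys are retained after rotation so existing wrapped DEKs remain usable)."""

    def __init__(self) -> None:
        self._versions: dict[int, bytes] = {1: AESGCM.generate_key(bit_length=256)}
        self.current_version = 1

    def rotate(self) -> int:
        """Create a new KEK version; nothing already encrypted is touched."""
        self.current_version += 1
        self._versions[self.current_version] = AESGCM.generate_key(bit_length=256)
        return self.current_version

    def wrap(self, dek: bytes) -> tuple[int, bytes]:
        """Encrypt a DEK under the current KEK -> (kek_version, nonce || ciphertext)."""
        nonce = os.urandom(12)
        kek = self._versions[self.current_version]
        return self.current_version, nonce + AESGCM(kek).encrypt(nonce, dek, b"dek-wrap")

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        if version not in self._versions:
            raise KeyError(f"KEK version {version} is not available")
        return AESGCM(self._versions[version]).decrypt(wrapped[:12], wrapped[12:], b"dek-wrap")


@dataclass
class EnvelopeRecord:
    """What gets stored next to the data: which KEK version wrapped the DEK,
    the wrapped DEK itself, and the AES-256-GCM nonce and ciphertext."""
    kek_version: int
    wrapped_dek: bytes
    nonce: bytes
    ciphertext: bytes


def encrypt_record(kms: SimulatedKms, plaintext: bytes, aad: bytes) -> EnvelopeRecord:
    dek = AESGCM.generate_key(bit_length=256)       # one DEK per record
    nonce = os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, aad)
    version, wrapped = kms.wrap(dek)
    return EnvelopeRecord(version, wrapped, nonce, ciphertext)


def decrypt_record(kms: SimulatedKms, rec: EnvelopeRecord, aad: bytes) -> bytes:
    dek = kms.unwrap(rec.kek_version, rec.wrapped_dek)  # uses the recorded version
    return AESGCM(dek).decrypt(rec.nonce, rec.ciphertext, aad)


def rewrap_record(kms: SimulatedKms, rec: EnvelopeRecord) -> EnvelopeRecord:
    """Move a record to the current KEK version. Only the small wrapped DEK
    changes; the bulk ciphertext is reused as-is."""
    dek = kms.unwrap(rec.kek_version, rec.wrapped_dek)
    version, wrapped = kms.wrap(dek)
    return EnvelopeRecord(version, wrapped, rec.nonce, rec.ciphertext)


def demo() -> dict:
    kms = SimulatedKms()
    aad = b"patient-record:12345"          # constructed: binds ciphertext to its record id
    rec = encrypt_record(kms, b"PHI: blood type O-", aad)
    kms.rotate()                           # new KEK version; the old record still decrypts
    readable_during_rotation = decrypt_record(kms, rec, aad)
    moved = rewrap_record(kms, rec)        # lazy or batch re-wrap after rotation
    return {
        "old_version": rec.kek_version,
        "new_version": moved.kek_version,
        "ciphertext_unchanged": moved.ciphertext == rec.ciphertext,
        "plaintext": decrypt_record(kms, moved, aad),
        "readable_during_rotation": readable_during_rotation,
    }


if __name__ == "__main__":
    print(demo())
```

Because the associated data is passed to both `encrypt` and `decrypt`, a record's ciphertext cannot be silently swapped into a different record id; GCM's tag check fails instead. The re-wrap step is what makes annual or on-demand rotation cheap: it touches a few dozen bytes per record rather than the record itself.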

Encryption in Transit

All data transmitted to and from Rubric is protected using TLS 1.3 encryption. We enforce strong cipher suites and support certificate pinning for additional security.

TLS Configuration

| Parameter | Value | Notes |
|---|---|---|
| Protocol Version | TLS 1.3 (TLS 1.2 minimum) | TLS 1.0/1.1 disabled |
| Cipher Suites | TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 | AEAD ciphers only |
| Key Exchange | X25519, secp384r1 | Perfect forward secrecy |
| Certificate | RSA 4096-bit / ECDSA P-384 | Extended validation (EV) |
| HSTS | Enabled | max-age=31536000; includeSubDomains |
| Certificate Transparency | Required | All certificates logged to CT |

Certificate Pinning

Enterprise customers can configure certificate pinning to prevent man-in-the-middle attacks:

tls_pinning.py

```python
from rubric import Rubric
from rubric.security import TLSConfig

# Configure certificate pinning
tls_config = TLSConfig(
    # Pin to Rubric's certificate public key
    pin_certificates=[
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="  # Backup pin
    ],

    # Minimum TLS version
    min_version="TLS_1_3",

    # Verify certificate chain
    verify_mode="CERT_REQUIRED"
)

client = Rubric(
    api_key="your-api-key",
    tls_config=tls_config
)
```
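
As an added example (not the Rubric SDK), the following standard-library code shows what a client actually has to do to enforce the TLS table above and the pin list in `TLSConfig`: build an `ssl.SSLContext` with a TLS 1.3 floor and chain verification, pull the SubjectPublicKeyInfo out of the peer's DER certificate, and compare its `sha256/...` pin against a primary and a backup pin. The minimal DER walker, the constructed certificate and the three placeholder public keys are assumptions for the demo. It also illustrates the "Certificate pin mismatch" entry in the troubleshooting table: a renewed certificate that keeps the same key, or one that rotates to the pre-pinned backup key, still passes, while an unpinned key is refused.

```python
"""TLS 1.3 client context and SPKI pin verification (added example, stdlib only).

The certificate built by constructed_cert() is X.509-shaped DER with a dummy
signature; it exists only to exercise the parser offline.
"""
import base64
import hashlib
import ssl


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample certificate)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def spki_from_cert_der(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> [0] version?, serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo and return the whole SPKI TLV."""
    _, cert_body, _ = _tlv(cert_der, 0)
    _, tbs, _ = _tlv(cert_body, 0)
    pos = 0
    tag, _, nxt = _tlv(tbs, 0)
    if tag == 0xA0:                         # EXPLICIT [0] version is optional (absent in v1)
        pos = nxt
    for _ in range(5):                      # serial, signature alg, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    tag, _, end = _tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return tbs[pos:end]


def spki_pin(spki_der: bytes) -> str:
    """Pin format used by pin_certificates above: 'sha256/' + base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def verify_pins(cert_der: bytes, pinned: list[str]) -> bool:
    """Accept the peer only if its public key matches the primary or the backup pin."""
    return spki_pin(spki_from_cert_der(cert_der)) in set(pinned)


def build_client_context() -> ssl.SSLContext:
    """Defaults already give CERT_REQUIRED and hostname checking; add a TLS 1.3 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def _fake_spki(fill: bytes) -> bytes:
    """Constructed Ed25519-shaped SPKI: AlgorithmIdentifier + 32-byte BIT STRING."""
    return _der(0x30, _der(0x30, _der(0x06, b"\x2b\x65\x70")) + _der(0x03, b"\x00" + fill * 32))


def constructed_cert(spki: bytes) -> bytes:
    """Constructed certificate DER around the given SPKI (signature is dummy bytes)."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                  # [0] version v3
        _der(0x02, b"\x01"),                              # serialNumber
        _der(0x30, _der(0x06, b"\x2b\x65\x70")),          # signature algorithm
        _der(0x30, b""),                                  # issuer (empty in the sample)
        _der(0x30, _der(0x18, b"20240101000000Z") * 2),   # validity
        _der(0x30, b""),                                  # subject (empty in the sample)
        spki,
    ]))
    sig_alg = _der(0x30, _der(0x06, b"\x2b\x65\x70"))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 65))


def demo() -> dict:
    spki_a, spki_b, spki_c = _fake_spki(b"\xaa"), _fake_spki(b"\xbb"), _fake_spki(b"\xcc")
    pins = [spki_pin(spki_a), spki_pin(spki_b)]         # primary + backup, as in TLSConfig
    return {
        "current_key_ok": verify_pins(constructed_cert(spki_a), pins),
        "backup_key_ok": verify_pins(constructed_cert(spki_b), pins),
        "unpinned_key_rejected": not verify_pins(constructed_cert(spki_c), pins),
        "min_version": build_client_context().minimum_version.name,
    }


if __name__ == "__main__":
    print(demo())
```

In a real client, wrap the socket with `build_client_context()`, then pass `sock.getpeercert(binary_form=True)` to `verify_pins` and close the connection on a mismatch. Pinning the SPKI rather than the whole certificate is what lets a routine renewal with the same key pass, and keeping the backup pin in place before a key change is what avoids the lock-out the troubleshooting table describes.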

Key Management

Rubric uses AWS Key Management Service (KMS) as the foundation for cryptographic key management. Enterprise customers can bring their own keys (BYOK) or use customer-managed keys (CMK).

Customer-Managed Keys (CMK)

cmk_setup.py

```python
from rubric import Rubric
from rubric.security import KeyManagement

client = Rubric()

# Configure customer-managed key
cmk_config = client.security.keys.configure_cmk(
    # AWS KMS key ARN
    key_arn="arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",

    # Grant Rubric permission to use the key
    grant_operations=[
        "Encrypt",
        "Decrypt",
        "GenerateDataKey",
        "GenerateDataKeyWithoutPlaintext"
    ],

    # Key alias for identification
    alias="rubric-phi-encryption-key",

    # Enable automatic rotation
    auto_rotation=True,
    rotation_period_days=365
)

print(f"CMK configured: {cmk_config.key_id}")
print(f"Status: {cmk_config.status}")
```

Key Access Requirements: When using customer-managed keys, ensure your KMS key policy grants Rubric’s service role the necessary permissions. Loss of key access will prevent data decryption until access is restored.
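
The callout above and the "Key access denied" row in the troubleshooting table both come down to the KMS key policy. The following added example (not Rubric's code) is a small policy linter that reports which of the four operations requested in `configure_cmk` are not granted to the service role. The two policy documents, the account id and the role ARN are constructed placeholders. It evaluates `Principal`, `Action` and `Effect` only (an explicit Deny wins) and ignores `Resource` and `Condition`, so treat a clean result as necessary rather than sufficient.

```python
"""Check a KMS key policy for the grants the service role needs (added example).

Policies, account id and role ARN below are constructed placeholders.
"""
import fnmatch
import json

# The four KMS operations requested by configure_cmk(...) above, as IAM action names.
REQUIRED_ACTIONS = {
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
}

# Placeholder role ARN; the real one comes from Rubric's onboarding material.
RUBRIC_ROLE_ARN = "arn:aws:iam::111122223333:role/rubric-service-role"


def _policy(rubric_actions) -> str:
    """Constructed key policy: account root keeps admin, the service role gets `rubric_actions`."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableRootAdmin", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowRubricServiceRole", "Effect": "Allow",
             "Principal": {"AWS": RUBRIC_ROLE_ARN},
             "Action": rubric_actions, "Resource": "*"},
        ],
    })


# Produces the "Key access denied" symptom: the role may Encrypt/Decrypt but not generate DEKs.
INCOMPLETE_POLICY = _policy(["kms:Encrypt", "kms:Decrypt"])
# Grants everything configure_cmk asks for.
COMPLETE_POLICY = _policy(sorted(REQUIRED_ACTIONS))


def _as_list(value):
    """IAM allows a string or a list in Principal.AWS and Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, role_arn: str) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        return "*" in aws or role_arn in aws
    return False


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively and allow '*' wildcards (e.g. kms:GenerateDataKey*).
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def granted_actions(policy: dict, role_arn: str) -> set:
    """Required actions the role ends up with after Allow statements minus explicit Denies."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _principal_matches(stmt.get("Principal", {}), role_arn):
            continue
        patterns = _as_list(stmt.get("Action", []))
        hits = {a for a in REQUIRED_ACTIONS if any(_action_matches(p, a) for p in patterns)}
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return allowed - denied


def missing_actions(policy_json: str, role_arn: str = RUBRIC_ROLE_ARN) -> list:
    """Sorted list of required actions the policy does not grant to the role."""
    return sorted(REQUIRED_ACTIONS - granted_actions(json.loads(policy_json), role_arn))


if __name__ == "__main__":
    print("incomplete policy is missing:", missing_actions(INCOMPLETE_POLICY))
    print("complete policy is missing:", missing_actions(COMPLETE_POLICY))
```

Run it against the output of `aws kms get-key-policy --policy-name default` for the CMK before enabling it; a non-empty list is the configuration error behind the "Key access denied" symptom, and the same check belongs in the monthly encryption audit the best-practices table recommends.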

Key Rotation

Encryption keys are automatically rotated annually. You can also trigger on-demand rotation:

key_rotation.py

```python
from rubric import Rubric

client = Rubric()

# Check rotation status
rotation_status = client.security.keys.rotation_status()

print(f"Last rotation: {rotation_status.last_rotation}")
print(f"Next scheduled: {rotation_status.next_rotation}")
print(f"Rotation in progress: {rotation_status.rotation_in_progress}")

# Trigger on-demand rotation (requires admin privileges)
rotation_job = client.security.keys.rotate(
    reason="Annual compliance review",
    notify_on_completion=True
)

print(f"Rotation job ID: {rotation_job.id}")
```

Best Practices

| Practice | Description |
|---|---|
| Use Customer-Managed Keys | For maximum control, configure CMK through AWS KMS to maintain key custody. |
| Enable Field-Level Encryption | Apply additional encryption to highly sensitive fields like SSN and MRN. |
| Implement Certificate Pinning | Prevent MITM attacks by pinning to Rubric’s certificates in production. |
| Regular Key Rotation | Enable automatic key rotation and review rotation logs quarterly. |
| Audit Encryption Status | Run encryption audits monthly and before compliance reviews. |
| Monitor TLS Versions | Ensure all clients connect using TLS 1.3; sunset TLS 1.2 when possible. |

Troubleshooting

| Issue | Cause | Solution |
|---|---|---|
| Key access denied | KMS key policy missing Rubric role | Update KMS key policy to grant rubric-service-role permissions |
| TLS handshake failed | Client using outdated TLS version | Update client to support TLS 1.2+ (preferably TLS 1.3) |
| Certificate pin mismatch | Certificate rotated without pin update | Update pinned certificate hashes in client configuration |
| Decryption failed | Key rotation in progress | Wait for rotation to complete or use previous key version |