Security & Encryption

How Sumo protects your wallet keys with enterprise-grade encryption.

Sumo takes wallet security seriously. Your seed phrases and private keys are protected with multiple layers of encryption, and never exist in plaintext in the application database.

Encryption Architecture

Envelope Encryption

Sumo uses envelope encryption — a two-layer encryption scheme:

  1. Data Encryption Key (DEK) — Each seed/key is encrypted with its own unique AES-256-GCM key
  2. Key Encryption Key (KEK) — The DEK is itself encrypted with a master key stored in a hardware security module (HSM) or Kubernetes secret

This means that even if the database is compromised, the encrypted seeds are useless to an attacker without the KEK, which is stored outside the database.

AES-256-GCM

All encryption uses AES-256-GCM, which provides:

  • 256-bit key length
  • Authenticated encryption (tamper detection)
  • Unique nonce per encryption operation
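
The two-layer scheme and the AES-256-GCM properties described above, as an added example in Node.js; this is not Sumo's code. Assumptions of the example: the KEK is a local 32-byte buffer standing in for a key held in an HSM, Vault or KMS, the organization ID is bound to each record as GCM associated data, and the function names and the nonce/tag/ciphertext blob layout are hypothetical.

```javascript
// Added example: envelope encryption with AES-256-GCM (not Sumo's code).
const crypto = require("node:crypto");

// AES-256-GCM seal: returns nonce || tag || ciphertext. A fresh random
// 96-bit nonce is drawn per call; reusing a nonce under one key breaks GCM.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Inverse of seal; throws if the key, the AAD, or any byte of the blob is wrong.
function open(key, blob, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Encrypt one seed: a fresh DEK per seed, with the DEK wrapped under the KEK.
// Using orgId as AAD is an assumption here; it ties the record to one tenant.
function encryptSeed(kek, orgId, seed) {
  const aad = Buffer.from(orgId, "utf8");
  const dek = crypto.randomBytes(32);
  const record = { orgId, wrappedDek: seal(kek, dek, aad), ciphertext: seal(dek, seed, aad) };
  dek.fill(0); // best-effort wipe; only the wrapped DEK is kept
  return record;
}

// Unwrap the DEK with the KEK, then decrypt the seed in memory only.
function decryptSeed(kek, orgId, record) {
  const aad = Buffer.from(orgId, "utf8");
  const dek = open(kek, record.wrappedDek, aad);
  try { return open(dek, record.ciphertext, aad); } finally { dek.fill(0); }
}

// True if decryption is refused (wrong KEK, wrong tenant, or tampering).
function rejects(kek, orgId, record) {
  try { decryptSeed(kek, orgId, record); return false; } catch { return true; }
}
```

A stored record contains only `orgId`, `wrappedDek` and `ciphertext`; without the KEK neither blob can be opened, and a single flipped bit or a different `orgId` makes decryption throw instead of returning altered data.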

Key Storage

  • Seed phrases and private keys — Encrypted at rest in the database, never in plaintext
  • Master keys (KEK) — Stored in HashiCorp Vault, AWS KMS, or Kubernetes secrets — never in the application database
  • Transaction signing — Handled by a dedicated Rust signing service that decrypts keys only in memory for the duration of signing

Signing Service

Transaction signing runs in a separate, isolated Rust service. This service:

  • Decrypts keys only in memory, only when needed
  • Signs transactions and immediately discards the plaintext key
  • Runs as a separate process with restricted network access
  • Never exposes private keys to the main application

Zero Plaintext Storage

At no point do plaintext private keys or seed phrases exist in Sumo's application database, logs, or API responses. Keys are decrypted only in the signing service's memory for the brief moment needed to sign a transaction.

Multi-Tenant Isolation

Each organization's wallets and seeds are cryptographically isolated:

  • Seeds are scoped to the organization that created them
  • Cross-organization access is enforced at the database, API, and encryption layers
