# Security
Arcan is designed with defense-in-depth. Every layer — encryption, authentication, authorization, transport, and audit — is enforced by default with no opt-out.
## Encryption at Rest
All secrets are encrypted with AES-256-GCM before being written to the database. Encryption keys are derived using HKDF-SHA256 (RFC 5869) from a master key that is managed separately from the data store. The master key supports integration with external KMS providers (AWS KMS, Azure Key Vault, GCP Cloud KMS, HashiCorp Vault Transit) for production deployments.
## TLS Everywhere
TLS is required in all deployment modes — there is no insecure mode. On first startup, Arcan auto-generates an internal Certificate Authority and a server certificate. Production deployments can provide their own certificates.
Minimum TLS version: 1.2.
## Authentication
Arcan supports multiple authentication methods:
- API tokens — persistent tokens with configurable scopes and expiry
- JWT — short-lived tokens from login
- SSO — OIDC (Google, Okta, Azure AD, Auth0, Keycloak), SAML 2.0 (Okta, Azure AD, ADFS, OneLogin), LDAP (Active Directory, OpenLDAP, FreeIPA)
All tokens are stored as SHA-256 hashes. Plaintext tokens are never persisted.
## Access Control (RBAC)
Three built-in roles, scoped per realm:
| Role | Capabilities |
|---|---|
| admin | Full access — secrets, realms, policies, audit, tokens |
| member | Read and write secrets, view audit |
| viewer | Read-only access to secrets and audit |
The realm creator is automatically admin. Policy middleware evaluates permissions on every request.
## Plugin Signing
All plugin packages are verified with Ed25519 digital signatures before loading. Unsigned or tampered packages are rejected — there is no override. The verification includes both signature validation and SHA-256 checksum verification.
## Plugin Sandbox
Plugins run in an isolated sandbox. They cannot access the network, filesystem, or core memory directly. All interactions happen through declared host functions with capability-based access control.
## Audit Trail
Every secret access, authentication event, and policy change is logged with:
- Actor identity
- Timestamp (UTC)
- Action performed
- Client IP address
- Realm context
Audit events can be forwarded in real time to external SIEM platforms (Splunk, Microsoft Sentinel, Elastic, CrowdStrike, Datadog, Palo Alto Cortex, Google Chronicle, Syslog, Webhook, File).
## Compliance
Arcan's security controls support compliance with:
- SOC 2 — encryption, access control, audit logging
- ISO 27001 — information security management
- HIPAA — protected health information encryption
- PCI-DSS — cardholder data protection
- GDPR — data protection and access controls
Users are responsible for validating compliance for their specific deployment and regulatory requirements.
## Security Assessments
For detailed security architecture documentation — including key hierarchy, threat model, and implementation details — contact security@getarcan.dev. We provide comprehensive security documentation to organizations evaluating Arcan for production deployment.
## Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly to security@getarcan.dev. Do not open a public GitHub issue for security vulnerabilities.