bin-there-done-that/documents/genesishosting/security/security-encryption-standards.md

# Encryption Standards

Encryption is applied to all data in transit and at rest across Genesis Hosting Technologies infrastructure.

## In Transit

- HTTPS via TLS 1.3 (minimum TLS 1.2 for legacy fallback)
- SFTP for all file transfers
- SSH for all administrative access
- rclone with TLS for object storage replication

## At Rest

- ZFS encryption on backup pools
- PostgreSQL encryption at the database or filesystem level
- WHMCS and DirectAdmin credentials hashed and salted
- Backups encrypted with AES-256 before remote transfer

## Key Management

- SSH keys rotated every 6 months
- Let's Encrypt certs auto-renew every 90 days
- Master encryption keys stored offline and version-controlled
Auto-commit from giteapush.sh at 2025-05-09 16:35:15 2025-05-09 16:35:15 -04:00			`# Encryption Standards`

			`Encryption is applied to all data in transit and at rest across Genesis Hosting Technologies infrastructure.`

			`## In Transit`

			`- HTTPS via TLS 1.3 (minimum TLS 1.2 for legacy fallback)`
			`- SFTP for all file transfers`
			`- SSH for all administrative access`
			`- rclone with TLS for object storage replication`

			`## At Rest`

			`- ZFS encryption on backup pools`
			`- PostgreSQL encryption at the database or filesystem level`
			`- WHMCS and DirectAdmin credentials hashed and salted`
			`- Backups encrypted with AES-256 before remote transfer`

			`## Key Management`

			`- SSH keys rotated every 6 months`
			`- Let's Encrypt certs auto-renew every 90 days`
			`- Master encryption keys stored offline and version-controlled`