# Encryption

> Encryption at rest and in transit for Noxus deployments

Noxus deployments should enforce encryption in two domains:

* at rest (database, cache, storage, secrets)
* in transit (client traffic and service-to-service traffic)

## At-Rest Encryption

* PostgreSQL storage encryption (managed DB encryption or encrypted volumes)
* Redis encryption where supported by your managed/runtime option
* object storage encryption for cold storage buckets/containers
* encrypted secret backends for credentials and keys

## In-Transit Encryption

* TLS 1.2+ for all public endpoints
* internal service encryption where required by policy
* encrypted links to managed Postgres/Redis when available

```mermaid
flowchart LR
  U[Client] -- TLS --> IN[Ingress / Proxy]
  IN -- TLS --> FE[Noxus Frontend]
  IN -- TLS --> BE[Noxus Backend]
  BE -- TLS --> PG[(PostgreSQL)]
  BE -- TLS --> RD[(Redis)]
  BE -- TLS --> CS[(Cold Storage)]
```
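
One way to check the backend links in the diagram before rollout is to audit the connection URLs in the deployment configuration. The script below is an added example, not part of Noxus; the variable names `DATABASE_URL`, `REDIS_URL` and `COLD_STORAGE_ENDPOINT` and the hosts are hypothetical. It relies on libpq's `sslmode` values and on the `rediss://` scheme that Redis clients use for TLS.

```python
from urllib.parse import urlsplit, parse_qs

# libpq sslmode values that guarantee an encrypted session.
PG_ENCRYPTED = {"require", "verify-ca", "verify-full"}

# Constructed sample; the variable names and hosts are hypothetical.
SAMPLE = {
    "DATABASE_URL": "postgresql://noxus@db.example.internal:5432/noxus?sslmode=prefer",
    "REDIS_URL": "redis://cache.example.internal:6379/0",
    "COLD_STORAGE_ENDPOINT": "https://objects.example.internal",
}

def audit_url(name, url):
    """Return (level, name, message) findings for one backend URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme in ("postgres", "postgresql"):
        # libpq defaults to sslmode=prefer, which can fall back to plaintext.
        mode = parse_qs(parts.query).get("sslmode", ["prefer"])[-1]
        if mode not in PG_ENCRYPTED:
            return [("FAIL", name, f"sslmode={mode} does not guarantee TLS")]
        if mode != "verify-full":
            return [("WARN", name,
                     f"sslmode={mode} encrypts but does not verify the server hostname")]
        return []
    if scheme == "redis":
        return [("FAIL", name, "redis:// is plaintext; use rediss://")]
    if scheme == "http":
        return [("FAIL", name, "http:// is plaintext; use https://")]
    if scheme in ("rediss", "https"):
        return []
    return [("WARN", name, f"unrecognised scheme {scheme!r}; check manually")]

def audit(config):
    """Audit every URL in a {name: url} mapping."""
    findings = []
    for name, url in config.items():
        findings.extend(audit_url(name, url))
    return findings

if __name__ == "__main__":
    for level, name, message in audit(SAMPLE):
        print(f"{level} {name}: {message}")
```

A PostgreSQL URL with no `sslmode` parameter is reported as a failure because the client default permits an unencrypted fallback.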

## Key Management

* use dedicated secret managers or encrypted K8s secret workflows
* rotate encryption/signing keys on a defined schedule
* keep key access restricted to least-privilege identities

<Warning>
  Treat key rotation and backup decryption testing as mandatory operational controls.
</Warning>

<Card title="Best Practices" icon="shield" href="/deployment/security/best-practices">
  Deployment hardening checklist and operational controls
</Card>
