- Algorithm: AES-256-GCM with authenticated encryption
- Key Derivation: HKDF-SHA256 from license key + subject + optional machine binding
- Signature: Ed25519 over metadata + nonce + ciphertext
- AAD: Metadata JSON included as Additional Authenticated Data

`[4-byte BE length][metadata JSON][12-byte nonce][ciphertext][64-byte Ed25519 signature]`

- Signature Verification: Ed25519 strict verification prevents tampering
- Key Zeroization: Sensitive key material zeroized after use (via the `zeroize` crate)
- No Plaintext Leaks: Keys, tokens, and plaintext WASM never logged
- Fail-Closed: Any validation failure returns error; no partial decryption
- WASM Integrity: Magic header (`\0asm`) validated post-decryption
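
A fail-closed parser for the bundle layout above, plus the post-decryption magic check. This is an added example, not the project's own code. It assumes the signed bytes are metadata, nonce and ciphertext concatenated without the length prefix, and that the 16-byte GCM tag is carried inside the ciphertext field.

```rust
// Added example: framing only. Type and function names are hypothetical.
const NONCE_LEN: usize = 12;
const SIG_LEN: usize = 64;
const TAG_LEN: usize = 16; // assumption: the GCM tag travels inside the ciphertext field
const WASM_MAGIC: &[u8] = b"\0asm";

#[derive(Debug, PartialEq)]
pub enum BundleError { Truncated, BadLength }

#[derive(Debug, PartialEq)]
pub struct Bundle<'a> {
    pub metadata: &'a [u8],   // metadata JSON, also passed to AES-GCM as AAD
    pub nonce: &'a [u8],
    pub ciphertext: &'a [u8],
    pub signature: &'a [u8],
    pub signed: &'a [u8],     // assumption: metadata || nonce || ciphertext, prefix excluded
}

/// Split a bundle into its fields. Every length is checked before slicing, so
/// malformed input returns an error and never a partial result (fail-closed).
pub fn parse_bundle<'a>(buf: &'a [u8]) -> Result<Bundle<'a>, BundleError> {
    if buf.len() < 4 { return Err(BundleError::Truncated); }
    let meta_len = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
    let body = &buf[4..];
    let fixed = NONCE_LEN + TAG_LEN + SIG_LEN;
    if body.len() < fixed { return Err(BundleError::Truncated); }
    // meta_len is untrusted: compare it to the remaining bytes without adding to it,
    // so a huge value cannot overflow. Empty metadata cannot be valid JSON.
    if meta_len == 0 || meta_len > body.len() - fixed { return Err(BundleError::BadLength); }
    let sig_at = body.len() - SIG_LEN;
    Ok(Bundle {
        metadata: &body[..meta_len],
        nonce: &body[meta_len..meta_len + NONCE_LEN],
        ciphertext: &body[meta_len + NONCE_LEN..sig_at],
        signature: &body[sig_at..],
        signed: &body[..sig_at],
    })
}

/// Post-decryption integrity check: plaintext must begin with the WASM magic.
pub fn is_wasm(plaintext: &[u8]) -> bool { plaintext.starts_with(WASM_MAGIC) }

fn main() {
    // Constructed sample: metadata "{}", then zero-filled nonce, ciphertext and signature.
    let mut b = vec![0u8, 0, 0, 2, b'{', b'}'];
    b.extend_from_slice(&[0u8; NONCE_LEN + TAG_LEN + SIG_LEN]);
    println!("{:?}", parse_bundle(&b).map(|p| p.signed.len()));
    println!("{}", is_wasm(b"\0asm\x01\0\0\0"));
}
```

A caller would verify the Ed25519 signature over `signed` before attempting decryption, and run `is_wasm` on the plaintext only after AES-GCM authentication succeeds.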
Public keys for signature verification can be rotated via:
- Embedded public key (compile-time, public keys only - private keys never shipped)
- Config override: `config/pro_engine_pubkey.pem`
- Environment variable: `COSTPILOT_PRO_PUBKEY_PATH`
- License key material has sufficient entropy (128+ bits recommended)
- Machine binding (if used) uniquely identifies the authorized host
- Ed25519 public key authenticity verified via separate channel (release signatures, checksum verification)
- WASM bundle encrypted at rest and in transit; decrypted only in-memory
Protected Against:
- Bundle tampering (signature verification)
- Unauthorized decryption (license-bound keys)
- Key reuse attacks (unique nonces per bundle)
- Partial decryption (AAD + integrity checks)
Not Protected Against:
- Memory dumps of running process (plaintext WASM in memory post-decryption)
- Side-channel attacks on AES-GCM implementation (relies on constant-time crypto libraries)
- Compromised license keys (revocation not implemented)
- Rotate Ed25519 signing keys annually
- Use machine binding for enterprise deployments
- Monitor license usage for anomalies
- Implement license revocation for compromised keys (future enhancement)