Encrypted at rest, keys you control.
Every byte Astry stores is encrypted with AES-256-GCM under a versioned envelope. Traffic moves over TLS (HTTPS). The keys come from your own cloud KMS or, under BYOC, from a key only you hold. Astry never keeps a master key to your data.
What protects the data, at every step.
No bespoke ciphers, no clever shortcuts. Standard, audited primitives, applied where they matter.
- At rest: AES-256-GCM, an authenticated cipher whose tag detects tampering.
- In transit: TLS over HTTPS.
- Envelope: Versioned envelope format, tagged with a key id.
- Key rotation: Rotate through a keyring, with no bulk re-encryption of stored data.
- Key management: Your cloud KMS when Astry is managed, or a key only you hold under BYOC.
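A sketch of how a key-id-tagged envelope lets a keyring rotate without re-encrypting stored records. This is an added example, not Astry's code or wire format: the byte layout, the function names and the use of `randomBytes` in place of a KMS-issued key are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

const VERSION = 1; // constructed version number for this sketch

// Assumed layout: version(1) | keyIdLen(1) | keyId | nonce(12) | tag(16) | ciphertext
function newKeyring(keyId) {
  // randomBytes stands in for a data key obtained from a KMS
  return { active: keyId, keys: new Map([[keyId, nodeCrypto.randomBytes(32)]]) };
}

function rotate(ring, newKeyId) {
  ring.keys.set(newKeyId, nodeCrypto.randomBytes(32)); // old keys stay for reads
  ring.active = newKeyId;                               // new writes use the new key
}

function seal(ring, plaintext) {
  const id = Buffer.from(ring.active, 'utf8');
  if (id.length > 255) throw new Error('key id too long for 1-byte length field');
  const header = Buffer.concat([Buffer.from([VERSION, id.length]), id]);
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce per record
  const c = nodeCrypto.createCipheriv('aes-256-gcm', ring.keys.get(ring.active), nonce);
  c.setAAD(header); // version and key id are covered by the GCM tag
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([header, nonce, c.getAuthTag(), ct]);
}

function parseHeader(env) {
  if (env.length < 2 || env[0] !== VERSION) throw new Error('unsupported envelope version');
  const end = 2 + env[1];
  if (env.length < end + 28) throw new Error('truncated envelope');
  return { end, keyId: env.subarray(2, end).toString('utf8') };
}

function unseal(ring, env) {
  const { end, keyId } = parseHeader(env);
  const key = ring.keys.get(keyId); // the envelope says which key to use
  if (!key) throw new Error('unknown key id: ' + keyId);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, env.subarray(end, end + 12));
  d.setAAD(env.subarray(0, end));
  d.setAuthTag(env.subarray(end + 12, end + 28));
  // final() throws if the header, nonce, tag or ciphertext was altered
  return Buffer.concat([d.update(env.subarray(end + 28)), d.final()]);
}
```

Because the key id travels in the authenticated header, a record sealed before `rotate` still opens afterwards, and swapping the key id on a stored envelope fails the tag check rather than silently selecting another key.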
How the encryption holds.
Each control is independent, and none of them depends on Astry holding your keys.
AES-256-GCM at rest
TLS in transit
Versioned envelope
Rotation without re-encryption
Your KMS, your keys
BYOC, a key only you hold
The vendor never sees your data.
Encryption only matters if the keys, and the data, stay with you. Under BYOC, they do.
Run Astry in your own cloud and it sits entirely on infrastructure you own: your vault, your database, your keys. Astry holds no credentials to that environment, so there is no path for a vendor to reach in and decrypt your data.
The Astry control plane sees only operational metadata: the instance id, the version, uptime, user count, vault size and connector states. It never sees your content, your conversations, your audit records or who your people are.
Good to know.
You do. Keys live in your own cloud KMS or, under BYOC, in a key only you hold. Astry never keeps a master key to your data, and in BYOC it holds no credentials to your cloud at all.
Your data never leaves your cloud.
See how BYOC keeps the keys, the vault and the audit trail inside your own environment, with no credentials handed to a vendor.