EasyWarrant

Encryption

FIPS 140-3 compliant encryption for all CJI in transit and at rest.

FIPS 140-2 Sunset — September 21, 2026

CJIS Security Policy v6.0 requires FIPS 140-3 validated modules. FIPS 140-2 is not acceptable after September 21, 2026. EasyWarrant uses only FIPS 140-3 modules.

In Transit — SC-8, SC-13

All CJI transmitted by EasyWarrant uses FIPS 140-3 validated cryptography:

  • Standard: FIPS 140-3 certified cryptographic module
  • Algorithm: AES (FIPS 197) — minimum 128-bit symmetric key
  • Signaling: TLS 1.3 (TLS 1.2 minimum per CJIS policy)
  • Media streams: DTLS-SRTP — AES for media, DTLS for key exchange
  • Guarantee: No plaintext CJI on any external network at any point

At Rest — SC-28

  • Algorithm: AES-256 (FIPS 197) with FIPS 140-3 validated module
  • Storage: Azure Blob Storage Government with SSE + CMK
  • Database: Azure PostgreSQL transparent data encryption with CMK
  • Jurisdiction: US / US territories only — no foreign datacenters
  • Metadata: CJI metadata is protected identically to CJI content

Key Management — SC-12

Each agency's data is encrypted under a customer-managed key (CMK) stored in Azure Key Vault (HSM-backed, FIPS 140-3). The agency controls:

  • Key generation — performed in the HSM; key material never leaves the HSM in plaintext
  • Key rotation — agency-initiated; previous key version retained for decryption of existing data
  • Key revocation — agency may revoke access at any time; renders all encrypted data inaccessible
  • Key destruction — agency-controlled; performed in the HSM per NIST SP 800-57

Video Encryption

Live video sessions use WebRTC with DTLS-SRTP enforced:

  • DTLS handshake establishes session keys at session start
  • SRTP protects media using AES-128-CTR (minimum)
  • Session keys are ephemeral — generated per session, destroyed on termination
  • Certificate fingerprints verified at handshake to prevent MitM attacks (SC-23)
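One way to check that a session description actually enforces the DTLS-SRTP properties listed above, as an added example that is not EasyWarrant's or any vendor's code: it flags media sections without a DTLS-keyed transport, any SDES `a=crypto` keying, and missing or weak certificate fingerprints. The `auditSdp` name, the sample SDPs and the SHA-2-only fingerprint rule are assumptions made for the example; the check says nothing about whether the underlying crypto module is FIPS validated.

```javascript
// Added example (hypothetical helper): audit an SDP for DTLS-SRTP-only keying.
const DIGEST_BYTES = new Map([["sha-256", 32], ["sha-384", 48], ["sha-512", 64]]);

function auditSdp(sdp) {
  const findings = [];
  const sessionAttrs = [];
  const media = [];
  let current = null;
  for (const line of sdp.split(/\r?\n/).map((l) => l.trim())) {
    if (line.startsWith("m=")) {
      const [kind, port, proto] = line.slice(2).split(" ");
      current = { kind, port: Number(port), proto, attrs: [] };
      media.push(current);
    } else if (line.startsWith("a=")) {
      (current ? current.attrs : sessionAttrs).push(line.slice(2));
    }
  }
  if (media.length === 0) findings.push("no media sections");
  for (const m of media) {
    if (m.port === 0) continue; // port 0 = rejected section, carries no media
    const attrs = sessionAttrs.concat(m.attrs); // session-level attributes apply to every section
    // Secure RTP keyed by DTLS (RFC 5764), or a DTLS-protected data channel.
    if (!/^(UDP|TCP)\/TLS\/RTP\/SAVPF?$|^((UDP|TCP)\/)?DTLS\/SCTP$/.test(m.proto)) {
      findings.push(`m=${m.kind}: transport ${m.proto} is not DTLS-protected`);
    }
    // SDES carries SRTP keys inside the signaling; DTLS-SRTP must be the only keying.
    if (attrs.some((a) => a.startsWith("crypto:"))) {
      findings.push(`m=${m.kind}: SDES a=crypto key present`);
    }
    const fps = attrs.filter((a) => a.startsWith("fingerprint:"));
    if (fps.length === 0) findings.push(`m=${m.kind}: no certificate fingerprint`);
    for (const fp of fps) {
      const [hash, digest = ""] = fp.slice("fingerprint:".length).split(" ");
      const want = DIGEST_BYTES.get(hash.toLowerCase()); // undefined for sha-1, md5, ...
      const ok = want && new RegExp(`^([0-9A-Fa-f]{2}:){${want - 1}}[0-9A-Fa-f]{2}$`).test(digest);
      if (!ok) findings.push(`m=${m.kind}: weak or malformed fingerprint (${hash})`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample SDPs (not captured traffic); FP is a dummy 32-byte digest.
const FP = Array.from({ length: 32 }, (_, i) => i.toString(16).padStart(2, "0").toUpperCase()).join(":");
const GOOD_SDP = ["v=0", "o=- 1 1 IN IP4 0.0.0.0", "s=-", "t=0 0",
  `a=fingerprint:sha-256 ${FP}`, "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=setup:actpass",
  "m=video 9 UDP/TLS/RTP/SAVPF 96", "a=setup:actpass"].join("\r\n");
const BAD_SDP = ["v=0", "o=- 1 1 IN IP4 0.0.0.0", "s=-", "t=0 0",
  "m=audio 9 RTP/SAVPF 111", "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER",
  "m=video 9 RTP/AVP 96"].join("\r\n");
```

Run `auditSdp` over the offer and answer captured from a test session; an empty `findings` list means the signaling negotiates DTLS-SRTP only.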

Open-Source WebRTC Note

WebRTC uses DTLS-SRTP natively, but most open-source WebRTC implementations do not use FIPS 140-3 validated crypto modules by default. EasyWarrant uses Twilio Video or Daily.co — both of which provide CJIS BAAs and validated implementations. Do not assume FIPS compliance from any WebRTC implementation without explicit validation.