In Part 1, we implemented Application-Level Envelope Encryption. Our documents are now protected by per-record AES keys, wrapped in user-specific RSA envelopes. But a secure application is more than just secure data: it also needs secure infrastructure.

Under SOC 2, two critical principles often challenge developers:

Log Integrity (Audit Trail): You must prove that security logs are immutable, so that they cannot be tampered with even if the primary database is compromised.

Key Lifecycle Management: You must prove that your encryption keys are rotated and that the compromise of a single key does not result in the compromise of the entire system.

In this deep dive, we will implement Audit Trail Isolation using the Outbox Pattern and a Distributed Key Management Service (KMS) with Master Key Sharding.