Skip to content

Policy Management

Aegis provides comprehensive policy management for quantum-safe cryptographic configurations across your infrastructure.

Policy Structure

Policies define cryptographic requirements for three components:

  • Aegis: TLS gateway and connection handling
  • Somnus: Data encryption and key management
  • Logos: Application-level cryptography

Policy Format

{
  "compliance_standard": "SOC2 Type II",
  "aegis": {
    "pq_ready": ["TLS_KYBER768_P256_SHA256"],
    "preferred": ["TLS_AES_256_GCM_SHA384"],
    "fallback_acceptable": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
    "prohibited": ["TLS 1.0", "TLS 1.1", "SSL V2", "SSL V3"]
  },
  "somnus": {
    "pq_ready": ["Kyber-768 + AES-KWP"],
    "preferred": ["XChaCha20-Poly1305", "AES-GCM-SIV-256"],
    "fallback_acceptable": ["AES-256-CBC + HMAC-SHA256/512"],
    "prohibited": ["AES-ECB", "DES", "3DES", "RC4"]
  },
  "logos": {
    "pq_ready": ["Kyber-768 + AES-KWP (DEK/Field Key Wrap)"],
    "preferred": ["XChaCha20-Poly1305", "AES-GCM-SIV-256"],
    "fallback_acceptable": ["AES-256-CBC + HMAC-SHA256/512"],
    "prohibited": ["RSA-PKCS#1 v1.5", "AES-ECB", "HMAC-MD5"]
  }
}

Built-in Policy Templates

SOC2 Type II

Enterprise security controls with post-quantum readiness.

PCI DSS 4.0

Payment card industry data security standard.

HIPAA/HITRUST

Healthcare data protection requirements.

GDPR

European privacy regulation compliance.

Creating Custom Policies

Using the CLI

export AEGIS_CONTROL_PLANE_URL="https://axis.velikey.com"
export AEGIS_SESSION_TOKEN="<nextauth_session_token>"

# Read current policies
aegis policy list

# Show one policy
aegis policy show <policy_id>

Note

Hosted policy creation/apply is currently performed in the Axis dashboard. The CLI policy create and policy template commands are not yet available against hosted Axis write routes.

Using the Web Console

  1. Navigate to Policy Management
  2. Click "Create Policy"
  3. Choose template or create custom
  4. Configure algorithm preferences
  5. Save and deploy

Policy Enforcement

Policies are enforced at multiple levels:

  • TLS Handshake: Cipher suite selection
  • Key Exchange: Algorithm preference
  • Data Encryption: Symmetric cipher choice
  • Digital Signatures: Signature algorithm selection

Post-Quantum Migration

Aegis supports gradual migration to post-quantum cryptography:

  1. Phase 1: Add PQ algorithms to "pq_ready"
  2. Phase 2: Move to "preferred" as support improves
  3. Phase 3: Add classical algorithms to "prohibited"

Hybrid Mode

Combine classical and post-quantum algorithms:

{
  "aegis": {
    "pq_ready": ["TLS_KYBER768_X25519_SHA256"],
    "hybrid_mode": true
  }
}

Best Practices

  • Test policies in staging before production
  • Monitor compliance through dashboards
  • Version policies for rollback capability
  • Document changes for audit trails