Policy Management
Aegis provides comprehensive policy management for quantum-safe cryptographic configurations across your infrastructure.
Policy Structure
Policies define cryptographic requirements for three components:
- Aegis: TLS gateway and connection handling
- Somnus: Data encryption and key management
- Logos: Application-level cryptography
Policy Format
{
"compliance_standard": "SOC2 Type II",
"aegis": {
"pq_ready": ["TLS_KYBER768_P256_SHA256"],
"preferred": ["TLS_AES_256_GCM_SHA384"],
"fallback_acceptable": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
"prohibited": ["TLS 1.0", "TLS 1.1", "SSL V2", "SSL V3"]
},
"somnus": {
"pq_ready": ["Kyber-768 + AES-KWP"],
"preferred": ["XChaCha20-Poly1305", "AES-GCM-SIV-256"],
"fallback_acceptable": ["AES-256-CBC + HMAC-SHA256/512"],
"prohibited": ["AES-ECB", "DES", "3DES", "RC4"]
},
"logos": {
"pq_ready": ["Kyber-768 + AES-KWP (DEK/Field Key Wrap)"],
"preferred": ["XChaCha20-Poly1305", "AES-GCM-SIV-256"],
"fallback_acceptable": ["AES-256-CBC + HMAC-SHA256/512"],
"prohibited": ["RSA-PKCS#1 v1.5", "AES-ECB", "HMAC-MD5"]
}
}
Built-in Policy Templates
SOC2 Type II
Enterprise security controls with post-quantum readiness.
PCI DSS 4.0
Payment card industry data security standard.
HIPAA/HITRUST
Healthcare data protection requirements.
GDPR
European privacy regulation compliance.
Creating Custom Policies
Using the CLI
export AEGIS_CONTROL_PLANE_URL="https://axis.velikey.com"
export AEGIS_SESSION_TOKEN="<nextauth_session_token>"
# Read current policies
aegis policy list
# Show one policy
aegis policy show <policy_id>
Note
Hosted policy creation/apply is currently performed in the Axis dashboard.
The CLI policy create and policy template commands are not yet available against hosted Axis write routes.
Using the Web Console
- Navigate to Policy Management
- Click "Create Policy"
- Choose template or create custom
- Configure algorithm preferences
- Save and deploy
Policy Enforcement
Policies are enforced at multiple levels:
- TLS Handshake: Cipher suite selection
- Key Exchange: Algorithm preference
- Data Encryption: Symmetric cipher choice
- Digital Signatures: Signature algorithm selection
Post-Quantum Migration
Aegis supports gradual migration to post-quantum cryptography:
- Phase 1: Add PQ algorithms to "pq_ready"
- Phase 2: Move to "preferred" as support improves
- Phase 3: Add classical algorithms to "prohibited"
Hybrid Mode
Combine classical and post-quantum algorithms:
Best Practices
- Test policies in staging before production
- Monitor compliance through dashboards
- Version policies for rollback capability
- Document changes for audit trails