CBDDC/docs/features/secure-peer-transport.md

# Feature: Secure Peer Transport

## Purpose and Business Outcome

Protect replicated data in transit with authenticated and encrypted peer communication.

## Scope and Non-Goals

Scope:

- Secure handshake and key establishment.
- Message confidentiality and integrity controls.

Non-goals:

- Data-at-rest encryption.
- Full identity and certificate lifecycle management.

## User and System Workflows

1. Operator enables secure transport components.
2. Peers perform handshake and establish session keys.
3. Replication traffic is encrypted/authenticated.
4. Health and logs expose secure mode status.

## Interfaces, APIs, and Events Involved

- `IPeerHandshakeService` / secure handshake implementation
- Network pipeline message encryption and HMAC validation
- Startup configuration for secure mode

## Permissions and Data Handling

- Secret material (`AuthToken`, key inputs) must be restricted to authorized operators.
- Logs must avoid plaintext secret disclosure.

## Dependencies and Failure Modes

Dependencies:

- Consistent security mode across peers
- Valid runtime cryptographic dependencies

Failure modes:

- Secure/plaintext mode mismatch
- Handshake failure due to key/token mismatch

## Monitoring, Alerts, and Troubleshooting Pointers

- Alert on repeated handshake failures.
- Use [Runbook](../runbook.md) for incident triage and [Troubleshooting](../troubleshooting.md) for remediation.

## Rollout and Change Considerations

- Enable secure mode in staging first.
- Roll production nodes in controlled order to avoid mixed-mode partitions.

## Validation and Testability Guidance

- Add tests for secure-to-secure success and mixed-mode rejection.
- Validate encrypted cluster startup and sync with production-like load.

## Related Security Controls

- [Security](../security.md)
- [Access and Permissions](../access.md)