What encryption does LogFlux use?

LogFlux uses AES-256-GCM for log payload encryption and RSA-4096 with OAEP-SHA256 for key exchange. All data in transit is protected by TLS 1.3. Encryption keys are generated and controlled entirely by the customer.

Can LogFlux read my log data?

No. LogFlux uses a zero-knowledge architecture. Logs are encrypted on your infrastructure before transmission, and LogFlux never has access to your encryption keys or plaintext data. Only you can decrypt your logs.

How does zero-knowledge logging work?

Your application encrypts logs locally with AES-256-GCM using keys you control. LogFlux stores and indexes the encrypted data without ever decrypting it. When you query logs, decryption happens client-side in your own tools.

Is LogFlux compliant with GDPR and HIPAA?

Yes. The zero-knowledge architecture means LogFlux never processes plaintext personal data, which simplifies GDPR compliance. Client-side encryption meets HIPAA requirements for protected health information in log data.

LogFlux Security and Encryption

LogFlux implements a zero-knowledge, end-to-end encryption architecture that ensures your log data is protected at every stage of its lifecycle. The service never has access to plaintext data, and all decryption happens client-side.

The service operator has no technical ability to decrypt stored data. Where traditional logging platforms encrypt server-side and control the keys, LogFlux encrypts client-side – keys never leave your infrastructure. Your log data stays private by design, not by policy.

Zero-Knowledge Architecture

LogFlux follows a zero-knowledge encryption model where:

Clients generate and manage RSA key pairs locally
Service stores only RSA public keys and encrypted AES keys
Service never decrypts any data (payloads or AES keys)
Decryption happens only client-side in LogFlux Clients

Security Flow

1. Setup Phase (One-time)

Customer generates RSA-4096 key pair locally
Customer uploads public key to LogFlux Dashboard
Customer keeps private key secure (never transmitted)

2. Session Establishment

LogFlux Agent requests handshake with API key
LogFlux Backend returns customer’s public key + limits
Agent generates random AES-256 key locally
Agent encrypts AES key with customer’s public key (RSA-OAEP-SHA256)
Agent sends encrypted AES key to Backend
Backend stores encrypted AES key (cannot decrypt it) and returns key_id

3. Log Transmission

Applications send logs to LogFlux Agent
Agent encrypts each log with AES-256-GCM + unique nonce
Agent transmits encrypted logs to Backend over TLS 1.3
Backend stores encrypted logs with key_id reference

4. Log Analysis

LogFlux Clients retrieve encrypted logs from Backend
Clients use customer’s private key to decrypt AES keys
Clients decrypt log payloads locally for analysis
Zero-knowledge: Backend never sees plaintext data

Cryptographic Standards

Current Encryption Standard: RSA-OAEP + AES-256-GCM

LogFlux uses a hybrid cryptographic system that exceeds industry standards:

RSA Key Exchange

Component	Specification
Algorithm	RSA-OAEP with SHA-256
Key Size	4096 bits minimum
Padding	OAEP with SHA-256
Purpose	Secure exchange of AES symmetric keys

AES-256-GCM Encryption

Component	Specification
Cipher	AES-256 in Galois/Counter Mode (GCM)
Key Size	256 bits (32 bytes)
Key Generation	Cryptographically secure random
Nonce Size	96 bits (12 bytes)
Auth Tag	128 bits (16 bytes) included with ciphertext
Key Lifetime	Session-based (until client restart or key rotation)

Handshake and Encryption Process

The LogFlux Agent handles RSA key exchange to establish secure AES encryption with the LogFlux Backend:

1. Key Pair Generation and Registration

Customer generates RSA key pair (done once per customer)
Public key is registered through LogFlux Dashboard

2. Handshake Process

LogFlux Agent initiates handshake to exchange AES key
Agent generates random 256-bit AES key
Agent encrypts AES key with RSA-OAEP-SHA256
Agent completes handshake and receives key_id for future log entries

3. Log Encryption Flow

Applications send logs to LogFlux Agent (via SDKs or direct integration)
LogFlux Agent encrypts log messages with established AES key
Agent sends encrypted logs to LogFlux Backend
All encryption/decryption happens on customer infrastructure

What Gets Sent to LogFlux

After completing the handshake, all log entries are sent using multipart/mixed format with the established AES key. Each MIME part carries raw binary ciphertext with metadata in headers:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
POST /v1/ingest HTTP/1.1
Authorization: Bearer eu-lf_your_api_key_here
Content-Type: multipart/mixed; boundary=logflux

--logflux
X-LF-Entry-Type: 1
X-LF-Payload-Type: 1
X-LF-Key-ID: 7f8a9b0c-1d2e-3f4a-5b6c-7d8e9f0a1b2c
X-LF-Nonce: YWJjZGVmZ2hpamts
X-LF-Timestamp: 2025-01-20T14:30:45.123Z

<raw binary AES-GCM ciphertext>
--logflux--

MIME Header Fields (per part):

X-LF-Key-ID: UUID referencing the AES key from handshake completion (required for types 1-6)
X-LF-Nonce: Base64-encoded 12-byte nonce for AES-GCM initialization (required for types 1-6)
X-LF-Entry-Type: 1=log (default), 2=metric, 3=trace, 4=event, 5=audit, 6=telemetry, 7=telemetry_managed
X-LF-Payload-Type: 1=aes256-gcm-gzip-json (default for types 1-6), 2=aes256-gcm-zstd-json, 3=gzip-json (type 7 only), 4=zstd-json (type 7 only)
X-LF-Timestamp: RFC3339 format (optional, defaults to current time)
X-LF-Search-Tokens: Comma-separated HMAC tokens for searchable fields (optional)

Part Body: Raw binary ciphertext (no base64 encoding needed, eliminating 33% overhead)

Supports 1-1000 parts per request, unifying single and batch ingestion into one endpoint.

Note: JSON ingestion (application/json) and the standalone batch endpoint (POST /v1/batch) are deprecated. Use multipart/mixed for all new integrations.

Encryption Process Details

Complete Flow

RSA Key Pair Generation: Customer generates 4096-bit RSA key pair locally
Public Key Registration: Customer uploads public key to LogFlux through Dashboard (one-time setup)
Handshake Initiation: Agent authenticates with API key and requests handshake via /v1/handshake/init
Public Key Retrieval: LogFlux Backend returns customer’s RSA public key + ingestion limits
AES Key Generation: Agent generates random 256-bit AES key locally
AES Key Encryption: Agent encrypts AES key with RSA-OAEP-SHA256 using retrieved public key
Handshake Completion: Agent sends encrypted AES key via /v1/handshake/complete
Session Key Storage: LogFlux Backend stores encrypted AES key AS-IS (never decrypts), returns key_id UUID

Per-Log Encryption (by LogFlux Agent)

Log Reception: Agent receives logs from applications via SDKs or direct integration
Unique Nonce Generation: Agent generates cryptographically random 12-byte nonce per entry
Log Compression: Optional compression of log data before encryption
AES-256-GCM Encryption: Agent encrypts compressed log data with session AES key
Binary Structure: Agent combines nonce + encrypted data + authentication tag
Multipart Transmission: Agent sends raw binary ciphertext via multipart/mixed with metadata in MIME headers (no base64 encoding needed, eliminating 33% overhead)

Key Benefits

No Key Derivation Overhead: AES keys are pre-generated and cached
Hardware Acceleration: AES-GCM is optimized on modern processors
Zero-Knowledge: Service stores encrypted AES keys but cannot decrypt them
High Performance: Minimal crypto operations per log entry after handshake

Transport Security

HTTPS/TLS Requirements

All communication with LogFlux uses modern TLS:

Minimum TLS Version: 1.2 (TLS 1.3 preferred)
Certificate Validation: Required (no self-signed certificates)
Cipher Suites: Only strong, forward-secret ciphers

API Authentication

LogFlux uses two credential types for different services:

Credential	Format	Service	Purpose
API Key	`{region}-lf_<key>`	Ingestor (`*.ingest.{region}.logflux.io`)	Log ingestion + encryption handshake
PAT	`{region}-lf_usr_<token>`	Backend (`*.inspect.{region}.logflux.io`)	Log queries + management

Ingestion (Agent/SDKs use API Keys):

1
2
3
POST https://api.ingest.eu.logflux.io/v1/ingest
Authorization: Bearer eu-lf_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Content-Type: multipart/mixed; boundary=logflux

Queries (CLI/Grafana use PATs):

1
2
GET https://api.inspect.eu.logflux.io/v1/logs
Authorization: Bearer eu-lf_usr_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6

See Authentication Setup for complete details on credential types.

Data Protection

What We Protect

Data Type	Protection Level
Log Payloads	Encrypted client-side - All log content, metadata, levels, node names, etc.
Timestamps	Not encrypted - Used for time-based queries and indexing
Entry Types	Not encrypted - Used for categorization and routing (1-7). Types 1-6 use E2E encryption (AES-256-GCM), type 7 uses server-side encryption (S3 SSE-KMS)
Nonce	Not encrypted - Required for decryption, unique per entry
Key ID	Not encrypted - References which encryption key was used

Everything else is encrypted: All actual log data, including log messages, log levels, node names, metadata, and any application-specific information is encrypted within the payload and cannot be read by LogFlux.

Self-Contained Encryption

Each log entry contains everything needed for decryption:

Nonce: For AES-GCM initialization (unique per entry)
Encrypted Payload: Your actual log data + authentication tag
Key ID: References the AES key used for encryption

This means:

You can decrypt your own data anytime with your RSA private key
Each log entry is independently encrypted with unique nonces
No nonce reuse between log entries
LogFlux cannot decrypt your data (we never have your private key)

Rate Limiting & DDoS Protection

Dynamic Rate Limits

Rate limits are configured per customer and communicated through response headers and discovery endpoints:

Default: 600 requests/minute per customer
Burst: 100 requests
Configurable: Limits can be adjusted based on your subscription plan
Batch Support: Maximum 1000 entries per batch request

Rate Limit Headers

1
2
3
4
X-RateLimit-Limit: 600
X-RateLimit-Remaining: 599
X-RateLimit-Reset: 1705493445
Retry-After: 30

Request Size Limits

Max payload size: 1 MiB per log entry (after base64 decoding)
Max request size: ~1 MiB total HTTP request size
Max batch size: 1000 entries per batch request

Security Best Practices

1. RSA Private Key Security

1
2
3
4
5
6
7
# Store RSA private keys securely
# Good: Use OS keychain/keystore
security add-generic-password -s "logflux" -a "rsa-private-key" -w "$(cat private_key.pem)"

# Better: Use hardware security modules (HSM)
# Or dedicated key management services
aws kms create-key --description "LogFlux RSA Key"

2. Key Registration and Management

1
2
3
// Register public key through LogFlux Dashboard (one-time setup)
// Store private key securely on client systems
const privateKey = loadFromSecureStorage('logflux-rsa-private-key');

3. Never Log Sensitive Data

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
// Good: Log sanitized data
logflux.info(JSON.stringify({
  event: 'user_login',
  user_id: user.id,
  ip: request.ip
}));

// Bad: Never log secrets or PII
logflux.info(JSON.stringify({
  password: user.password,      // NEVER!
  credit_card: user.card_number, // NEVER!
  ssn: user.social_security     // NEVER!
}));

4. Use Different Key Pairs Per Environment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
// Production - uses production RSA key pair
const prodClient = new LogFluxClient({
  apiKey: process.env.LOGFLUX_API_KEY_PROD,
  privateKeyPath: '/secure/prod-private-key.pem'
});

// Staging - uses staging RSA key pair
const stagingClient = new LogFluxClient({
  apiKey: process.env.LOGFLUX_API_KEY_STAGING,
  privateKeyPath: '/secure/staging-private-key.pem'
});

5. Implement Key Rotation

Regular key rotation improves security:

Generate new RSA key pair
Register new public key in LogFlux Dashboard
Update client applications with new private key
New sessions use new key pair automatically
Old logs remain readable with previous private key
Deactivate old keys after migration period

Compliance & Standards

Cryptographic Standards Support

LogFlux uses industry-standard cryptographic implementations to support your compliance requirements:

NIST Approved: AES-256-GCM is NIST approved
FIPS 140-2: Uses Go’s crypto package implementations which are FIPS-validated
OWASP 2023+: Meets latest cryptographic recommendations
Common Criteria: Algorithm implementations are certified

Regulatory Compliance Support

LogFlux’s zero-knowledge architecture helps you meet various compliance requirements:

Standard	How LogFlux Supports Your Compliance
GDPR	Client-side encryption ensures data minimization and privacy by design
HIPAA	Encryption standards exceed Safe Harbor requirements for PHI protection
PCI DSS	Prevents cardholder data exposure in logs through encryption
SOC 2	Provides encryption controls for security frameworks
ISO 27001	Supports cryptographic key management requirements

Note: LogFlux is not independently audited for these compliance standards. The platform provides technical capabilities to support your compliance efforts, but you remain responsible for your overall compliance posture.

Advanced Security Features

Future Encryption Modes

The encryption_mode field allows future algorithm upgrades:

Mode	Algorithm	Status
1	RSA-OAEP + AES256-GCM	Current Standard
2	ECDH-P256 + AES256-GCM	Future Option
3	X25519 + ChaCha20-Poly1305	Future Option
4	Post-Quantum + AES256-GCM	Future Option

Cross-SDK Compatibility

All LogFlux SDKs use identical encryption:

Data encrypted by Python SDK can be read by Go SDK
JavaScript encrypted logs work with Java SDK
Complete interoperability across all platforms

Performance Optimization

Our RSA + AES hybrid system provides excellent performance:

Session Key Caching: AES keys are cached after handshake (no per-log key derivation)
Hardware Acceleration: AES-GCM is optimized on modern processors
Async Processing: Encryption doesn’t block your application
Batch Support: Efficiently encrypt multiple logs with the same session key

Security Monitoring

What We Monitor

API key usage patterns
Rate limit violations
Invalid payload attempts
Unusual traffic patterns
Failed authentication attempts

Security Alerts

Configure alerts for:

Approaching rate limits
Repeated authentication failures
Unusual API usage patterns
Large payload attempts

Emergency Procedures

Suspected API Key Compromise

Immediately: Generate new API key in dashboard
Update: Deploy new key to all applications
Revoke: Disable compromised key
Review: Check logs for unauthorized access

Encryption Secret Compromise

Generate: Create new encryption secret
Update: Configure applications with new secret
Note: Old logs remain encrypted with old secret
Future: New logs use new encryption

Support

For security-related questions or to report vulnerabilities:

Email: security@logflux.io
Documentation: docs.logflux.io

Remember: LogFlux provides strong encryption for your logs, but security is a shared responsibility. Always use strong secrets, never log sensitive data, and keep your SDKs updated.