Security & Encryption

LogFlux implements enterprise-grade security with mandatory end-to-end encryption, ensuring your log data is protected at every stage of its lifecycle.

Security Architecture

Mandatory Encryption

All log payloads must be encrypted before transmission to LogFlux. This is not optional - unencrypted payloads are rejected by the API.

Application → SDK/Client → [Encrypted Payload] → [TLS Transport] → LogFlux API
                 ↓                                      ↓
          AES-256-GCM + PBKDF2                    TLS 1.2+
          (600,000 iterations)                    Certificate Validation

Cryptographic Standards

Current Encryption Standard: AES256-GCM_PBKDF2-SHA256-600K

LogFlux uses state-of-the-art encryption that exceeds OWASP 2023+ recommendations:

Encryption Implementation

Our SDKs handle encryption automatically:

1
2
3
4
5
6
7
8

// JavaScript SDK Example
const logflux = require('@logflux/logflux-js-sdk');

// Initialize with your encryption secret
logflux.init('https://c12345.ingest.us.logflux.io', 'my-app', 'lf_your_api_key', 'your-encryption-secret');

// Log a message - encryption happens automatically
await logflux.info('User login successful'); // This is encrypted before transmission

What Gets Sent to LogFlux

1
2
3
4
5
6
7
8
9

{
  "node": "app-server-01",
  "payload": "YWJjZGVmZ2hpams...base64-encrypted-data...",
  "loglevel": 7,
  "timestamp": "2024-01-17T10:30:45Z",
  "encryption_mode": 1,
  "iv": "dGVzdGl2MTIzNDU2",
  "salt": "c2FsdDMyYnl0ZXNsb25nZm9ya2V5ZGVyaXZhdGlvbg=="
}

Encryption Process Details

1. Unique Salt Generation: Each log entry gets a cryptographically random 32-byte salt
2. Key Derivation: Your secret + salt → 600,000 rounds of PBKDF2-SHA256 → 256-bit key
3. Unique IV Generation: Each log entry gets a cryptographically random 12-byte IV
4. Authenticated Encryption: AES-256-GCM encrypts and authenticates your log data
5. Base64 Encoding: Binary data is encoded for JSON transport

Why 600,000 Iterations?

• OWASP 2023+ Recommendation: Latest security standards for PBKDF2
• Brute Force Protection: Makes password cracking computationally expensive
• Future Proof: Exceeds current minimum requirements
• Performance Optimized: SDKs cache derived keys for efficiency

Transport Security

HTTPS/TLS Requirements

All communication with LogFlux uses modern TLS:

• Minimum TLS Version: 1.2 (TLS 1.3 preferred)
• Certificate Validation: Required (no self-signed certificates)
• Cipher Suites: Only strong, forward-secret ciphers
• HSTS: Enforced with 1-year max-age

API Authentication

1
2
3

POST https://c12345.ingest.us.logflux.io/v1/ingest
Authorization: Bearer lf_your_api_key_here
Content-Type: application/json

API Key Format: lf_ prefix + 32 alphanumeric characters

Data Protection

What We Protect

Self-Contained Encryption

Each log entry contains everything needed for decryption:

• Salt: For key derivation (unique per entry)
• IV: For AES-GCM initialization (unique per entry)
• Encrypted Payload: Your actual log data + authentication tag

This means:

• ✅ You can decrypt your own data anytime with your secret
• ✅ Each log entry is independently encrypted
• ✅ No key reuse between log entries
• ❌ LogFlux cannot decrypt your data (we never have your secret)

Rate Limiting & DDoS Protection

Current Limits

Rate Limit Headers

1
2
3

X-RateLimit-Limit: 600
X-RateLimit-Remaining: 599
X-RateLimit-Reset: 1705493445

Security Best Practices

1. Secure Your Encryption Secret

1
2
3
4
5

# Good: Use environment variables
export LOGFLUX_SECRET="your-strong-secret-here"

# Better: Use a secrets management service
aws secretsmanager get-secret-value --secret-id logflux-secret

2. Never Log Sensitive Data

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

// ✅ Good: Log sanitized data
logflux.info(JSON.stringify({
  event: 'user_login',
  user_id: user.id,
  ip: request.ip
}));

// ❌ Bad: Never log secrets or PII
logflux.info(JSON.stringify({
  password: user.password,      // NEVER!
  credit_card: user.card_number, // NEVER!
  ssn: user.social_security     // NEVER!
}));

3. Use Different Secrets Per Environment

1
2
3
4
5
6
7
8
9

// Production
const prodClient = new LogFluxClient({
  secret: process.env.LOGFLUX_SECRET_PROD
});

// Staging  
const stagingClient = new LogFluxClient({
  secret: process.env.LOGFLUX_SECRET_STAGING
});

4. Implement Key Rotation

Regular secret rotation improves security:

1. Generate new secret
2. Update application configuration
3. New logs use new secret automatically
4. Old logs remain readable with old secret

Compliance & Standards

Cryptographic Compliance

• NIST Approved: AES-256-GCM is NIST approved
• FIPS 140-2: Uses FIPS-validated cryptographic modules
• OWASP 2023+: Exceeds latest PBKDF2 recommendations
• Common Criteria: Algorithm implementations are certified

Regulatory Compliance

Advanced Security Features

Future Encryption Modes

The encryption_mode field allows future algorithm upgrades:

Cross-SDK Compatibility

All LogFlux SDKs use identical encryption:

• Data encrypted by Python SDK can be read by Go SDK
• JavaScript encrypted logs work with Java SDK
• Complete interoperability across all platforms

Performance Optimization

Despite 600,000 PBKDF2 iterations, our SDKs remain fast:

• Key Caching: Derived keys are cached (not recomputed per log)
• Async Processing: Encryption doesn’t block your application
• Batch Support: Efficiently encrypt multiple logs

Security Monitoring

What We Monitor

• API key usage patterns
• Rate limit violations
• Invalid payload attempts
• Unusual traffic patterns
• Failed authentication attempts

Security Alerts

Configure alerts for:

• Approaching rate limits
• Repeated authentication failures
• Unusual API usage patterns
• Large payload attempts

Emergency Procedures

Suspected API Key Compromise

1. Immediately: Generate new API key in dashboard
2. Update: Deploy new key to all applications
3. Revoke: Disable compromised key
4. Review: Check logs for unauthorized access

Encryption Secret Compromise

1. Generate: Create new encryption secret
2. Update: Configure applications with new secret
3. Note: Old logs remain encrypted with old secret
4. Future: New logs use new encryption

Technical Reference

SDK Encryption Example (Python)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

import base64
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def encrypt_log(message, secret):
    # Generate random salt and IV
    salt = os.urandom(32)
    iv = os.urandom(12)
    
    # Derive key using PBKDF2
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=salt,
        iterations=600000
    )
    key = kdf.derive(secret.encode())
    
    # Encrypt using AES-256-GCM
    cipher = Cipher(algorithms.AES(key), modes.GCM(iv))
    encryptor = cipher.encryptor()
    ciphertext = encryptor.update(message.encode()) + encryptor.finalize()
    
    # Return base64-encoded values
    return {
        'payload': base64.b64encode(ciphertext + encryptor.tag).decode(),
        'iv': base64.b64encode(iv).decode(),
        'salt': base64.b64encode(salt).decode()
    }

Security Headers

All LogFlux API responses include:

1
2
3
4
5

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'none'

Support

For security-related questions or to report vulnerabilities:

• Email: security@logflux.io
• Documentation: docs.logflux.io
• Status: status.logflux.io

Remember: LogFlux provides strong encryption for your logs, but security is a shared responsibility. Always use strong secrets, never log sensitive data, and keep your SDKs updated.