Layer 5 (L5) - Data Protection Services
Objective
Protect data at rest and in use with services that implement envelope encryption and related patterns using approved algorithms and keys from L7.
Responsibilities
- Provide encryption, decryption, and integrity services for data stores and filesystems
- Offer tokenization, hashing, and anonymization where required by policy
- Integrate with L7 for key generation, rotation, and access control
Common components
- Database or volume encryption features
- Object storage-side encryption and client-side encryption toolchains
- File-level and application-level encryption libraries
Implementation guidance
- Use envelope encryption with data encryption keys wrapped by key encryption keys from L7
- Select AEAD modes for confidentiality and integrity where supported
- Design for automated rekey and data rewrite for rotation events
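The DEK wrap and rewrap steps from the guidance above, as an added example in Go (not code from this page or from any AFIPS reference implementation). It assumes a `cipher.AEAD` built from local key bytes stands in for a KEK handle supplied by L7, and the key ids `kek-v1` and `kek-v2` are constructed; it covers KEK rotation only, and data encryption under the DEK uses the same `Seal` and `Open`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewAEAD builds AES-GCM over a key; assumption: it stands in for a KEK handle from L7.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Seal returns nonce||ciphertext||tag; aad is authenticated, not stored. Open reverses it.
func Seal(k cipher.AEAD, pt, aad []byte) ([]byte, error) {
	nonce := make([]byte, k.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.Seal(nonce, nonce, pt, aad), nil
}

func Open(k cipher.AEAD, ct, aad []byte) ([]byte, error) {
	n := k.NonceSize()
	if len(ct) < n {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return k.Open(nil, ct[:n], ct[n:], aad)
}

// Rewrap serves a KEK rotation: only the wrapped DEK changes, data stays as is.
func Rewrap(wrapped []byte, old cipher.AEAD, oldID string, next cipher.AEAD, nextID string) ([]byte, error) {
	dek, err := Open(old, wrapped, []byte(oldID))
	if err != nil {
		return nil, err
	}
	return Seal(next, dek, []byte(nextID))
}

func main() {
	k1, _ := NewAEAD(make([]byte, 32)) // constructed all-zero KEK, illustration only
	w, _ := Seal(k1, []byte("constructed 32-byte DEK 01234567"), []byte("kek-v1"))
	_, err := Open(k1, w, []byte("kek-v2"))
	fmt.Println("unwrap with wrong KEK id rejected:", err != nil)
}
```

Binding the KEK id as associated data means a wrapped DEK whose stored key id has been relabelled fails to unwrap, which makes an incomplete rewrap visible instead of silent.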
Validation and evidence
- Configurations that show algorithm selection and key sources
- Rotation playbooks and audit logs for key use
- Demonstrations that non-approved algorithms are not available
Common pitfalls
- Relying on default encryption that uses unapproved algorithms
- Mixing application keys and platform keys without a lifecycle plan
- Incomplete rotation and rewrap procedures
Relationship to other AFIPS Layers
| From | To | Why this edge exists | Typical operations | Evidence |
|---|---|---|---|---|
| L7 | L5 | Supply KEKs and rotation signals | DEK wrap or rewrap | Rotation playbooks, wrap counts |
| L5 | L2 | Data services centralize crypto choices | Envelope encryption, HMAC, SHA-2 or SHA-3 | Config pins to provider, algorithm allow list |