Providing Control Over Cache Encryption
BuildBuddy gives customers control over cache encryption by allowing them to provide their own encryption keys. The platform supports keys managed by Google Cloud Platform KMS and Amazon Web Services KMS. The encryption is modeled on Snowflake's Tri-Secret Secure design, in which a composite master key combines customer-supplied and BuildBuddy-maintained keys. This dual-key encryption model, along with built-in user authentication, provides three levels of data protection. Technical details include the use of the HKDF-Expand key derivation function and the XChaCha20-Poly1305 algorithm for cryptographic operations. The encryption design and source code have been audited by a third party.
Company: BuildBuddy
Date published: June 5, 2023
Author(s): Vadim Berezniker
Word count: 330
Hacker News points: None found.
Language: English