Encryption in Transit
All communication between Turen components uses TLS 1.2 or higher:

| Connection | Protocol |
|---|---|
| Agent to Turen Cloud | HTTPS (TLS 1.2+) |
| Dashboard to Turen API | HTTPS (TLS 1.2+) |
| Claude Code to local proxy | HTTP (localhost only, never leaves the machine) |

The local proxy listens on 127.0.0.1 only. LLM traffic between the proxy and Anthropic uses HTTPS.
Encryption at Rest
Session Data
Session recordings are the most sensitive data Turen handles. They are protected with envelope encryption:

- Organization key (DEK) — Each organization has a unique AES-256-GCM Data Encryption Key
- AWS KMS (KEK) — The organization key is itself encrypted by AWS Key Management Service
- Per-session encryption — Each session is encrypted individually with the organization’s DEK

To decrypt a session:

1. Retrieve the encrypted DEK from the database
2. Decrypt it via AWS KMS
3. Use the DEK to decrypt the session data
Agent Credentials
Agent secrets (`as_live_`) are stored on the developer’s machine in a state file encrypted with a machine-bound key. The encryption key is derived from hardware identifiers, so the state file cannot be decrypted on a different machine.
Database
The PostgreSQL database uses encryption at rest provided by the hosting provider (Supabase). All sensitive fields (secrets, keys) are stored as hashed or encrypted values.

Key Management

| Key | Scope | Rotation |
|---|---|---|
| Organization DEK | Per-organization | Managed by Turen |
| AWS KMS KEK | Platform-wide | Automatic (AWS managed) |
| Agent secrets | Per-machine | On-demand via API |
| API keys | Per-key | Manual (create new, revoke old) |