dsec: Decisions & Security

Security Model

| Layer | Protection |
| --- | --- |
| At Rest | GPG encryption (gopass), FUSE encryption (gocryptfs) |
| In Memory | Environment variables, cleared on shell exit |
| In Transit | HTTPS for Vault, SSH for git sync |
| Access | GPG key required, Vault token/AppRole |
| Audit | Git history for gopass, Vault audit log |