Security
Built so your keys stay yours.
Lumkey is not a zero-knowledge system — it is a controlled-service trust model. Strong storage protection, restricted runtime access, and no casual employee visibility into customer credentials.
How credentials are protected
Ciphertext at rest
Provider credentials are never stored as plaintext. In the SaaS deployment, they are protected using Google Cloud KMS before being persisted. Database access alone is not sufficient to recover them.
Keys shown once
Lumkey wrapped keys are displayed once at creation and stored only as HMAC-SHA256 hashes. If a key is lost, it must be rotated. There is no "retrieve" path.
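As an added illustration (not Lumkey's own code), this Python example shows the show-once pattern described above: the raw key is returned at creation, only its HMAC-SHA256 digest is persisted, and a lost key can only be rotated. The class name, the key format and the in-memory dictionary standing in for a database table are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class WrappedKeyStore:
    """Holds only HMAC-SHA256 digests of issued keys, never the keys."""

    def __init__(self, hmac_key: bytes):
        # Assumption: the HMAC key lives outside the database (e.g. in a
        # secret manager), so a database dump alone cannot test guesses.
        self._hmac_key = hmac_key
        self._digests = {}  # key_id -> hex digest; stands in for a DB table

    def _digest(self, raw_key: str) -> str:
        return hmac.new(self._hmac_key, raw_key.encode(), hashlib.sha256).hexdigest()

    def create(self):
        """Issue a key; the raw value is returned once and not kept."""
        key_id = secrets.token_hex(8)
        raw_key = f"{key_id}.{secrets.token_urlsafe(32)}"  # hypothetical format
        self._digests[key_id] = self._digest(raw_key)
        return key_id, raw_key

    def verify(self, presented: str) -> bool:
        key_id = presented.partition(".")[0]
        # Unknown ids are compared against a dummy so both paths do the same work.
        stored = self._digests.get(key_id, "0" * 64)
        return hmac.compare_digest(stored, self._digest(presented))

    def rotate(self, key_id: str):
        """Lost key: revoke the old digest and issue a replacement."""
        del self._digests[key_id]
        return self.create()

    def stored_rows(self):
        return dict(self._digests)


if __name__ == "__main__":
    store = WrappedKeyStore(secrets.token_bytes(32))  # constructed demo key
    key_id, raw = store.create()
    print("shown once:", raw)
    print("persisted :", store.stored_rows())
    print("verifies  :", store.verify(raw))
    _, replacement = store.rotate(key_id)
    print("old key after rotation:", store.verify(raw))
    print("new key               :", store.verify(replacement))
```

The store has no method that returns a raw key, which is why rotation is the only recovery path when one is lost.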
Management API redaction
The Lumkey dashboard and management API are intentionally designed to never return raw provider keys after creation. No support workflow reveals the underlying credential.
Runtime-only decryption
Provider credentials are only decrypted in process memory when Lumkey makes an authorized upstream provider call. The decrypt path is scoped to the proxy runtime, not dashboard access.
Trust model
Controlled-service, not zero-knowledge.
Lumkey does decrypt customer provider credentials in memory when making approved upstream requests. This is necessary — Lumkey is a working SaaS proxy, not a client-side secret manager.
The trust story is built on strong storage protection, restricted runtime access, least-privilege operational permissions, and the absence of any casual employee path to your provider keys.
Even with database access, Lumkey staff cannot casually browse customer provider keys. The product UI does not reveal them. The management API does not return them. Production access is controlled through narrowly scoped runtime permissions.
Provider credentials stored as ciphertext, not plaintext.
Google Cloud KMS-backed protection in the SaaS deployment.
Lumkey separates wrapped keys, provider credentials, and HDP signing material into distinct trust boundaries.
HMAC-SHA256 wrapped-key hashing — not retrievable plaintext.
Decrypt operations occur only in the proxy runtime.
Secret values sourced through managed secret infrastructure, not the product UI.