By: Prashant Mehta, 10/16/2025
Introduction
Encryption is by far one of the most sensitive parts of our stack. It is what lets our technology be safe, secure, and reliable. At the center of our encryption stack is a piece of software called Vault. Vault was created by HashiCorp to allow large infrastructure stacks to remain secure by encrypting keys and only unsealing them to provide temporary keys to our other pods and services, allowing them to access and authenticate with the external services and clients we serve. Of course, internal authentication still exists, which is why we require our system to be deployed on Kubernetes.
Anatomy of Anton
A single physical node will have an isolated VM, connected to the API servers only via virtual NICs that have no internet connectivity. This ensures that each physical node has its own authentication service and that authentication is hardware-based. GCP decryption of databases still depends on the kube-apiserver allowing GCP to access an active physical cluster that we own. Without that, GCP cannot decrypt any Postgres data, ensuring that production data always stays in our control for the safety of us, our partners, and our customers.
Anton’s TPM chip will be passed through to the hardened, isolated VM, and the clusters will be able to request that the TPM seal and unseal our encrypted key backend, Raft. Raft will store all of the sensitive data in Vault, and Vault will be our interface for accessing and managing these distributed keys. Again, without the TPM’s approval this entire stack fails, leaving attackers unable to expose sensitive keys. Keys will also be rotated by software services, ensuring that no key is ever exposed directly to any human. This lets the components of our stack communicate with each other continuously, without manual intervention and without concern about security faults or social engineering tricks.
Helm Installations
Within our vault/ namespace, we must install Vault and Raft via Helm and operate them at separate DNS addresses in Calico. According to HashiCorp, this can be done like so:
helm repo add hashicorp https://helm.releases.hashicorp.com
helm search repo hashicorp/vault
# Verify output
# Replace 0.xx.x with a chart version listed by the search above
helm install vault hashicorp/vault --namespace vault --version 0.xx.x
# Potentially use an override-values.yaml; reference the docs for this
Obviously this is a pretty bare installation, and it requires a lot more nuance in configuring the DNS and appropriate connectivity. This document will be updated as we approach that point.
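A possible override-values.yaml for the install above, as an added example rather than this project's or HashiCorp's own file: it turns on the chart's HA mode with Raft integrated storage and serves the listener over TLS. The Secret name vault-server-tls, the 10Gi volume size and the replica count are assumptions, and the seal configuration is left out because this page does not specify it.

```yaml
# override-values.yaml (added example; names and sizes below are assumptions)
global:
  tlsDisable: false              # chart builds https:// addresses for probes and peers

server:
  # Assumption: a Secret named "vault-server-tls" in the vault namespace
  # holds tls.crt, tls.key and ca.crt for the server pods.
  volumes:
    - name: tls
      secret:
        secretName: vault-server-tls
  volumeMounts:
    - name: tls
      mountPath: /vault/userconfig/tls
      readOnly: true
  extraEnvironmentVars:
    VAULT_CACERT: /vault/userconfig/tls/ca.crt   # lets the in-pod CLI verify the listener

  dataStorage:
    enabled: true
    size: 10Gi                   # constructed sample size for the Raft data volume

  ha:
    enabled: true
    replicas: 3                  # odd count so Raft keeps quorum if one pod is lost
    raft:
      enabled: true              # integrated storage instead of an external backend
      config: |
        ui = false

        listener "tcp" {
          address         = "[::]:8200"
          cluster_address = "[::]:8201"
          tls_cert_file   = "/vault/userconfig/tls/tls.crt"
          tls_key_file    = "/vault/userconfig/tls/tls.key"
        }

        storage "raft" {
          path = "/vault/data"
        }

        service_registration "kubernetes" {}
```

Pass the file to the install with `-f override-values.yaml`; the pods start sealed and uninitialized until the unseal mechanism is configured.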