Last reviewed against v0.9.0
source: internal/kmsadmin/kmsadmin.go::ScheduleDeletion, app.go::SpaceProvisionKMS

Cryptographic erasure
Enterprise-tier per-Space CMK. Schedule deletion via kms:ScheduleKeyDeletion with a 7–30-day pending window. After the window, every ciphertext encrypted under that CMK is permanently unrecoverable.
On Enterprise, each Space has its own customer-managed KMS CMK (spaces.kms_key_arn).
Provisioning
App.SpaceProvisionKMS calls kms:CreateKey and kms:CreateAlias to mint a new CMK and tag it to the Space.
Erasure
Offboarding calls App.SpaceScheduleKMSDeletion → kmsadmin.ScheduleDeletion → kms:ScheduleKeyDeletion with a 30-day pending window (configurable 7–30 days).
After the pending window elapses:
- Every ciphertext encrypted under that CMK is permanently unrecoverable
- The data still exists in DDB
- No key exists to decrypt it, and nobody can recover one: not you, not ShellYard, not AWS
This is the audit primitive every MSP compliance review eventually asks for.
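As an added example (not ShellYard's own code), the erasure step in Go with the two checks a reviewer would want: the pending window is validated against the KMS-enforced 7–30-day range before the call, and the key is confirmed to be in PendingDeletion afterwards so the recorded deletion date is trustworthy. It assumes a hypothetical KMSClient interface standing in for the real aws-sdk-go-v2 client, plus a constructed in-memory fake so it runs offline.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// KMSClient is a hypothetical narrow interface over the two KMS calls the erasure path needs; production code would wrap aws-sdk-go-v2's kms.Client.
type KMSClient interface {
	ScheduleKeyDeletion(ctx context.Context, keyID string, pendingDays int32) (time.Time, error)
	KeyState(ctx context.Context, keyID string) (string, error)
}

const minPendingDays, maxPendingDays = 7, 30 // KMS bounds on PendingWindowInDays
// ScheduleDeletion validates the window, schedules the CMK for deletion and
// confirms the key is PendingDeletion before returning the unrecoverability date.
func ScheduleDeletion(ctx context.Context, c KMSClient, keyARN string, pendingDays int32) (time.Time, error) {
	if pendingDays < minPendingDays || pendingDays > maxPendingDays {
		return time.Time{}, fmt.Errorf("pending window %d days outside %d-%d", pendingDays, minPendingDays, maxPendingDays)
	}
	deleteAt, err := c.ScheduleKeyDeletion(ctx, keyARN, pendingDays)
	if err != nil {
		return time.Time{}, fmt.Errorf("ScheduleKeyDeletion %s: %w", keyARN, err)
	}
	if state, err := c.KeyState(ctx, keyARN); err != nil || state != "PendingDeletion" {
		return time.Time{}, fmt.Errorf("key %s not PendingDeletion after scheduling (state=%q, err=%v)", keyARN, state, err)
	}
	return deleteAt, nil // every ciphertext under keyARN is unrecoverable after this instant
}

// fakeKMS is a constructed in-memory stand-in for the KMS API so the example runs offline.
type fakeKMS struct {
	states map[string]string // keyARN -> KeyState; an absent key does not exist
	now    time.Time
}

func (f *fakeKMS) ScheduleKeyDeletion(_ context.Context, keyID string, days int32) (time.Time, error) {
	if f.states[keyID] == "" {
		return time.Time{}, fmt.Errorf("NotFoundException: %s", keyID)
	}
	f.states[keyID] = "PendingDeletion"
	return f.now.Add(time.Duration(days) * 24 * time.Hour), nil
}
func (f *fakeKMS) KeyState(_ context.Context, keyID string) (string, error) { return f.states[keyID], nil }

func main() { // constructed sample ARN, not a real account
	kms := &fakeKMS{states: map[string]string{"arn:aws:kms:us-east-1:000000000000:key/space-1": "Enabled"}, now: time.Now()}
	fmt.Println(ScheduleDeletion(context.Background(), kms, "arn:aws:kms:us-east-1:000000000000:key/space-1", 30))
}
```

Recording the returned date next to the Space's offboarding entry gives the compliance reviewer the exact instant after which the DDB rows became unreadable.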