Robnu

DEK

Data Encryption Key — the per-seller symmetric key used to encrypt credentials.

DEK stands for Data Encryption Key. In Robnu's architecture, every seller has their own DEK — a 256-bit AES key that's used to encrypt that seller's tokens and credentials.

The DEK itself is encrypted (sealed) with a master key held in AWS KMS. When Robnu needs to decrypt a token, it sends the sealed DEK to KMS, KMS unseals it, and the unsealed DEK lives in memory just long enough to decrypt the token — never on disk.

The DEK-per-seller model means rotation is easy (rotate one seller's DEK without touching others) and blast radius is small (compromise one DEK, you've compromised one seller's tokens, not all sellers').
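The seal, unseal, decrypt and rotate flow described above, as an added example (not Robnu's code). Assumptions: `LocalKms` is a local stand-in for AWS KMS, AES-256-GCM with the seller id as associated data is an illustrative choice, and all function names are hypothetical.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM; blob layout: iv (12 bytes) || tag (16 bytes) || ciphertext.
function gcmEncrypt(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function gcmDecrypt(key, blob, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

// Assumption: local stand-in for AWS KMS; the master key never leaves this object.
class LocalKms {
  #master = crypto.randomBytes(32);
  seal(dek) { return gcmEncrypt(this.#master, dek, Buffer.from("dek")); }
  unseal(sealed) { return gcmDecrypt(this.#master, sealed, Buffer.from("dek")); }
}

// Create a seller record holding only the sealed form of a fresh 256-bit DEK.
function newSeller(kms, id) {
  const dek = crypto.randomBytes(32);
  try { return { id, sealedDek: kms.seal(dek) }; } finally { dek.fill(0); }
}
// Unseal the DEK, use it, then zero the buffer (best effort in a GC'd runtime).
function withDek(kms, seller, fn) {
  const dek = kms.unseal(seller.sealedDek);
  try { return fn(dek); } finally { dek.fill(0); }
}
function encryptToken(kms, seller, token) {
  return withDek(kms, seller, (dek) => gcmEncrypt(dek, Buffer.from(token), Buffer.from(seller.id)));
}
function decryptToken(kms, seller, blob) {
  return withDek(kms, seller, (dek) => gcmDecrypt(dek, blob, Buffer.from(seller.id)).toString());
}
// Rotate one seller: re-encrypt that seller's blobs under a new DEK; others untouched.
function rotateDek(kms, seller, blobs) {
  const next = newSeller(kms, seller.id);
  const moved = blobs.map((b) => encryptToken(kms, next, decryptToken(kms, seller, b)));
  return { seller: next, blobs: moved };
}
```

Only the sealed DEK and the token blobs would be persisted; a blob encrypted under one seller's DEK fails authentication under any other seller's DEK, and under the same seller's DEK after rotation.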

build 547000c1ac5d3ea9cb039864711ed788f9948b69 · 2026-06-12T02:03:58+05:30