Enterprise Video Encryption Standards
Video requires encryption at every stage: when it's moving (transit), when it's stored (rest), and ideally when it's being processed (in use). This guide covers encryption standards for enterprise video processing.
Encryption in Transit
All video moving over networks must be encrypted:
TLS Requirements
- TLS 1.3: Required for all connections
- TLS 1.2: Supported with strong cipher suites only
- TLS 1.1 and below: Not supported
Cipher Suites
We support only modern, secure ciphers:
- TLS_AES_256_GCM_SHA384 (TLS 1.3)
- TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)
- ECDHE + AES-256-GCM (TLS 1.2)
Certificate Pinning
SDKs implement certificate pinning to prevent MITM attacks. Even if a CA is compromised, our SDK won't accept a fraudulent certificate.
Upload Integrity
Chunked uploads include:
- Per-chunk checksums
- Resume capability without re-upload
- Final hash verification
Encryption at Rest
Any video that touches storage is encrypted:
Standard: AES-256-GCM
- 256-bit keys
- Galois/Counter Mode for authenticated encryption
- NIST-approved, FIPS 140-2 validated
Key Hierarchy
Root Key (HSM)
└── Data Encryption Key (per customer)
└── File Key (per video)
Each video has its own key, derived from your customer key, derived from the root.
Key Management
- HSM storage: Root keys never leave hardware security module
- Key rotation: Automatic rotation on schedule
- Key destruction: On customer deletion, keys are destroyed
Customer-Managed Keys (Enterprise)
On enterprise tiers, bring your own keys:
- Keys stored in your cloud KMS (AWS KMS, Azure Key Vault, GCP KMS)
- We request decryption permission per-job
- You can revoke access instantly
- Full key lifecycle in your control
Encryption in Use (Confidential Computing)
The hardest problem: protecting video while it's being processed.
The Challenge
Traditional processing requires decrypted video in memory. Anyone with memory access (compromised server, malicious insider) could access it.
BetterVideo's Approach
We mitigate this through:
- Ephemeral processing: Video is in memory briefly, then gone
- Memory isolation: Each job runs in isolated process space
- Container destruction: Processing containers destroyed after job
- GPU memory clearing: GPU memory wiped between jobs
True Confidential Computing (Enterprise)
For maximum protection, enterprise tiers offer:
- AMD SEV-SNP: Encrypted memory, hardware-attested
- Intel SGX: Encrypted enclaves for sensitive processing
- Attestation: Cryptographic proof of processing environment
Frequently Asked Questions
TLS 1.3 for transit, AES-256-GCM for storage. Per-customer keys, HSM management, and optional customer-managed keys on enterprise tiers.
Yes — enterprise tiers support customer-managed keys through AWS KMS, Azure Key Vault, or GCP KMS.
We use ephemeral containers and memory isolation. For maximum protection, enterprise tiers offer confidential computing with AMD SEV-SNP or Intel SGX.
Ready to get started?
Try BetterVideo's privacy-first video enhancement API — free sandbox, no credit card required.