CASI

Complex Adaptive Systems Intelligence

Adaptive Resonance Technologies

Member Onboarding

Set up your encryption credentials. Your password never leaves your browser.

  1. Identity
  2. Password
  3. Backup Key
  4. Complete

Choose a strong password. You'll only need it twice — now (onboarding) and when you offboard. After this step, your encryption key is cached securely in your browser.

Save your backup key now. This is the only time it will be shown in full. Store it according to the escrow policy below.

Escrow Policy

Onboarding Complete

Your encryption key has been derived and cached in your browser. You won't need your password again until offboarding.

Name
Identity
Key Fingerprint
Session Active

Encryption Dashboard

Test your encryption key and verify it's working correctly.

No Active Session

Complete onboarding first to activate your encryption key.

Member Offboarding

Securely destroy your encryption credentials and complete departure.

No Active Session

You need an active session to offboard. Complete onboarding if you haven't already.

How We Keep You Safe

Transparency about our encryption architecture — what we protect and how.

Your Password, Your Key

When you onboard, your password is used to derive a unique encryption key through a computationally intensive process (hundreds of thousands of iterations). This happens entirely in your browser — your password is never transmitted, stored on any server, or seen by anyone at CASI.

Military-Grade Encryption

Your data is encrypted with AES-256-GCM, the same standard used by governments and financial institutions worldwide. Each piece of data gets a unique initialization vector, ensuring that identical inputs produce different encrypted outputs.

Zero-Knowledge Architecture

Our servers never have access to your encryption key or your unencrypted data. We can store and deliver your encrypted data, but we cannot read it. Only someone with your derived key can decrypt your information.

Network-Level Protection

This portal is accessible only through our private network overlay. Every connection is authenticated before it reaches our servers. Unauthorized devices simply cannot see or interact with our infrastructure.

Backup Key Escrow

During onboarding, you receive a backup key. For internal members, this is securely stored in our enterprise password vault. For external partners, you maintain custody of your own backup. This ensures recoverability without compromising security.

Emergency Response

If a security incident occurs, administrators can immediately revoke network access, cutting off all connections to CASI infrastructure within seconds. This multi-layered approach ensures rapid response to any threat.

⚠️ Emergency Deactivation

Administrator-only. Immediately revoke a member's access to all CASI systems.

Escalation Levels

Level 1 Reversible

Remove from Tailscale ACL

Remove the user's email from group:casi-members in the Tailscale admin console. Immediately cuts off all SSH, HTTPS, and service access to CASI resources.

  1. Open Tailscale Admin Console → Access Controls
  2. Find "group:casi-members" in the ACL policy
  3. Remove the user's email address
  4. Save the policy
Effect: Immediate loss of all tailnet access. User can no longer reach any ART service including this portal.

Level 2 Reversible

Remove Tailscale Device

Delete the user's device from the Tailscale machine list. The device can no longer connect to the tailnet.

  1. Open Tailscale Admin Console → Machines
  2. Find the user's device(s)
  3. Click Remove
Effect: Device deauthorized. Re-adding requires admin approval.

Level 3 ⚠️ Impacts All Users

Rotate Deployment Salt

Changes the server-side salt used in password-based key derivation. Invalidates all password-derived keys across the organization.

  1. Generate a new deployment salt
  2. Update the environment variable on the target service
  3. Restart the service
  4. All members must re-onboard
Effect: All existing password-derived keys become invalid. Requires full re-onboarding of all members.

Level 4 ☢️ NUCLEAR — Irreversible

Delete PBS Encryption Key

Remove the backup encryption keyfile from Bitwarden and the Proxmox host. Backups become permanently unrecoverable.

  1. Delete PBS-Encryption-Key from Bitwarden vault
  2. Delete /etc/pve/priv/storage/pbs-art-backup.keyfile on ART-Infra1
  3. Future backups will fail — reconfigure with a new key
Effect: All encrypted backups become permanently unrecoverable. Only use in catastrophic breach scenarios.