Argon2id
The OWASP-recommended password hashing algorithm — winner of the 2015 Password Hashing Competition. Combines memory-hardness (Argon2d) with side-channel resistance (Argon2i). VULK hashes every user password with Argon2id in vulk-api-engine.
Argon2id
Argon2id is the password-hashing function recommended by OWASP for new applications, and the default winner of the 2015 Password Hashing Competition. It is a hybrid of Argon2d (which is memory-hard and resists GPU / ASIC brute-force well) and Argon2i (which resists side-channel timing attacks), getting both properties at once. The OWASP 2024 baseline parameters are roughly m = 19 MiB, t = 2, p = 1, producing a hash that takes ~50 ms on commodity hardware while requiring 19 MiB of RAM per attempt — which collapses GPU-based attacks.
VULK uses Argon2id for every password hash in vulk-api-engine, stored in the password_hash column. The legacy password column is never used. On registration the password is hashed server-side with the OWASP parameters, the resulting $argon2id$... PHC string is saved, and on login argon2.verify runs against the stored hash. Bcrypt and SHA-* are not accepted anywhere in the stack.
AWS KMS Envelope Encryption
A two-layer encryption pattern where each piece of data is encrypted with a unique data key, and that data key is itself encrypted by a master key in AWS KMS. Combines KMS's audit / rotation guarantees with the throughput of local encryption.
Support Levels
Support options and response times for each VULK plan.