diff --git a/Makefile b/Makefile
index 7cb5ed6b9b..e737c40135 100644
--- a/Makefile
+++ b/Makefile
@@ -195,6 +195,8 @@ protobuild:
 	@protoc-go-inject-tag -input=./internal/auth/ldap/store/ldap.pb.go
 	@protoc-go-inject-tag -input=./internal/gen/controller/servers/services/upstream_message_service.pb.go
 	@protoc-go-inject-tag -input=./internal/storage/plugin/store/storage.pb.go
+	@protoc-go-inject-tag -input=./internal/policy/storage/store/policy.pb.go
+	@protoc-go-inject-tag -input=./internal/policy/store/policy.pb.go
 
 	# inject classification tags (see: https://github.com/hashicorp/go-eventlogger/tree/main/filters/encrypt)
 	@protoc-go-inject-tag -input=./internal/gen/controller/api/services/auth_method_service.pb.go
diff --git a/globals/prefixes.go b/globals/prefixes.go
index 93e859194a..afd706c871 100644
--- a/globals/prefixes.go
+++ b/globals/prefixes.go
@@ -124,6 +124,9 @@ const (
 	ConnectionRecordingPrefix = "cr"
 	// ChannelRecordingPrefix is the prefix for channel recordings
 	ChannelRecordingPrefix = "chr"
+
+	// StoragePolicyPrefix for storage policies.
+	StoragePolicyPrefix = "pst"
 )
 
 type ResourceInfo struct {
diff --git a/internal/policy/policy.go b/internal/policy/policy.go
new file mode 100644
index 0000000000..02cb4e4b55
--- /dev/null
+++ b/internal/policy/policy.go
@@ -0,0 +1,12 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package policy
+
+import "github.com/hashicorp/boundary/internal/boundary"
+
+// Policy contains the common methods across all the different types of policies.
+type Policy interface {
+	boundary.Resource
+	GetScopeId() string
+}
diff --git a/internal/policy/storage/store/policy.pb.go b/internal/policy/storage/store/policy.pb.go
new file mode 100644
index 0000000000..31bb1df5d4
--- /dev/null
+++ b/internal/policy/storage/store/policy.pb.go
@@ -0,0 +1,304 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.31.0
+// 	protoc        (unknown)
+// source: controller/storage/policy/storage/store/v1/policy.proto
+
+// Package store provides protobufs for storing types in the static
+// credential package.
+
+package store
+
+import (
+	timestamp "github.com/hashicorp/boundary/internal/db/timestamp"
+	_ "github.com/hashicorp/boundary/sdk/pbs/controller/protooptions"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type Policy struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// public_id is a surrogate key suitable for use in a public API.
+	// @inject_tag: `gorm:"primary_key"`
+	PublicId string `protobuf:"bytes,1,opt,name=public_id,json=publicId,proto3" json:"public_id,omitempty" gorm:"primary_key"`
+	// scope_id must be either global or an org scope.
+	// @inject_tag: `gorm:"not_null"`
+	ScopeId string `protobuf:"bytes,2,opt,name=scope_id,json=scopeId,proto3" json:"scope_id,omitempty" gorm:"not_null"`
+	// retain_for_days is the number of days for which a session recording will be
+	// retained. Must be provided.
+	// @inject_tag: `gorm:"not_null"`
+	RetainForDays int64 `protobuf:"varint,3,opt,name=retain_for_days,json=retainForDays,proto3" json:"retain_for_days,omitempty" gorm:"not_null"`
+	// retain_for_days_overridable signals whether this storage policy's retention
+	// duration can be overridden.
+	RetainForDaysOverridable bool `protobuf:"varint,4,opt,name=retain_for_days_overridable,json=retainForDaysOverridable,proto3" json:"retain_for_days_overridable,omitempty"`
+	// delete_after_days is the number of days after which a session recording
+	// will be automatically deleted.
+	// @inject_tag: `gorm:"not_null"`
+	DeleteAfterDays int64 `protobuf:"varint,5,opt,name=delete_after_days,json=deleteAfterDays,proto3" json:"delete_after_days,omitempty" gorm:"not_null"`
+	// delete_after_days_overridable signals whether this storage policy's
+	// deletion policy can be overridden.
+	DeleteAfterDaysOverridable bool `protobuf:"varint,6,opt,name=delete_after_days_overridable,json=deleteAfterDaysOverridable,proto3" json:"delete_after_days_overridable,omitempty"`
+	// name is optional.
+	// @inject_tag: `gorm:"default:null"`
+	Name string `protobuf:"bytes,7,opt,name=name,proto3" json:"name,omitempty" gorm:"default:null"`
+	// description is optional.
+	// @inject_tag: `gorm:"default:null"`
+	Description string `protobuf:"bytes,8,opt,name=description,proto3" json:"description,omitempty" gorm:"default:null"`
+	// The create_time is set by the database.
+	// @inject_tag: `gorm:"default:current_timestamp"`
+	CreateTime *timestamp.Timestamp `protobuf:"bytes,9,opt,name=create_time,json=createTime,proto3" json:"create_time,omitempty" gorm:"default:current_timestamp"`
+	// The update_time is set by the database.
+	// @inject_tag: `gorm:"default:current_timestamp"`
+	UpdateTime *timestamp.Timestamp `protobuf:"bytes,10,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty" gorm:"default:current_timestamp"`
+	// version allows optimistic locking of the resource.
+	// @inject_tag: `gorm:"default:null"`
+	Version uint32 `protobuf:"varint,11,opt,name=version,proto3" json:"version,omitempty" gorm:"default:null"`
+}
+
+func (x *Policy) Reset() {
+	*x = Policy{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_controller_storage_policy_storage_store_v1_policy_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Policy) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Policy) ProtoMessage() {}
+
+func (x *Policy) ProtoReflect() protoreflect.Message {
+	mi := &file_controller_storage_policy_storage_store_v1_policy_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Policy.ProtoReflect.Descriptor instead.
+func (*Policy) Descriptor() ([]byte, []int) {
+	return file_controller_storage_policy_storage_store_v1_policy_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Policy) GetPublicId() string {
+	if x != nil {
+		return x.PublicId
+	}
+	return ""
+}
+
+func (x *Policy) GetScopeId() string {
+	if x != nil {
+		return x.ScopeId
+	}
+	return ""
+}
+
+func (x *Policy) GetRetainForDays() int64 {
+	if x != nil {
+		return x.RetainForDays
+	}
+	return 0
+}
+
+func (x *Policy) GetRetainForDaysOverridable() bool {
+	if x != nil {
+		return x.RetainForDaysOverridable
+	}
+	return false
+}
+
+func (x *Policy) GetDeleteAfterDays() int64 {
+	if x != nil {
+		return x.DeleteAfterDays
+	}
+	return 0
+}
+
+func (x *Policy) GetDeleteAfterDaysOverridable() bool {
+	if x != nil {
+		return x.DeleteAfterDaysOverridable
+	}
+	return false
+}
+
+func (x *Policy) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *Policy) GetDescription() string {
+	if x != nil {
+		return x.Description
+	}
+	return ""
+}
+
+func (x *Policy) GetCreateTime() *timestamp.Timestamp {
+	if x != nil {
+		return x.CreateTime
+	}
+	return nil
+}
+
+func (x *Policy) GetUpdateTime() *timestamp.Timestamp {
+	if x != nil {
+		return x.UpdateTime
+	}
+	return nil
+}
+
+func (x *Policy) GetVersion() uint32 {
+	if x != nil {
+		return x.Version
+	}
+	return 0
+}
+
+var File_controller_storage_policy_storage_store_v1_policy_proto protoreflect.FileDescriptor
+
+var file_controller_storage_policy_storage_store_v1_policy_proto_rawDesc = []byte{
+	0x0a, 0x37, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x73, 0x74, 0x6f,
+	0x72, 0x61, 0x67, 0x65, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x74, 0x6f, 0x72,
+	0x61, 0x67, 0x65, 0x2f, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x6f, 0x6c,
+	0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2a, 0x63, 0x6f, 0x6e, 0x74, 0x72,
+	0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2e, 0x70, 0x6f,
+	0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2e, 0x73, 0x74, 0x6f,
+	0x72, 0x65, 0x2e, 0x76, 0x31, 0x1a, 0x2a, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65,
+	0x72, 0x2f, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73,
+	0x2f, 0x76, 0x31, 0x2f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x1a, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x73, 0x74,
+	0x6f, 0x72, 0x61, 0x67, 0x65, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2f,
+	0x76, 0x31, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x22, 0xb2, 0x04, 0x0a, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1b, 0x0a,
+	0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x08, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x63,
+	0x6f, 0x70, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x63,
+	0x6f, 0x70, 0x65, 0x49, 0x64, 0x12, 0x26, 0x0a, 0x0f, 0x72, 0x65, 0x74, 0x61, 0x69, 0x6e, 0x5f,
+	0x66, 0x6f, 0x72, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d,
+	0x72, 0x65, 0x74, 0x61, 0x69, 0x6e, 0x46, 0x6f, 0x72, 0x44, 0x61, 0x79, 0x73, 0x12, 0x3d, 0x0a,
+	0x1b, 0x72, 0x65, 0x74, 0x61, 0x69, 0x6e, 0x5f, 0x66, 0x6f, 0x72, 0x5f, 0x64, 0x61, 0x79, 0x73,
+	0x5f, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x08, 0x52, 0x18, 0x72, 0x65, 0x74, 0x61, 0x69, 0x6e, 0x46, 0x6f, 0x72, 0x44, 0x61, 0x79,
+	0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x2a, 0x0a, 0x11,
+	0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x5f, 0x64, 0x61, 0x79,
+	0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0f, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41,
+	0x66, 0x74, 0x65, 0x72, 0x44, 0x61, 0x79, 0x73, 0x12, 0x41, 0x0a, 0x1d, 0x64, 0x65, 0x6c, 0x65,
+	0x74, 0x65, 0x5f, 0x61, 0x66, 0x74, 0x65, 0x72, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x5f, 0x6f, 0x76,
+	0x65, 0x72, 0x72, 0x69, 0x64, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x1a, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x41, 0x66, 0x74, 0x65, 0x72, 0x44, 0x61, 0x79, 0x73,
+	0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x24, 0x0a, 0x04, 0x6e,
+	0x61, 0x6d, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x42, 0x10, 0xc2, 0xdd, 0x29, 0x0c, 0x0a,
+	0x04, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x52, 0x04, 0x6e, 0x61, 0x6d,
+	0x65, 0x12, 0x40, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e,
+	0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x42, 0x1e, 0xc2, 0xdd, 0x29, 0x1a, 0x0a, 0x0b, 0x44, 0x65,
+	0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72,
+	0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
+	0x69, 0x6f, 0x6e, 0x12, 0x4b, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69,
+	0x6d, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72,
+	0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2e, 0x74, 0x69,
+	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
+	0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65,
+	0x12, 0x4b, 0x0a, 0x0b, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18,
+	0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c,
+	0x65, 0x72, 0x2e, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2e, 0x74, 0x69, 0x6d, 0x65, 0x73,
+	0x74, 0x61, 0x6d, 0x70, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d,
+	0x70, 0x52, 0x0a, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x18, 0x0a,
+	0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x07,
+	0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x42, 0x43, 0x5a, 0x41, 0x67, 0x69, 0x74, 0x68, 0x75,
+	0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f,
+	0x62, 0x6f, 0x75, 0x6e, 0x64, 0x61, 0x72, 0x79, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61,
+	0x6c, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65,
+	0x2f, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3b, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_controller_storage_policy_storage_store_v1_policy_proto_rawDescOnce sync.Once
+	file_controller_storage_policy_storage_store_v1_policy_proto_rawDescData = file_controller_storage_policy_storage_store_v1_policy_proto_rawDesc
+)
+
+func file_controller_storage_policy_storage_store_v1_policy_proto_rawDescGZIP() []byte {
+	file_controller_storage_policy_storage_store_v1_policy_proto_rawDescOnce.Do(func() {
+		file_controller_storage_policy_storage_store_v1_policy_proto_rawDescData = protoimpl.X.CompressGZIP(file_controller_storage_policy_storage_store_v1_policy_proto_rawDescData)
+	})
+	return file_controller_storage_policy_storage_store_v1_policy_proto_rawDescData
+}
+
+var file_controller_storage_policy_storage_store_v1_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_controller_storage_policy_storage_store_v1_policy_proto_goTypes = []interface{}{
+	(*Policy)(nil),              // 0: controller.storage.policy.storage.store.v1.Policy
+	(*timestamp.Timestamp)(nil), // 1: controller.storage.timestamp.v1.Timestamp
+}
+var file_controller_storage_policy_storage_store_v1_policy_proto_depIdxs = []int32{
+	1, // 0: controller.storage.policy.storage.store.v1.Policy.create_time:type_name -> controller.storage.timestamp.v1.Timestamp
+	1, // 1: controller.storage.policy.storage.store.v1.Policy.update_time:type_name -> controller.storage.timestamp.v1.Timestamp
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
+}
+
+func init() { file_controller_storage_policy_storage_store_v1_policy_proto_init() }
+func file_controller_storage_policy_storage_store_v1_policy_proto_init() {
+	if File_controller_storage_policy_storage_store_v1_policy_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_controller_storage_policy_storage_store_v1_policy_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Policy); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_controller_storage_policy_storage_store_v1_policy_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_controller_storage_policy_storage_store_v1_policy_proto_goTypes,
+		DependencyIndexes: file_controller_storage_policy_storage_store_v1_policy_proto_depIdxs,
+		MessageInfos:      file_controller_storage_policy_storage_store_v1_policy_proto_msgTypes,
+	}.Build()
+	File_controller_storage_policy_storage_store_v1_policy_proto = out.File
+	file_controller_storage_policy_storage_store_v1_policy_proto_rawDesc = nil
+	file_controller_storage_policy_storage_store_v1_policy_proto_goTypes = nil
+	file_controller_storage_policy_storage_store_v1_policy_proto_depIdxs = nil
+}
diff --git a/internal/policy/store/policy.pb.go b/internal/policy/store/policy.pb.go
new file mode 100644
index 0000000000..9605f7a2c1
--- /dev/null
+++ b/internal/policy/store/policy.pb.go
@@ -0,0 +1,167 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.31.0
+// 	protoc        (unknown)
+// source: controller/storage/policy/store/v1/policy.proto
+
+// Package store provides protobufs for storing types in the credential package.
+
+package store
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type Store struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// public_id is a surrogate key suitable for use in a public API.
+	// @inject_tag: `gorm:"primary_key"`
+	PublicId string `protobuf:"bytes,1,opt,name=public_id,json=publicId,proto3" json:"public_id,omitempty" gorm:"primary_key"`
+	// The scope_id of the owning org/global. Must be set.
+	// @inject_tag: `gorm:"not_null"`
+	ScopeId string `protobuf:"bytes,2,opt,name=scope_id,json=scopeId,proto3" json:"scope_id,omitempty" gorm:"not_null"`
+}
+
+func (x *Store) Reset() {
+	*x = Store{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_controller_storage_policy_store_v1_policy_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Store) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Store) ProtoMessage() {}
+
+func (x *Store) ProtoReflect() protoreflect.Message {
+	mi := &file_controller_storage_policy_store_v1_policy_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Store.ProtoReflect.Descriptor instead.
+func (*Store) Descriptor() ([]byte, []int) {
+	return file_controller_storage_policy_store_v1_policy_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Store) GetPublicId() string {
+	if x != nil {
+		return x.PublicId
+	}
+	return ""
+}
+
+func (x *Store) GetScopeId() string {
+	if x != nil {
+		return x.ScopeId
+	}
+	return ""
+}
+
+var File_controller_storage_policy_store_v1_policy_proto protoreflect.FileDescriptor
+
+var file_controller_storage_policy_store_v1_policy_proto_rawDesc = []byte{
+	0x0a, 0x2f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2f, 0x73, 0x74, 0x6f,
+	0x72, 0x61, 0x67, 0x65, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x74, 0x6f, 0x72,
+	0x65, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x22, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x6c, 0x65, 0x72, 0x2e, 0x73, 0x74,
+	0x6f, 0x72, 0x61, 0x67, 0x65, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x73, 0x74, 0x6f,
+	0x72, 0x65, 0x2e, 0x76, 0x31, 0x22, 0x3f, 0x0a, 0x05, 0x53, 0x74, 0x6f, 0x72, 0x65, 0x12, 0x1b,
+	0x0a, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x08, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73,
+	0x63, 0x6f, 0x70, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73,
+	0x63, 0x6f, 0x70, 0x65, 0x49, 0x64, 0x42, 0x3b, 0x5a, 0x39, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x62,
+	0x6f, 0x75, 0x6e, 0x64, 0x61, 0x72, 0x79, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c,
+	0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2f, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3b, 0x73, 0x74,
+	0x6f, 0x72, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_controller_storage_policy_store_v1_policy_proto_rawDescOnce sync.Once
+	file_controller_storage_policy_store_v1_policy_proto_rawDescData = file_controller_storage_policy_store_v1_policy_proto_rawDesc
+)
+
+func file_controller_storage_policy_store_v1_policy_proto_rawDescGZIP() []byte {
+	file_controller_storage_policy_store_v1_policy_proto_rawDescOnce.Do(func() {
+		file_controller_storage_policy_store_v1_policy_proto_rawDescData = protoimpl.X.CompressGZIP(file_controller_storage_policy_store_v1_policy_proto_rawDescData)
+	})
+	return file_controller_storage_policy_store_v1_policy_proto_rawDescData
+}
+
+var file_controller_storage_policy_store_v1_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_controller_storage_policy_store_v1_policy_proto_goTypes = []interface{}{
+	(*Store)(nil), // 0: controller.storage.policy.store.v1.Store
+}
+var file_controller_storage_policy_store_v1_policy_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_controller_storage_policy_store_v1_policy_proto_init() }
+func file_controller_storage_policy_store_v1_policy_proto_init() {
+	if File_controller_storage_policy_store_v1_policy_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_controller_storage_policy_store_v1_policy_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Store); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_controller_storage_policy_store_v1_policy_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_controller_storage_policy_store_v1_policy_proto_goTypes,
+		DependencyIndexes: file_controller_storage_policy_store_v1_policy_proto_depIdxs,
+		MessageInfos:      file_controller_storage_policy_store_v1_policy_proto_msgTypes,
+	}.Build()
+	File_controller_storage_policy_store_v1_policy_proto = out.File
+	file_controller_storage_policy_store_v1_policy_proto_rawDesc = nil
+	file_controller_storage_policy_store_v1_policy_proto_goTypes = nil
+	file_controller_storage_policy_store_v1_policy_proto_depIdxs = nil
+}
diff --git a/internal/proto/controller/storage/policy/storage/store/v1/policy.proto b/internal/proto/controller/storage/policy/storage/store/v1/policy.proto
new file mode 100644
index 0000000000..ae81dc84de
--- /dev/null
+++ b/internal/proto/controller/storage/policy/storage/store/v1/policy.proto
@@ -0,0 +1,67 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+syntax = "proto3";
+
+// Package store provides protobufs for storing types in the static
+// credential package.
+package controller.storage.policy.storage.store.v1;
+
+import "controller/custom_options/v1/options.proto";
+import "controller/storage/timestamp/v1/timestamp.proto";
+
+option go_package = "github.com/hashicorp/boundary/internal/policy/storage/store;store";
+
+message Policy {
+  // public_id is a surrogate key suitable for use in a public API.
+  // @inject_tag: `gorm:"primary_key"`
+  string public_id = 1;
+
+  // scope_id must be either global or an org scope.
+  // @inject_tag: `gorm:"not_null"`
+  string scope_id = 2;
+
+  // retain_for_days is the number of days for which a session recording will be
+  // retained. Must be provided.
+  // @inject_tag: `gorm:"not_null"`
+  int64 retain_for_days = 3;
+
+  // retain_for_days_overridable signals whether this storage policy's retention
+  // duration can be overridden.
+  bool retain_for_days_overridable = 4;
+
+  // delete_after_days is the number of days after which a session recording
+  // will be automatically deleted.
+  // @inject_tag: `gorm:"not_null"`
+  int64 delete_after_days = 5;
+
+  // delete_after_days_overridable signals whether this storage policy's
+  // deletion policy can be overridden.
+  bool delete_after_days_overridable = 6;
+
+  // name is optional.
+  // @inject_tag: `gorm:"default:null"`
+  string name = 7 [(custom_options.v1.mask_mapping) = {
+    this: "Name"
+    that: "name"
+  }];
+
+  // description is optional.
+  // @inject_tag: `gorm:"default:null"`
+  string description = 8 [(custom_options.v1.mask_mapping) = {
+    this: "Description"
+    that: "description"
+  }];
+
+  // The create_time is set by the database.
+  // @inject_tag: `gorm:"default:current_timestamp"`
+  timestamp.v1.Timestamp create_time = 9;
+
+  // The update_time is set by the database.
+  // @inject_tag: `gorm:"default:current_timestamp"`
+  timestamp.v1.Timestamp update_time = 10;
+
+  // version allows optimistic locking of the resource.
+  // @inject_tag: `gorm:"default:null"`
+  uint32 version = 11;
+}
diff --git a/internal/proto/controller/storage/policy/store/v1/policy.proto b/internal/proto/controller/storage/policy/store/v1/policy.proto
new file mode 100644
index 0000000000..14c754fa88
--- /dev/null
+++ b/internal/proto/controller/storage/policy/store/v1/policy.proto
@@ -0,0 +1,19 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+syntax = "proto3";
+
+// Package store provides protobufs for storing types in the credential package.
+package controller.storage.policy.store.v1;
+
+option go_package = "github.com/hashicorp/boundary/internal/policy/store;store";
+
+message Store {
+  // public_id is a surrogate key suitable for use in a public API.
+  // @inject_tag: `gorm:"primary_key"`
+  string public_id = 1;
+
+  // The scope_id of the owning org/global. Must be set.
+  // @inject_tag: `gorm:"not_null"`
+  string scope_id = 2;
+}