Encrypting Sensitive Data

Guide to encrypting sensitive data in DecisionRules, including setting up keys, rotating them, and using the key rotation API.

DecisionRules allows you to encrypt sensitive data in your application. Examples of sensitive data include:

  • Database passwords

  • Webhook keys

  • API tokens

  • Other credentials

By default, sensitive data is not encrypted. To enable encryption, you need to define the following environment variables:

  • ENCRYPTION_KEY_VERSION

  • ENCRYPTION_KEY_[VERSION]

Setting Up Encryption

  1. Define your encryption key version. The value of ENCRYPTION_KEY_VERSION can be any string (for example, 1).

  2. Define the actual encryption key. Its variable name is ENCRYPTION_KEY_ followed by the version from step 1, and the key must be exactly 32 characters long.

  3. Example environment variables:

ENCRYPTION_KEY_VERSION=1
ENCRYPTION_KEY_1=21dsadas4examplekeystringof32char

If sensitive data was already filled before setting these environment variables, all existing data will be rotated and encrypted once the variables are configured.
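The two checks a practitioner wants before starting the application are that the two variables agree with each other and that the key really is 32 characters. The following POSIX shell helper is an added example, not part of the DecisionRules documentation or product; the function names generate_key and validate_key_env are my own. It assumes the version string is usable inside a variable name (letters, digits or underscores), because ENCRYPTION_KEY_[VERSION] is built from it.

```shell
#!/bin/sh
# Added example, not DecisionRules code. Helper names are my own.

# Generate a random key that is exactly 32 characters long:
# 24 random bytes encode to 32 base64 characters with no padding.
generate_key() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Check that ENCRYPTION_KEY_VERSION is set and that the matching
# ENCRYPTION_KEY_<version> exists and has exactly 32 characters.
# Assumption: the version is interpolated into a variable name here,
# so it should consist of letters, digits or underscores.
validate_key_env() {
  version="${ENCRYPTION_KEY_VERSION:-}"
  if [ -z "$version" ]; then
    echo "ENCRYPTION_KEY_VERSION is not set: sensitive data stays unencrypted" >&2
    return 1
  fi
  name="ENCRYPTION_KEY_${version}"
  eval "key=\"\${${name}:-}\""
  if [ -z "$key" ]; then
    echo "$name is not set" >&2
    return 1
  fi
  if [ "${#key}" -ne 32 ]; then
    echo "$name must be exactly 32 characters long (got ${#key})" >&2
    return 1
  fi
  echo "$name: ok (32 characters)"
}

# Typical first-time setup: print the two lines for your environment file.
# ENCRYPTION_KEY_VERSION=1
# ENCRYPTION_KEY_1=$(generate_key)
```

Run validate_key_env in the same environment the application starts in (a container entrypoint or systemd ExecStartPre), so a typo in the version or a truncated key fails loudly instead of silently leaving data unencrypted.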


Rotating Encryption Keys

To rotate data with a new encryption key:

  1. Keep the old key for the previous version (e.g., ENCRYPTION_KEY_1).

  2. Set a new version and key:

ENCRYPTION_KEY_VERSION=2
ENCRYPTION_KEY_2=etertasddterexamplekeystringof32char

  • This tells DecisionRules that all newly created data will use version 2.

  • Existing data with version 1 will still use the old key until rotation is performed.

Rotating Existing Data

To re-encrypt all existing data to the new key version:

  1. Call the key rotation endpoint, PATCH /service/rotate-keys (see the reference below).

  2. After the rotation, all data will use the current encryption key version.

  3. You can then safely remove the old key environment variable (e.g., ENCRYPTION_KEY_1).
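The rotation steps above describe a versioned-key scheme: every stored secret carries the key version it was encrypted under, new writes use the current version, and rotation walks all records, decrypts each with its old key and re-encrypts with the current one; only then is the old key safe to drop. The Python below is an added example of that model, not DecisionRules' code. Its cipher is a stand-in (HMAC-SHA256 in counter mode plus a separate HMAC tag) chosen only so the example runs with the standard library; the product's real cipher is not stated on this page. The functions load_keys, encrypt, decrypt and rotate and the record layout are my own.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32                    # DecisionRules requires exactly 32 characters
ENV_PREFIX = "ENCRYPTION_KEY_"


def load_keys(env):
    """Parse ENCRYPTION_KEY_VERSION and every ENCRYPTION_KEY_<version> from an
    environment mapping. Returns (current_version, {version: key_bytes})."""
    current = env.get(ENV_PREFIX + "VERSION")
    if not current:
        raise ValueError("ENCRYPTION_KEY_VERSION is not set; data stays unencrypted")
    keys = {}
    for name, value in env.items():
        if name.startswith(ENV_PREFIX) and name != ENV_PREFIX + "VERSION":
            if len(value) != KEY_LEN:
                raise ValueError(f"{name} must be exactly {KEY_LEN} characters, got {len(value)}")
            keys[name[len(ENV_PREFIX):]] = value.encode()
    if current not in keys:
        raise ValueError(f"{ENV_PREFIX}{current} is missing for ENCRYPTION_KEY_VERSION={current}")
    return current, keys


# --- Stand-in cipher (assumption: NOT DecisionRules' real scheme) ---------
# HMAC-SHA256 in counter mode as a keystream, with a separate HMAC tag, so the
# rotation logic below has something concrete to encrypt and authenticate.
def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key, version, plaintext):
    """Return a record that carries the key version it was encrypted under."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), version.encode() + nonce + ct, hashlib.sha256).digest()
    return {"version": version, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt(keys, record):
    version = record["version"]
    if version not in keys:
        # The failure mode the guide warns about: old key removed before rotation.
        raise KeyError(f"{ENV_PREFIX}{version} is missing; keep old keys until rotation completes")
    key = keys[version]
    expected = hmac.new(_subkey(key, b"mac"),
                        version.encode() + record["nonce"] + record["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), record["nonce"], len(record["ct"]))
    return bytes(c ^ k for c, k in zip(record["ct"], ks))


def rotate(records, env):
    """Re-encrypt every record not already on the current version, in place.
    Returns how many were rotated (the count behind '42 Keys rotated!')."""
    current, keys = load_keys(env)
    rotated = 0
    for rec in records:
        if rec["version"] != current:
            rec.update(encrypt(keys[current], current, decrypt(keys, rec)))
            rotated += 1
    return rotated


if __name__ == "__main__":
    # Constructed sample environment and secrets, not real credentials.
    env_v1 = {"ENCRYPTION_KEY_VERSION": "1", "ENCRYPTION_KEY_1": "a" * 32}
    cur, keys = load_keys(env_v1)
    store = [encrypt(keys[cur], cur, s) for s in (b"db-password", b"webhook-secret")]
    # Step 2 of the guide: keep ENCRYPTION_KEY_1, add version 2 and its key.
    env_v2 = {**env_v1, "ENCRYPTION_KEY_VERSION": "2", "ENCRYPTION_KEY_2": "b" * 32}
    print(f"{rotate(store, env_v2)} Keys rotated!")
```

Two properties are worth checking in any such scheme: rotate is idempotent (a second run with the same environment rotates nothing), and a record still on an old version cannot be read once that version's key is gone, which is why the guide keeps the old key until rotation has completed.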

Rotate encryption keys

PATCH /service/rotate-keys

Re-encrypts all existing sensitive data to use the current encryption key version. Requires a valid service token for authorization.

Authorization: service token sent in the Authorization header.

Responses:

  • 200 Keys rotated successfully. Body: text/plain string, for example: 42 Keys rotated!

Example request:

PATCH /service/rotate-keys HTTP/1.1
Host: serverendpoint
Authorization: YOUR_API_KEY
Accept: */*

Example response:

42 Keys rotated!

Best Practices

  • Always keep old keys until all data is rotated.

  • Use strong, random keys exactly 32 characters long.

  • Rotate keys regularly to improve security.

  • Only authorized services should access the key rotation endpoint.
