Encrypting Sensitive Data
Guide to encrypting sensitive data in DecisionRules, including setting up keys, rotating them, and using the key rotation API.
DecisionRules allows you to encrypt sensitive data in your application. Examples of sensitive data include:
Database passwords
Webhook keys
API tokens
Other credentials
By default, sensitive data is not encrypted. To enable encryption, you need to define the following environment variables:
ENCRYPTION_KEY_VERSION
ENCRYPTION_KEY_[VERSION]
Setting Up Encryption
Define your encryption key version. The value of ENCRYPTION_KEY_VERSION can be any string (for example, 1).
Define the actual encryption key. The encryption key must be exactly 32 characters long.
Example environment variables:
ENCRYPTION_KEY_VERSION=1
ENCRYPTION_KEY_1=21dsadas4examplekeystringof32char
Rotating Encryption Keys
To rotate data with a new encryption key:
Keep the old key for the previous version (e.g., ENCRYPTION_KEY_1).
Set a new version and key:
ENCRYPTION_KEY_VERSION=2
ENCRYPTION_KEY_2=etertasddterexamplekeystringof32char
This tells DecisionRules that all newly created data will use version 2. Existing data with version 1 will still use the old key until rotation is performed.
Rotating Existing Data
To re-encrypt all existing data to the new key version:
Call the endpoint:
After the rotation, all data will use the current encryption key version.
You can then safely remove the old key environment variable (e.g., ENCRYPTION_KEY_1).
Re-encrypts all existing sensitive data to use the current encryption key version. Requires a valid service token for authorization.
Responses:
Keys rotated successfully (example body: 42 Keys rotated!)
Authentication bearer token invalid
Internal server error
Example request:
PATCH /service/rotate-keys HTTP/1.1
Host: serverendpoint
Authorization: YOUR_API_KEY
Accept: */*
Example response:
42 Keys rotated!
Best Practices
Always keep old keys until all data is rotated.
Use strong, random keys exactly 32 characters long.
Rotate keys regularly to improve security.
Only authorized services should access the key rotation endpoint.
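The setup and rotation rules above (a current version, a key for that version, every key exactly 32 characters, old keys kept until rotation has run) can be checked before a deployment. The shell functions below are an added example, not DecisionRules code; the env-file layout and the names gen_key, env_get, validate_env and next_env are assumptions.

```shell
#!/bin/sh
# Added example, not DecisionRules code. The env-file layout and all function
# names are assumptions; the rules checked are the ones stated on this page.

# Print a random key of exactly 32 characters drawn from [A-Za-z0-9].
gen_key() {
    # 4096 random bytes leave far more than 32 characters after filtering.
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Print the value of variable $2 in env file $1 (last assignment wins).
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Check env file $1: current version set, its key present, every key 32 chars.
# Prints each problem and returns 1 if any was found.
validate_env() {
    file=$1; bad=0
    ver=$(env_get "$file" ENCRYPTION_KEY_VERSION)
    if [ -z "$ver" ]; then
        echo "ENCRYPTION_KEY_VERSION is not set"; return 1
    fi
    if [ -z "$(env_get "$file" "ENCRYPTION_KEY_$ver")" ]; then
        echo "ENCRYPTION_KEY_$ver is missing for current version $ver"; bad=1
    fi
    for line in $(grep '^ENCRYPTION_KEY_' "$file" | grep -v '^ENCRYPTION_KEY_VERSION='); do
        name=${line%%=*}; value=${line#*=}
        if [ "${#value}" -ne 32 ]; then
            echo "$name is ${#value} characters, expected 32"; bad=1
        fi
    done
    return "$bad"
}

# Print env file $1 with unused version $2 made current and a fresh key added.
# Old ENCRYPTION_KEY_* lines are kept: data written under them stays readable
# until the PATCH /service/rotate-keys call has re-encrypted it.
next_env() {
    file=$1; new=$2
    if [ -n "$(env_get "$file" "ENCRYPTION_KEY_$new")" ]; then
        echo "version $new already has a key; choose an unused version" >&2
        return 1
    fi
    grep -v '^ENCRYPTION_KEY_VERSION=' "$file" || true
    echo "ENCRYPTION_KEY_VERSION=$new"
    echo "ENCRYPTION_KEY_$new=$(gen_key)"
}
```

Write the output of next_env to a new file and run validate_env on it before deploying. Delete the old ENCRYPTION_KEY_* line only after the rotation endpoint has reported success.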