# Encrypting Sensitive Data

DecisionRules allows you to encrypt sensitive data in your application. Examples of sensitive data include:

* Database passwords
* Webhook keys
* API tokens
* Other credentials

By default, sensitive data is **not encrypted**. To enable encryption, you need to define the following environment variables:

* `ENCRYPTION_KEY_VERSION`
* `ENCRYPTION_KEY_[VERSION]`

### Setting Up Encryption

1. **Define your encryption key version**\
   The value of `ENCRYPTION_KEY_VERSION` can be any string (for example, `1`).
2. **Define the actual encryption key**\
   The encryption key must be exactly **32 characters long**.
3. **Example environment variables**:

```env
ENCRYPTION_KEY_VERSION=1
ENCRYPTION_KEY_1=21dsadas4examplekeystringof32char
```

{% hint style="info" %}
If sensitive data was already filled **before** setting these environment variables, all existing data will be **rotated and encrypted** once the variables are configured.
{% endhint %}

***

### Rotating Encryption Keys

To rotate data with a new encryption key:

1. **Keep the old key** for the previous version (e.g., `ENCRYPTION_KEY_1`).
2. **Set a new version and key**:

```env
ENCRYPTION_KEY_VERSION=2
ENCRYPTION_KEY_2=etertasddterexamplekeystringof32char
```

* This tells DecisionRules that all **newly created data** will use version `2`.
* Existing data with version `1` will still use the old key until rotation is performed.

#### Rotating Existing Data

To re-encrypt all existing data to the new key version:

1. Call the endpoint:
2. After the rotation, all data will use the **current encryption key version**.
3. You can then safely remove the old key environment variable (e.g., `ENCRYPTION_KEY_1`).

## Rotate encryption keys

> Re-encrypts all existing sensitive data to use the current encryption key version. Requires a valid service token for authorization.<br>

```json
{"openapi":"3.1.0","info":{"title":"DecisionRules Service API","version":"1.0.0"},"servers":[{"url":"https://serverendpoint"}],"security":[{"ServiceTokenAuth":[]}],"components":{"securitySchemes":{"ServiceTokenAuth":{"type":"apiKey","in":"header","name":"Authorization","description":"Service authorization token defined by SERVICE_TOKEN env variable. Example: `Authorization: ServiceToken <SERVICE_TOKEN>`\n"}}},"paths":{"/service/rotate-keys":{"patch":{"summary":"Rotate encryption keys","description":"Re-encrypts all existing sensitive data to use the current encryption key version. Requires a valid service token for authorization.\n","operationId":"rotateKeys","responses":{"200":{"description":"Keys rotated successfully","content":{"text/plain":{"schema":{"type":"string"}}}},"401":{"description":"Authentication bearer token invalid"},"500":{"description":"Internal server error"}}}}}}
```

***

### Best Practices

* Always **keep old keys** until all data is rotated.
* Use **strong, random keys** exactly 32 characters long.
* Rotate keys regularly to improve security.
* Only authorized services should access the key rotation endpoint.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.decisionrules.io/doc/other-deployment-options/docker-and-on-premise/encrypting-sensitive-data.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.