Encrypting Sensitive Data

Guide to encrypting sensitive data in DecisionRules, including setting up keys, rotating them, and using the key rotation API.

DecisionRules allows you to encrypt sensitive data in your application. Examples of sensitive data include:

Database passwords
Webhook keys
API tokens
Other credentials

By default, sensitive data is not encrypted. To enable encryption, you need to define the following environment variables:

ENCRYPTION_KEY_VERSION
ENCRYPTION_KEY_[VERSION]

Setting Up Encryption

Define your encryption key version The value of ENCRYPTION_KEY_VERSION can be any string (for example, 1).
Define the actual encryption key The encryption key must be exactly 32 characters long.
Example environment variables:

ENCRYPTION_KEY_VERSION=1
ENCRYPTION_KEY_1=21dsadas4examplekeystringof32char

If sensitive data was already filled before setting these environment variables, all existing data will be rotated and encrypted once the variables are configured.

Rotating Encryption Keys

To rotate data with a new encryption key:

Keep the old key for the previous version (e.g., ENCRYPTION_KEY_1).
Set a new version and key:

ENCRYPTION_KEY_VERSION=2
ENCRYPTION_KEY_2=etertasddterexamplekeystringof32char

This tells DecisionRules that all newly created data will use version 2.
Existing data with version 1 will still use the old key until rotation is performed.

Rotating Existing Data

To re-encrypt all existing data to the new key version:

Call the endpoint:
After the rotation, all data will use the current encryption key version.
You can then safely remove the old key environment variable (e.g., ENCRYPTION_KEY_1).

Rotate encryption keys

patch

Re-encrypts all existing sensitive data to use the current encryption key version. Requires a valid service token for authorization.

Authorizations

AuthorizationstringRequired

Service authorization token defined by SERVICE_TOKEN env variable. Example: Authorization: ServiceToken <SERVICE_TOKEN>

Responses

200

Keys rotated successfully

text/plain

ResponsestringExample: 42 Keys rotated!

401

Authentication bearer token invalid

500

Internal server error

patch

/service/rotate-keys

PATCH /service/rotate-keys HTTP/1.1
Host: serverendpoint
Authorization: YOUR_API_KEY
Accept: */*

42 Keys rotated!

Best Practices

Always keep old keys until all data is rotated.
Use strong, random keys exactly 32 characters long.
Rotate keys regularly to improve security.
Only authorized services should access the key rotation endpoint.

Last updated 4 months ago

Was this helpful?

hashtagSetting Up Encryption

hashtagRotating Encryption Keys

hashtagRotating Existing Data

hashtagRotate encryption keys

hashtagBest Practices

Setting Up Encryption

Rotating Encryption Keys

Rotating Existing Data

Rotate encryption keys

Best Practices