Encrypting Sensitive Data

DecisionRules allows you to encrypt sensitive data in your application. Examples of sensitive data include:

• Database passwords

• Webhook keys

• API tokens

• Other credentials

By default, sensitive data is not encrypted. To enable encryption, you need to define the following environment variables:

• ENCRYPTION_KEY_VERSION

• ENCRYPTION_KEY_[VERSION]

Setting Up Encryption

1. Define your encryption key version The value of ENCRYPTION_KEY_VERSION can be any string (for example, 1).

2. Define the actual encryption key The encryption key must be exactly 32 characters long.

3. Example environment variables:

ENCRYPTION_KEY_VERSION=1
ENCRYPTION_KEY_1=21dsadas4examplekeystringof32char

Rotating Encryption Keys

To rotate data with a new encryption key:

1. Keep the old key for the previous version (e.g., ENCRYPTION_KEY_1).

2. Set a new version and key:

ENCRYPTION_KEY_VERSION=2
ENCRYPTION_KEY_2=etertasddterexamplekeystringof32char

• This tells DecisionRules that all newly created data will use version 2.

• Existing data with version 1 will still use the old key until rotation is performed.

Rotating Existing Data

To re-encrypt all existing data to the new key version:

1. Call the endpoint:

2. After the rotation, all data will use the current encryption key version.

3. You can then safely remove the old key environment variable (e.g., ENCRYPTION_KEY_1).

PATCH /service/rotate-keys HTTP/1.1
Host: serverendpoint
Authorization: YOUR_API_KEY
Accept: */*

42 Keys rotated!

Best Practices

• Always keep old keys until all data is rotated.

• Use strong, random keys exactly 32 characters long.

• Rotate keys regularly to improve security.

• Only authorized services should access the key rotation endpoint.