# Encrypting Sensitive Data

DecisionRules allows you to encrypt sensitive data in your application. Examples of sensitive data include:

* Database passwords
* Webhook keys
* API tokens
* Other credentials

By default, sensitive data is **not encrypted**. To enable encryption, you need to define the following environment variables:

* `ENCRYPTION_KEY_VERSION`
* `ENCRYPTION_KEY_[VERSION]`

### Setting Up Encryption

1. **Define your encryption key version**\
   The value of `ENCRYPTION_KEY_VERSION` can be any string (for example, `1`).
2. **Define the actual encryption key**\
   The encryption key must be exactly **32 characters long**.
3. **Example environment variables**:

```env
ENCRYPTION_KEY_VERSION=1
ENCRYPTION_KEY_1=21dsadas4examplekeystringof32char
```

{% hint style="info" %}
If sensitive data was already filled **before** setting these environment variables, all existing data will be **rotated and encrypted** once the variables are configured.
{% endhint %}

***

### Rotating Encryption Keys

To rotate data with a new encryption key:

1. **Keep the old key** for the previous version (e.g., `ENCRYPTION_KEY_1`).
2. **Set a new version and key**:

```env
ENCRYPTION_KEY_VERSION=2
ENCRYPTION_KEY_2=etertasddterexamplekeystringof32char
```

* This tells DecisionRules that all **newly created data** will use version `2`.
* Existing data with version `1` will still use the old key until rotation is performed.

#### Rotating Existing Data

To re-encrypt all existing data to the new key version:

1. Call the endpoint:
2. After the rotation, all data will use the **current encryption key version**.
3. You can then safely remove the old key environment variable (e.g., `ENCRYPTION_KEY_1`).

## Rotate encryption keys

> Re-encrypts all existing sensitive data to use the current encryption key version. Requires a valid service token for authorization.<br>

```json
{"openapi":"3.1.0","info":{"title":"DecisionRules Service API","version":"1.0.0"},"servers":[{"url":"https://serverendpoint"}],"security":[{"ServiceTokenAuth":[]}],"components":{"securitySchemes":{"ServiceTokenAuth":{"type":"apiKey","in":"header","name":"Authorization","description":"Service authorization token defined by SERVICE_TOKEN env variable. Example: `Authorization: ServiceToken <SERVICE_TOKEN>`\n"}}},"paths":{"/service/rotate-keys":{"patch":{"summary":"Rotate encryption keys","description":"Re-encrypts all existing sensitive data to use the current encryption key version. Requires a valid service token for authorization.\n","operationId":"rotateKeys","responses":{"200":{"description":"Keys rotated successfully","content":{"text/plain":{"schema":{"type":"string"}}}},"401":{"description":"Authentication bearer token invalid"},"500":{"description":"Internal server error"}}}}}}
```

***

### Best Practices

* Always **keep old keys** until all data is rotated.
* Use **strong, random keys** exactly 32 characters long.
* Rotate keys regularly to improve security.
* Only authorized services should access the key rotation endpoint.