Critical

Encrypt Database Fields with AI Prompts

February 2026

TL;DR

Field-level encryption protects sensitive data even if your database is compromised. These prompts help you encrypt PII, payment info, and secrets using AES-256 with proper key management. Encryption at rest complements but doesn't replace this.

Application-Level Encryption

Copy this prompt to generate a field encryption utility with AES-256-GCM. Your AI will create encrypt and decrypt functions, ORM middleware for automatic encryption/decryption, a deterministic mode for searchable fields, and a migration helper for encrypting existing data.

AI Prompt

Field Encryption Helper

Create a field encryption utility for my application.

Language: TypeScript/JavaScript/Python

Requirements:

  1. AES-256-GCM encryption (authenticated)
  2. Unique IV for each encryption
  3. Key from environment variable
  4. Deterministic option for searchable fields
  5. TypeScript types for encrypted fields

Fields to encrypt:

  • SSN (searchable - need deterministic)
  • Address (not searchable)
  • Phone number (searchable)
  • Notes (not searchable)

Create:

  1. encrypt(plaintext, options) function
  2. decrypt(ciphertext) function
  3. Prisma/ORM middleware for automatic encryption
  4. Migration helper for encrypting existing data

Store as: base64 string or binary depending on database.

Key Management

Use this prompt to set up proper encryption key management with rotation support. Your AI will generate secure 256-bit keys, configure per-environment key storage via a secrets manager, and build a key rotation system that re-encrypts data with versioned key IDs.

AI Prompt

Encryption Key Setup

Set up proper encryption key management.

Current issues:

  • Key hardcoded in code
  • Same key for all environments
  • No key rotation plan

Implement:

  1. Generate secure 256-bit key
  2. Store in secrets manager
  3. Different keys per environment
  4. Key rotation capability

Options based on infrastructure:

  • AWS KMS for key management
  • HashiCorp Vault
  • Environment variables (minimum)
  • Doppler/Infisical for secrets

For key rotation:

  1. Support multiple keys (with key ID)
  2. Re-encrypt data on read with new key
  3. Background job to re-encrypt all data
  4. Audit which key encrypted what

Show implementation for my platform: AWS/Vercel/Railway

ORM Integration

This prompt asks your AI to create Prisma middleware that automatically encrypts and decrypts specified fields. You'll get transparent encryption on create/update, decryption on read, TypeScript type safety, and handling for edge cases like batch operations and nested creates.

AI Prompt

Prisma Encryption Middleware

Create Prisma middleware for automatic field encryption.

Encrypted fields:

  • User.ssn
  • User.address
  • PaymentMethod.lastFour (actually store encrypted full number)
  • Document.content

The middleware should:

  1. Automatically encrypt on create/update
  2. Automatically decrypt on read
  3. Handle null values
  4. Work with findMany, findUnique, create, update
  5. Not break TypeScript types

Also create:

  1. Schema annotations or config for encrypted fields
  2. Validation that encrypted fields aren't accidentally exposed
  3. Logging that doesn't reveal decrypted values
  4. Test helpers for working with encrypted data

Handle edge cases:

  • Batch operations (createMany)
  • Raw queries (warn or error)
  • Nested creates/updates

Encryption isn't access control: If your app can decrypt the data, so can an attacker who compromises your app. Encryption protects against database breaches and backups, not application-level attacks.

Searchable Encryption

Paste this prompt to implement searchable encryption using blind indexes. Your AI will generate code that stores an HMAC-based search index alongside each encrypted field, enabling exact-match lookups on email, phone, and SSN without decrypting the data.

AI Prompt

Searchable Encrypted Fields

Implement searchable encryption for sensitive fields.

Need to search by:

  • Email (exact match)
  • Phone number (exact match)
  • SSN (exact match)
  • Name (can't easily search encrypted)

Approaches:

  1. Blind index - hash of value for searching
  2. Deterministic encryption - same input = same output
  3. Encrypted search index

Implement blind index approach:

  1. Store encrypted value + blind index hash
  2. Search by computing hash of search term
  3. Use HMAC with separate key for blind index
  4. Handle case sensitivity

Trade-offs to explain:

  • Blind index reveals if two values are the same
  • Deterministic encryption has similar trade-off
  • Neither supports partial/fuzzy search

Show migration for adding blind indexes to existing encrypted data.

Pro tip: Consider using a service like CipherStash or Evervault for complex encryption requirements. Building secure encryption is hard, and mistakes can be catastrophic.

Isn't database-level encryption at rest enough?

Encryption at rest protects against physical theft of disks. Field-level encryption protects the data itself. Anyone with database access (including compromised backups or SQL injection) sees encrypted values with field-level encryption.

Should I encrypt everything?

No. Encrypt PII, financial data, health info, and secrets. Encrypting everything adds complexity and breaks searching/indexing. Focus on data that would cause harm if leaked.

Further Reading

Want to understand the vulnerability before fixing it? These guides explain what's happening and why.

Related Articles

Encrypt Sensitive Data

General encryption patterns

Secure DB Connection

Protect data in transit

Find Unencrypted Sensitive Data

Scan your database schema for fields that should be encrypted.

AI Fix Prompts

Encrypt Database Fields with AI Prompts