TL;DR
Field-level encryption protects sensitive data even if your database is compromised. These prompts help you encrypt PII, payment info, and secrets using AES-256 with proper key management. Encryption at rest complements but doesn't replace this.
Application-Level Encryption
Create a field encryption utility for my application.
Language: TypeScript/JavaScript/Python
Requirements:
- AES-256-GCM encryption (authenticated)
- Unique IV for each encryption
- Key from environment variable
- Deterministic option for searchable fields
- TypeScript types for encrypted fields
Fields to encrypt:
- SSN (searchable - need deterministic)
- Address (not searchable)
- Phone number (searchable)
- Notes (not searchable)
Create:
- encrypt(plaintext, options) function
- decrypt(ciphertext) function
- Prisma/ORM middleware for automatic encryption
- Migration helper for encrypting existing data
Store as: base64 string or binary depending on database.
Key Management
Set up proper encryption key management.
Current issues:
- Key hardcoded in code
- Same key for all environments
- No key rotation plan
Implement:
- Generate secure 256-bit key
- Store in secrets manager
- Different keys per environment
- Key rotation capability
Options based on infrastructure:
- AWS KMS for key management
- HashiCorp Vault
- Environment variables (minimum)
- Doppler/Infisical for secrets
For key rotation:
- Support multiple keys (with key ID)
- Re-encrypt data on read with new key
- Background job to re-encrypt all data
- Audit which key encrypted what
Show implementation for my platform: AWS/Vercel/Railway
ORM Integration
Create Prisma middleware for automatic field encryption.
Encrypted fields:
- User.ssn
- User.address
- PaymentMethod.lastFour (actually store encrypted full number)
- Document.content
The middleware should:
- Automatically encrypt on create/update
- Automatically decrypt on read
- Handle null values
- Work with findMany, findUnique, create, update
- Not break TypeScript types
Also create:
- Schema annotations or config for encrypted fields
- Validation that encrypted fields aren't accidentally exposed
- Logging that doesn't reveal decrypted values
- Test helpers for working with encrypted data
Handle edge cases:
- Batch operations (createMany)
- Raw queries (warn or error)
- Nested creates/updates
Encryption isn't access control: If your app can decrypt the data, so can an attacker who compromises your app. Encryption protects against database breaches and backups, not application-level attacks.
Searchable Encryption
Implement searchable encryption for sensitive fields.
Need to search by:
- Email (exact match)
- Phone number (exact match)
- SSN (exact match)
- Name (can't easily search encrypted)
Approaches:
- Blind index - hash of value for searching
- Deterministic encryption - same input = same output
- Encrypted search index
Implement blind index approach:
- Store encrypted value + blind index hash
- Search by computing hash of search term
- Use HMAC with separate key for blind index
- Handle case sensitivity
Trade-offs to explain:
- Blind index reveals if two values are the same
- Deterministic encryption has similar trade-off
- Neither supports partial/fuzzy search
Show migration for adding blind indexes to existing encrypted data.
Pro tip: Consider using a service like CipherStash or Evervault for complex encryption requirements. Building secure encryption is hard, and mistakes can be catastrophic.
Isn't database-level encryption at rest enough?
Encryption at rest protects against physical theft of disks. Field-level encryption protects the data itself. Anyone with database access (including compromised backups or SQL injection) sees encrypted values with field-level encryption.
Should I encrypt everything?
No. Encrypt PII, financial data, health info, and secrets. Encrypting everything adds complexity and breaks searching/indexing. Focus on data that would cause harm if leaked.
Find Unencrypted Sensitive Data
Scan your database schema for fields that should be encrypted.
Start Free Scan