[{"data":1,"prerenderedAt":470},["ShallowReactive",2],{"blog-prompts/encrypt-database-fields":3},{"id":4,"title":5,"body":6,"category":449,"date":450,"dateModified":451,"description":452,"draft":453,"extension":454,"faq":455,"featured":453,"headerVariant":456,"image":455,"keywords":455,"meta":457,"navigation":458,"ogDescription":459,"ogTitle":455,"path":460,"readTime":455,"schemaOrg":461,"schemaType":462,"seo":463,"sitemap":464,"stem":465,"tags":466,"twitterCard":468,"__hash__":469},"blog/blog/prompts/encrypt-database-fields.md","Encrypt Database Fields with AI Prompts",{"type":7,"value":8,"toc":439},"minimark",[9,16,21,33,107,111,114,191,195,198,272,282,286,289,360,369,385,389,392,413,427],[10,11,12],"tldr",{},[13,14,15],"p",{},"Field-level encryption protects sensitive data even if your database is compromised. These prompts help you encrypt PII, payment info, and secrets using AES-256 with proper key management. Encryption at rest complements but doesn't replace this.",[17,18,20],"h2",{"id":19},"application-level-encryption","Application-Level Encryption",[13,22,23,24,28,29,32],{},"Copy this prompt to generate a field encryption utility with AES-256-GCM. 
Your AI will create ",[25,26,27],"code",{},"encrypt"," and ",[25,30,31],{},"decrypt"," functions, ORM middleware for automatic encryption/decryption, a deterministic mode for searchable fields, and a migration helper for encrypting existing data.",[34,35,37,40,47,50,69,72,87,90,104],"prompt-box",{"title":36},"Field Encryption Helper",[13,38,39],{},"Create a field encryption utility for my application.",[13,41,42,43],{},"Language: ",[44,45,46],"span",{},"TypeScript/JavaScript/Python",[13,48,49],{},"Requirements:",[51,52,53,57,60,63,66],"ol",{},[54,55,56],"li",{},"AES-256-GCM encryption (authenticated)",[54,58,59],{},"Unique IV for each encryption",[54,61,62],{},"Key from environment variable",[54,64,65],{},"Deterministic option for searchable fields (a separate mode such as AES-SIV or an HMAC blind index, never a fixed or reused GCM IV)",[54,67,68],{},"TypeScript types for encrypted fields",[13,70,71],{},"Fields to encrypt:",[73,74,75,78,81,84],"ul",{},[54,76,77],{},"SSN (searchable - need deterministic)",[54,79,80],{},"Address (not searchable)",[54,82,83],{},"Phone number (searchable)",[54,85,86],{},"Notes (not searchable)",[13,88,89],{},"Create:",[51,91,92,95,98,101],{},[54,93,94],{},"encrypt(plaintext, options) function",[54,96,97],{},"decrypt(ciphertext) function",[54,99,100],{},"Prisma/ORM middleware for automatic encryption",[54,102,103],{},"Migration helper for encrypting existing data",[13,105,106],{},"Store as: base64 string or binary depending on database.",[17,108,110],{"id":109},"key-management","Key Management",[13,112,113],{},"Use this prompt to set up proper encryption key management with rotation support. 
Your AI will generate secure 256-bit keys, configure per-environment key storage via a secrets manager, and build a key rotation system that re-encrypts data with versioned key IDs.",[34,115,117,120,123,134,137,151,154,168,171,185],{"title":116},"Encryption Key Setup",[13,118,119],{},"Set up proper encryption key management.",[13,121,122],{},"Current issues:",[73,124,125,128,131],{},[54,126,127],{},"Key hardcoded in code",[54,129,130],{},"Same key for all environments",[54,132,133],{},"No key rotation plan",[13,135,136],{},"Implement:",[51,138,139,142,145,148],{},[54,140,141],{},"Generate secure 256-bit key",[54,143,144],{},"Store in secrets manager",[54,146,147],{},"Different keys per environment",[54,149,150],{},"Key rotation capability",[13,152,153],{},"Options based on infrastructure:",[73,155,156,159,162,165],{},[54,157,158],{},"AWS KMS for key management",[54,160,161],{},"HashiCorp Vault",[54,163,164],{},"Environment variables (minimum)",[54,166,167],{},"Doppler/Infisical for secrets",[13,169,170],{},"For key rotation:",[51,172,173,176,179,182],{},[54,174,175],{},"Support multiple keys (with key ID)",[54,177,178],{},"Re-encrypt data on read with new key",[54,180,181],{},"Background job to re-encrypt all data",[54,183,184],{},"Audit which key encrypted what",[13,186,187,188],{},"Show implementation for my platform: ",[44,189,190],{},"AWS/Vercel/Railway",[17,192,194],{"id":193},"orm-integration","ORM Integration",[13,196,197],{},"This prompt asks your AI to create Prisma middleware that automatically encrypts and decrypts specified fields. 
You'll get transparent encryption on create/update, decryption on read, TypeScript type safety, and handling for edge cases like batch operations and nested creates.",[34,199,201,204,207,221,224,241,244,258,261],{"title":200},"Prisma Encryption Middleware",[13,202,203],{},"Create Prisma middleware for automatic field encryption.",[13,205,206],{},"Encrypted fields:",[73,208,209,212,215,218],{},[54,210,211],{},"User.ssn",[54,213,214],{},"User.address",[54,216,217],{},"PaymentMethod.lastFour (actually store encrypted full number)",[54,219,220],{},"Document.content",[13,222,223],{},"The middleware should:",[51,225,226,229,232,235,238],{},[54,227,228],{},"Automatically encrypt on create/update",[54,230,231],{},"Automatically decrypt on read",[54,233,234],{},"Handle null values",[54,236,237],{},"Work with findMany, findUnique, create, update",[54,239,240],{},"Not break TypeScript types",[13,242,243],{},"Also create:",[51,245,246,249,252,255],{},[54,247,248],{},"Schema annotations or config for encrypted fields",[54,250,251],{},"Validation that encrypted fields aren't accidentally exposed",[54,253,254],{},"Logging that doesn't reveal decrypted values",[54,256,257],{},"Test helpers for working with encrypted data",[13,259,260],{},"Handle edge cases:",[73,262,263,266,269],{},[54,264,265],{},"Batch operations (createMany)",[54,267,268],{},"Raw queries (warn or error)",[54,270,271],{},"Nested creates/updates",[273,274,275],"warning-box",{},[13,276,277,281],{},[278,279,280],"strong",{},"Encryption isn't access control:"," If your app can decrypt the data, so can an attacker who compromises your app. Encryption protects against database breaches and leaked backups, not application-level attacks.",[17,283,285],{"id":284},"searchable-encryption","Searchable Encryption",[13,287,288],{},"Paste this prompt to implement searchable encryption using blind indexes. 
Your AI will generate code that stores an HMAC-based search index alongside each encrypted field, enabling exact-match lookups on email, phone, and SSN without decrypting the data.",[34,290,292,295,298,312,315,326,329,343,346,357],{"title":291},"Searchable Encrypted Fields",[13,293,294],{},"Implement searchable encryption for sensitive fields.",[13,296,297],{},"Need to search by:",[73,299,300,303,306,309],{},[54,301,302],{},"Email (exact match)",[54,304,305],{},"Phone number (exact match)",[54,307,308],{},"SSN (exact match)",[54,310,311],{},"Name (can't easily search encrypted)",[13,313,314],{},"Approaches:",[51,316,317,320,323],{},[54,318,319],{},"Blind index - hash of value for searching",[54,321,322],{},"Deterministic encryption - same input = same output",[54,324,325],{},"Encrypted search index",[13,327,328],{},"Implement blind index approach:",[51,330,331,334,337,340],{},[54,332,333],{},"Store encrypted value + blind index hash",[54,335,336],{},"Search by computing hash of search term",[54,338,339],{},"Use HMAC with separate key for blind index",[54,341,342],{},"Handle case sensitivity",[13,344,345],{},"Trade-offs to explain:",[73,347,348,351,354],{},[54,349,350],{},"Blind index reveals if two values are the same",[54,352,353],{},"Deterministic encryption has similar trade-off",[54,355,356],{},"Neither supports partial/fuzzy search",[13,358,359],{},"Show migration for adding blind indexes to existing encrypted data.",[361,362,363],"tip-box",{},[13,364,365,368],{},[278,366,367],{},"Pro tip:"," Consider using a service like CipherStash or Evervault for complex encryption requirements. Building secure encryption is hard, and mistakes can be catastrophic.",[370,371,372,379],"faq-section",{},[373,374,376],"faq-item",{"question":375},"Isn't database-level encryption at rest enough?",[13,377,378],{},"Encryption at rest protects against physical theft of disks. Field-level encryption protects the data itself. 
With field-level encryption, anyone who has only database access (including through compromised backups or SQL injection) sees encrypted values, not the plaintext.",[373,380,382],{"question":381},"Should I encrypt everything?",[13,383,384],{},"No. Encrypt PII, financial data, health info, and secrets. Encrypting everything adds complexity and breaks searching/indexing. Focus on data that would cause harm if leaked.",[17,386,388],{"id":387},"further-reading","Further Reading",[13,390,391],{},"Want to understand the vulnerability before fixing it? These guides explain what's happening and why.",[73,393,394,401,407],{},[54,395,396],{},[397,398,400],"a",{"href":399},"/blog/vulnerabilities/exposed-api-keys","Understanding exposed API keys",[54,402,403],{},[397,404,406],{"href":405},"/blog/how-to/hide-api-keys","How to hide API keys step-by-step",[54,408,409],{},[397,410,412],{"href":411},"/blog/best-practices/secrets","Secret management best practices",[414,415,416,422],"related-articles",{},[417,418],"related-card",{"description":419,"href":420,"title":421},"General encryption patterns","/blog/prompts/encrypt-sensitive-data","Encrypt Sensitive Data",[417,423],{"description":424,"href":425,"title":426},"Protect data in transit","/blog/prompts/secure-database-connection","Secure DB Connection",[428,429,432,436],"cta-box",{"href":430,"label":431},"/","Start Free Scan",[17,433,435],{"id":434},"find-unencrypted-sensitive-data","Find Unencrypted Sensitive Data",[13,437,438],{},"Scan your database schema for fields that should be encrypted.",{"title":440,"searchDepth":441,"depth":441,"links":442},"",2,[443,444,445,446,447,448],{"id":19,"depth":441,"text":20},{"id":109,"depth":441,"text":110},{"id":193,"depth":441,"text":194},{"id":284,"depth":441,"text":285},{"id":387,"depth":441,"text":388},{"id":434,"depth":441,"text":435},"prompts","2026-02-18","2026-03-06","AI prompts to encrypt sensitive database fields. 
Implement field-level encryption for PII, payment data, and secrets with proper key management.",false,"md",null,"cyan",{},true,"AI prompts to implement field-level database encryption for sensitive data.","/blog/prompts/encrypt-database-fields","[object Object]","BlogPosting",{"title":5,"description":452},{"loc":460},"blog/prompts/encrypt-database-fields",[467],"Critical","summary_large_image","R2y_FFs-eZJXs7fED5Vqtile9PJ3h0hMevseUN7h3U0",1775843938532]