[{"data":1,"prerenderedAt":391},["ShallowReactive",2],{"blog-prompts/encrypt-sensitive-data":3},{"id":4,"title":5,"body":6,"category":370,"date":371,"dateModified":372,"description":373,"draft":374,"extension":375,"faq":376,"featured":374,"headerVariant":377,"image":376,"keywords":376,"meta":378,"navigation":379,"ogDescription":380,"ogTitle":376,"path":381,"readTime":376,"schemaOrg":382,"schemaType":383,"seo":384,"sitemap":385,"stem":386,"tags":387,"twitterCard":389,"__hash__":390},"blog/blog/prompts/encrypt-sensitive-data.md","Encrypt Sensitive Data with AI Prompts",{"type":7,"value":8,"toc":361},"minimark",[9,16,21,24,84,88,111,167,171,174,220,230,234,237,299,308,330,349],[10,11,12],"tldr",{},[13,14,15],"p",{},"These prompts help you implement proper encryption for sensitive data in your application. They cover encrypting data at rest in databases, securing data in transit, managing encryption keys properly, and choosing the right encryption algorithms for your use case.",[17,18,20],"h2",{"id":19},"application-level-encryption","Application-Level Encryption",[13,22,23],{},"Use this prompt to add AES-256-GCM encryption for sensitive database fields in your application. Your AI will generate encrypt/decrypt utility functions, ORM integration for automatic encryption on save and decryption on read, and a migration plan for existing unencrypted data.",[25,26,28,31,38,41,60,63,81],"prompt-box",{"title":27},"Encrypt Database Fields",[13,29,30],{},"Add encryption for sensitive database fields in my application.",[13,32,33,34],{},"Fields to encrypt: ",[35,36,37],"span",{},"list your sensitive fields, e.g., SSN, credit card, personal notes",[13,39,40],{},"Requirements:",[42,43,44,48,51,54,57],"ol",{},[45,46,47],"li",{},"Use AES-256-GCM for encryption (authenticated encryption)",[45,49,50],{},"Store encryption keys in environment variables, not in code",[45,52,53],{},"Create encrypt/decrypt utility functions",[45,55,56],{},"Handle the key properly (never log it, use secure memory)",[45,58,59],{},"Include IV (initialization vector) with each encrypted value",[13,61,62],{},"Implementation should:",[64,65,66,69,72,75,78],"ul",{},[45,67,68],{},"Encrypt before saving to database",[45,70,71],{},"Decrypt when reading from database",[45,73,74],{},"Work with my ORM (Prisma/Drizzle/Mongoose)",[45,76,77],{},"Handle migration of existing unencrypted data",[45,79,80],{},"Allow key rotation in the future",[13,82,83],{},"Also explain how to store the encrypted data (base64, hex, binary).",[17,85,87],{"id":86},"nodejs-encryption","Node.js Encryption",[13,89,90,91,95,96,99,100,99,103,106,107,110],{},"Copy this prompt to generate a complete encryption utility using Node.js's built-in ",[92,93,94],"code",{},"crypto"," module. You'll get ",[92,97,98],{},"encrypt",", ",[92,101,102],{},"decrypt",[92,104,105],{},"generateKey",", and ",[92,108,109],{},"deriveKey"," functions with AES-256-GCM, authentication tags, random IVs, and a key rotation helper -- all with TypeScript types.",[25,112,114,117,120,134,136,153,156],{"title":113},"Node.js Crypto Implementation",[13,115,116],{},"Create a secure encryption utility for Node.js using the built-in crypto module.",[13,118,119],{},"Create functions for:",[42,121,122,125,128,131],{},[45,123,124],{},"encrypt(plaintext, key) - returns encrypted string with IV",[45,126,127],{},"decrypt(ciphertext, key) - returns original plaintext",[45,129,130],{},"generateKey() - creates a secure encryption key",[45,132,133],{},"deriveKey(password, salt) - derives key from password",[13,135,40],{},[64,137,138,141,144,147,150],{},[45,139,140],{},"Use AES-256-GCM (authenticated encryption)",[45,142,143],{},"Include authentication tag to prevent tampering",[45,145,146],{},"Generate random IV for each encryption",[45,148,149],{},"Return format: base64(iv + authTag + ciphertext)",[45,151,152],{},"TypeScript types for all functions",[13,154,155],{},"Also create:",[64,157,158,161,164],{},[45,159,160],{},"Key rotation helper (re-encrypt with new key)",[45,162,163],{},"Secure comparison function for encrypted values",[45,165,166],{},"Error handling for decryption failures (don't leak info)",[17,168,170],{"id":169},"encrypt-api-payloads","Encrypt API Payloads",[13,172,173],{},"This prompt asks your AI to add an application-level encryption layer on top of HTTPS for highly sensitive API payloads. You'll get client-side encryption before sending, server-side decryption middleware, request signing to prevent tampering, and key exchange configuration.",[25,175,177,180,183,186,200,203,217],{"title":176},"Encrypt API Communication",[13,178,179],{},"Add encryption layer for sensitive API payloads beyond HTTPS.",[13,181,182],{},"Use case: Extra protection for highly sensitive data (health records, financial data)",[13,184,185],{},"Implement:",[42,187,188,191,194,197],{},[45,189,190],{},"Client-side encryption before sending to API",[45,192,193],{},"Server-side decryption on receipt",[45,195,196],{},"Key exchange mechanism (or use pre-shared keys)",[45,198,199],{},"Request signing to prevent tampering",[13,201,202],{},"Create:",[64,204,205,208,211,214],{},[45,206,207],{},"Client utility (JavaScript/TypeScript)",[45,209,210],{},"Server middleware to decrypt incoming requests",[45,212,213],{},"Response encryption for sensitive return data",[45,215,216],{},"Key management approach",[13,218,219],{},"This is for defense in depth, not replacing HTTPS.",[221,222,223],"warning-box",{},[13,224,225,229],{},[226,227,228],"strong",{},"Never roll your own crypto:"," Use well-tested libraries and standard algorithms (AES-256-GCM, ChaCha20-Poly1305). Don't invent encryption schemes, don't use ECB mode, and don't use MD5/SHA1 for security purposes.",[17,231,233],{"id":232},"key-management","Key Management",[13,235,236],{},"Use this prompt to set up encryption key management scaled to your team size. Your AI will recommend the right approach (environment variables, AWS KMS, or HashiCorp Vault), create a key rotation procedure with zero downtime, and build a backup and recovery plan with access controls.",[25,238,240,243,246,260,263,277,283,285],{"title":239},"Encryption Key Management",[13,241,242],{},"Set up proper encryption key management for my application.",[13,244,245],{},"I need:",[42,247,248,251,254,257],{},[45,249,250],{},"Secure key storage (not in code or config files)",[45,252,253],{},"Key rotation strategy without downtime",[45,255,256],{},"Different keys for different data types",[45,258,259],{},"Audit logging of key usage",[13,261,262],{},"Options to consider:",[64,264,265,268,271,274],{},[45,266,267],{},"Environment variables (basic)",[45,269,270],{},"AWS KMS / Google Cloud KMS / Azure Key Vault",[45,272,273],{},"HashiCorp Vault",[45,275,276],{},"Encrypted key file with master password",[13,278,279,280],{},"For my scale: ",[35,281,282],{},"describe - startup/small/enterprise",[13,284,202],{},[64,286,287,290,293,296],{},[45,288,289],{},"Key storage implementation",[45,291,292],{},"Key rotation procedure",[45,294,295],{},"Backup and recovery plan",[45,297,298],{},"Access control for keys",[300,301,302],"tip-box",{},[13,303,304,307],{},[226,305,306],{},"Pro tip:"," Consider using envelope encryption for large datasets. Encrypt the data with a data key, then encrypt the data key with a master key. This makes key rotation much faster since you only re-encrypt the small data key.",[309,310,311,318,324],"faq-section",{},[312,313,315],"faq-item",{"question":314},"Should I encrypt all data in my database?",[13,316,317],{},"No. Encrypt sensitive personal data (SSN, health info, financial details). Encrypting everything adds complexity and can hurt performance and searchability. Most databases offer transparent data encryption (TDE) for general protection.",[312,319,321],{"question":320},"What's the difference between encryption and hashing?",[13,322,323],{},"Encryption is reversible (you can decrypt). Hashing is one-way (you can't get the original back). Use encryption for data you need to read later. Use hashing for passwords and data you only need to verify.",[312,325,327],{"question":326},"Is HTTPS enough for data in transit?",[13,328,329],{},"For most applications, yes. Add application-level encryption only for highly sensitive data where you need defense in depth, or when data passes through systems you don't fully trust.",[331,332,333,339,344],"related-articles",{},[334,335],"related-card",{"description":336,"href":337,"title":338},"Secure your credentials","/blog/prompts/fix-exposed-api-keys","Fix Exposed API Keys",[334,340],{"description":341,"href":342,"title":343},"Secure password storage","/blog/prompts/add-password-hashing","Add Password Hashing",[334,345],{"description":346,"href":347,"title":348},"Protect data in transit","/blog/prompts/secure-database-connection","Secure Database Connection",[350,351,354,358],"cta-box",{"href":352,"label":353},"/","Start Free Scan",[17,355,357],{"id":356},"check-your-data-protection","Check Your Data Protection",[13,359,360],{},"Scan your application for unencrypted sensitive data.",{"title":362,"searchDepth":363,"depth":363,"links":364},"",2,[365,366,367,368,369],{"id":19,"depth":363,"text":20},{"id":86,"depth":363,"text":87},{"id":169,"depth":363,"text":170},{"id":232,"depth":363,"text":233},{"id":356,"depth":363,"text":357},"prompts","2026-02-16","2026-03-06","AI prompts to implement data encryption in your application. Encrypt data at rest, in transit, and handle encryption keys securely.",false,"md",null,"cyan",{},true,"AI prompts to implement data encryption in your application.","/blog/prompts/encrypt-sensitive-data","[object Object]","BlogPosting",{"title":5,"description":373},{"loc":381},"blog/prompts/encrypt-sensitive-data",[388],"Encryption","summary_large_image","nesmJjEkvymaPIAIabBjNQroG3BzMlFykoC081J4mn0",1775843938801]