Data Encryption
AES-256-GCM encryption for sensitive data at rest, field-level encryption with Prisma, password hashing, and envelope encryption patterns.
What's Included
- AES-256-GCM symmetric encryption and decryption with salt and IV
- Password hashing with bcrypt (configurable salt rounds)
- Field-level encryption helpers for sensitive database columns (SSN, bank accounts)
- Prisma middleware for automatic encrypt-on-write and decrypt-on-read
- Envelope encryption (per-record data keys encrypted by a master key)
- Client-side encryption using the Web Crypto API (PBKDF2 + AES-GCM)
Usage
Via CLI
Via AI Assistant
Ask your AI assistant:
- "Use the data encryption pattern from Bootspring"
- "Apply the Bootspring encryption pattern to my project"
Key Considerations
- Never roll your own cryptography; use established libraries and algorithms
- Always use authenticated encryption (GCM mode), which provides both confidentiality and integrity
- Use unique IVs/nonces for every encryption operation
- Hash passwords with bcrypt rather than encrypting them; password storage should be one-way
- Separate encryption keys by data type and rotate them regularly
- Store encryption keys in secure vaults, not in application code
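The envelope encryption pattern and the considerations above can be sketched with Node's built-in `crypto` module. This is an added example, not Bootspring's own code: the names `seal`, `open`, `encryptField` and `decryptField`, the `iv || tag || ciphertext` layout, and the use of the record ID as additional authenticated data are assumptions of this sketch.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM seal: returns iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh random nonce for every operation
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Inverse of seal; final() throws if the key, AAD, tag or ciphertext do not match.
function open(key, blob, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Envelope encryption: a per-record data key encrypts the field value,
// and the master key encrypts (wraps) only that data key.
function encryptField(masterKey, recordId, value) {
  const aad = Buffer.from(recordId); // binds both blobs to this record (assumption)
  const dataKey = crypto.randomBytes(32);
  const out = {
    wrappedKey: seal(masterKey, dataKey, aad).toString('base64'),
    ciphertext: seal(dataKey, Buffer.from(value, 'utf8'), aad).toString('base64'),
  };
  dataKey.fill(0); // drop the plaintext data key once the record is sealed
  return out;
}

function decryptField(masterKey, recordId, stored) {
  const aad = Buffer.from(recordId);
  const dataKey = open(masterKey, Buffer.from(stored.wrappedKey, 'base64'), aad);
  try {
    return open(dataKey, Buffer.from(stored.ciphertext, 'base64'), aad).toString('utf8');
  } finally {
    dataKey.fill(0);
  }
}

// Constructed demo values; a real master key is fetched from a vault, not generated here.
const masterKey = crypto.randomBytes(32);
const stored = encryptField(masterKey, 'user:42', '123-45-6789');
console.log(decryptField(masterKey, 'user:42', stored));
```

Because only the wrapped data key depends on the master key, rotating the master key means re-wrapping each record's `wrappedKey` without re-encrypting the field ciphertext.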
Related Patterns
- Secrets Management - Manage encryption keys
- Audit Logging - Track data access
- Input Validation - Validate before encrypting
- Session Management - Secure sessions