AES-GCM encryption (CRYPTO_REPLACE). The encryption key is read from an

Source: 20-crypto-encryption.phisql

PhiSQL

-- AES-GCM encryption (CRYPTO_REPLACE). The encryption key is read from an
-- environment variable at runtime via CONFIGURE ... FROM ENV, so the secret is
-- never stored in the policy. Compiles to 20-crypto-encryption.json.

POLICY crypto_encryption;

CONFIGURE CRYPTO KEY FROM ENV 'CRYPTO_KEY';

REDACT CREDIT_CARD WITH ENCRYPT;

Compiles to

{
  "identifiers": {
    "creditCard": {
      "creditCardFilterStrategies": [
        { "strategy": "CRYPTO_REPLACE" }
      ]
    }
  },
  "crypto": {
    "key": "env:CRYPTO_KEY"
  }
}
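
An added check, not part of the original page or of the PhiSQL project: it lints a compiled policy to confirm that a policy using `CRYPTO_REPLACE` references its key as `env:NAME` rather than embedding it, and that the variable is set before the policy is deployed. The function names and the generic `...FilterStrategies` traversal are assumptions based on the JSON shape shown above.

```python
import json
import os

# Sample input: the compiled policy shown on this page.
COMPILED = json.loads("""
{
  "identifiers": {
    "creditCard": {
      "creditCardFilterStrategies": [ { "strategy": "CRYPTO_REPLACE" } ]
    }
  },
  "crypto": { "key": "env:CRYPTO_KEY" }
}
""")

def uses_crypto_replace(policy):
    """True if any identifier lists a CRYPTO_REPLACE strategy.
    Assumes every identifier follows the '<name>FilterStrategies' shape above."""
    for settings in policy.get("identifiers", {}).values():
        for field, strategies in settings.items():
            if field.endswith("FilterStrategies"):
                if any(s.get("strategy") == "CRYPTO_REPLACE" for s in strategies):
                    return True
    return False

def audit_policy(policy, environ=os.environ):
    """Return a list of findings; an empty list means the key handling is sound."""
    if not uses_crypto_replace(policy):
        return []
    key_ref = policy.get("crypto", {}).get("key")
    if not key_ref:
        return ["CRYPTO_REPLACE is used but crypto.key is missing"]
    if not key_ref.startswith("env:"):
        # Never echo the value: it may be the secret itself.
        return ["crypto.key is not an env: reference; a literal key may be stored in the policy"]
    var = key_ref[len("env:"):]
    if not environ.get(var):
        return [f"environment variable {var} is unset or empty"]
    return []

if __name__ == "__main__":
    for finding in audit_policy(COMPILED) or ["ok"]:
        print(finding)
```

Run it in the same environment that will load the policy, so the variable check reflects what the runtime will actually see.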