Encryption & Secret Management
Authenticated encryption for sensitive fields and provider secrets, key separation from database credentials, and rotation-ready architecture.
AES-256-GCM, unique IVs, signed tags.
Sensitive Data Encryption
The product architecture describes encryption for database fields designated as PII. A Prisma data-layer extension can intercept writes and encrypt protected values before the SQL operation is completed.
This helps reduce exposure if an attacker obtains database contents without also obtaining the required decryption key.
Authenticated Secret Encryption
Provider secrets can be encrypted with AES-256-GCM, which provides confidentiality and integrity verification. Each encrypted value should use:
- —A unique initialization vector
- —An authentication tag
- —A dedicated encryption key
- —Versioned metadata to support rotation and algorithm changes
- —Restricted server-side decryption paths
Secrets Covered
- —OpenAI API keys
- —Groq API keys
- —Google Gemini credentials
- —SMTP or ZeptoMail credentials
- —Widget server-side secrets
- —Webhook signing secrets
- —SSO configuration secrets
- —Other customer-provided integration credentials
Key Separation
A dedicated SECRETS_ENCRYPTION_KEY should be isolated from database usernames, passwords, and connection strings. Database access alone should not be sufficient to decrypt stored provider credentials.
Production key material should be supplied through a protected secrets manager or environment mechanism, not committed to source control.
Secret Rotation Readiness
- —Key version identification
- —Controlled re-encryption of existing secrets
- —Rollback planning
- —Audit logging
- —Staged provider credential replacement
- —Validation that old keys are revoked
- —Restricted access to the rotation process
Encryption in Transit
Application, widget, SMTP, webhook, and provider communications should use TLS. Secure SMTP should validate provider certificates, and production deployments should avoid disabling certificate verification.
Encryption Limitations
Encryption does not replace authorization, tenant isolation, logging, backups, endpoint security, or retention controls. Data is decrypted when authorized workflows need to use it, so access paths must remain tightly controlled.
Frequently asked questions
Are LLM API keys stored in plain text?+
The mapped architecture specifies encrypted storage for provider keys rather than plain-text persistence.
Why use AES-256-GCM?+
AES-256-GCM provides encryption and an authentication tag that helps detect unauthorized modification of the encrypted value.
Is the encryption key stored in the same database?+
The recommended architecture separates the secrets encryption key from primary database credentials and database content.
Can encrypted secrets be rotated?+
The design is rotation-ready, but a documented versioning, re-encryption, revocation, and audit process is required for safe operation.
Evaluate Rumbe AI for your environment.
Vovance Inc. can discuss Rumbe AI’s architecture, available controls, deployment assumptions, and contractual options for your use case.