Turning on database field level encryption

Tines Credentials are stored in the database provisioned for your self-hosted Tines tenant. While we recommend ensuring that the PostgreSQL database is encrypted at rest and in transit, you can also enable encryption at the field level. This ensures that Tines Credentials are persisted with SHA256 encryption using the keys that you provide and are not stored as plain text.

Setup 

To opt your self-hosted installation in to this feature, follow the steps below:

  • Add the following environment variables to your setup. This is usually the .env file if you are on a Docker Compose setup.

ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=ABC123
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=ABC123

  • Replace ABC123 with unique keys that are 32 bytes in length.

  • Perform a rolling restart of your containers. After this, any new Tines Credential you create will be encrypted at a field level.

  • To encrypt existing records, run the following from a tines-app or tines-sidekiq container:

bundle exec rake tines:encrypt_models

And that's all you need to do.

Rotating Keys 

In case you need to rotate the primary key, you can follow the steps below:

  • Introduce the new key as a new environment variable:

ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW=ABC123

# Keep the following as is
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=ABC123
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=ABC123

  • Perform a rolling restart of your containers. After this, any new Tines Credential you create will be encrypted at a field level using the new key, and decryption will be attempted using both the existing and new keys.

  • Finally, to re-encrypt existing records, run the following from a tines-app or tines-sidekiq container:

bundle exec rake tines:encrypt_models

  • Once done, replace the value of ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY with the value of ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW and drop ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW altogether from your environment store.

And that's all you need to do to rotate the primary key.
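
A pre-restart check for the Setup and Rotating Keys steps above, as an added example that is not part of Tines' own tooling: it generates key material and validates the three variables in an env file. The function names (gen_key, env_value, check_env) are hypothetical, and it assumes "32 bytes" means a 32-character value written as an unquoted KEY=value line.

```shell
#!/bin/sh
# Added example, not Tines tooling. Function names are hypothetical.
# Assumption: "32 bytes" means the value itself is 32 characters long.

# Print one random 32-character alphanumeric value from the kernel CSPRNG.
gen_key() {
    head -c 48 /dev/urandom | base64 | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32
}

# Print the value of variable $2 in env file $1 (last assignment wins).
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Check env file $1; print each problem, return non-zero if any was found.
check_env() {
    rc=0
    pk=$(env_value "$1" ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY)
    salt=$(env_value "$1" ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT)
    new=$(env_value "$1" ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW)
    for pair in "PRIMARY_KEY:$pk" "KEY_DERIVATION_SALT:$salt"; do
        name=${pair%%:*}
        val=${pair#*:}
        if [ -z "$val" ]; then
            echo "$name is missing"; rc=1
        elif [ "$val" = ABC123 ]; then
            echo "$name is still the ABC123 placeholder"; rc=1
        elif [ "${#val}" -ne 32 ]; then
            echo "$name is ${#val} bytes long, expected 32"; rc=1
        fi
    done
    if [ -n "$pk" ] && [ "$pk" = "$salt" ]; then
        echo "primary key and salt are identical"; rc=1
    fi
    if [ -n "$new" ]; then    # only set while a rotation is in progress
        [ "${#new}" -eq 32 ] || { echo "PRIMARY_KEY_NEW is not 32 bytes"; rc=1; }
        [ "$new" != "$pk" ] || { echo "PRIMARY_KEY_NEW equals the current key"; rc=1; }
    fi
    return "$rc"
}
```

Run check_env against your .env file before each rolling restart; a non-zero exit status means at least one of the printed problems needs fixing first.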
