Tines Credentials are stored in the database provisioned for your self-hosted Tines tenant. While we recommend ensuring that the PostgreSQL database has encryption at rest and in transit, you can also enable encryption at the field level. This ensures that Tines Credentials are persisted with SHA256 encryption using the keys that you provide and are not stored as plain text.
Setup
To opt in your self-hosted installation to this feature, follow the steps below:
Add the following environment variables to your setup. This is usually the .env file if you are on a Docker Compose setup.
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=ABC123
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=ABC123
Replace ABC123 with unique keys that are 32 bytes in length.
Perform a rolling restart of your containers. After this, any new Tines Credential you create will be encrypted at a field level.
To encrypt existing records, run the following from a tines-app or tines-sidekiq container:
bundle exec rake tines:encrypt_models
And that's all you need to do.
Rotating Keys
If you need to rotate the primary key, follow the steps below:
Introduce the new key as a new environment variable:
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW=ABC123
# Keep the following as is
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=ABC123
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=ABC123
Perform a rolling restart of your containers. After this, any new Tines Credential you create will be encrypted at a field level using the new key, and decryption will be attempted using both the existing and new keys.
Finally, to re-encrypt existing records, run the following from a tines-app or tines-sidekiq container:
bundle exec rake tines:encrypt_models
Once done, you can replace the contents of ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY with the value of ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW and drop ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW altogether from your environment store.
And that's all you need to do to rotate the primary key.
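A pre-flight check for the variables used in the Setup and Rotating Keys steps above, written as an added example (it is not part of the Tines documentation or product). It assumes unquoted KEY=value lines in the env file, that "32 bytes" refers to the length of the value string, and that "unique" means the key and salt differ; gen_key, env_value, valid_key and check_env are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not Tines code. Assumptions: values are unquoted KEY=value
# lines, and "32 bytes" means the value string itself is 32 bytes long.

# Print a fresh 32-character alphanumeric value drawn from /dev/urandom.
gen_key() {
    head -c 64 /dev/urandom | base64 | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c 1-32
}

# Print the value of variable $2 in env file $1 (last assignment wins).
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Succeed only if $1 is not the page's ABC123 placeholder and is 32 bytes.
valid_key() {
    [ "$1" != "ABC123" ] && [ "$(printf %s "$1" | wc -c)" -eq 32 ]
}

# check_env FILE: validate the setup variables and, when present, the
# rotation variable. Problems go to stderr; returns non-zero if any exist.
check_env() {
    primary=$(env_value "$1" ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY)
    salt=$(env_value "$1" ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT)
    new=$(env_value "$1" ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW)
    rc=0
    valid_key "$primary" || { echo "PRIMARY_KEY: placeholder or not 32 bytes" >&2; rc=1; }
    valid_key "$salt" || { echo "KEY_DERIVATION_SALT: placeholder or not 32 bytes" >&2; rc=1; }
    [ "$primary" != "$salt" ] || { echo "PRIMARY_KEY and salt are identical" >&2; rc=1; }
    if [ -n "$new" ]; then
        valid_key "$new" || { echo "PRIMARY_KEY_NEW: placeholder or not 32 bytes" >&2; rc=1; }
        [ "$new" != "$primary" ] || { echo "PRIMARY_KEY_NEW repeats the current key" >&2; rc=1; }
    fi
    return "$rc"
}
```

Run check_env against your .env before the rolling restart; a non-zero return means a value is still the placeholder, has the wrong length, or duplicates another. The messages name the variable only and never print key material.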