Data Encryption Guide
Implement data encryption correctly for data at rest and in transit. Covers algorithm selection, key management, storage encryption, and the common mistakes that silently break encryption security.
Usage
Describe what data you need to encrypt, where it's stored, and your platform. The guide provides specific implementation guidance with algorithm choices, key management strategies, and code patterns.
Parameters
- Data type: Database fields, Files/documents, Backups, or Communications
- State: At rest, In transit, or Both
- Platform: Node.js, Python, Java, Go, or Cloud-managed (AWS KMS, Azure Key Vault)
- Compliance: HIPAA, PCI DSS, SOC 2, or General best practice
Examples
- Database Field Encryption: Encrypt PII fields in PostgreSQL — application-level AES-256-GCM encryption vs. column-level pgcrypto, with key rotation procedures and search implications.
- File Encryption at Rest: Implement envelope encryption for uploaded documents — file encrypted with data key, data key encrypted with master key, stored alongside encrypted file metadata.
- End-to-End Encryption: Design E2EE messaging — key exchange (X25519), message encryption (AES-256-GCM), key ratcheting, and device key management without server access to plaintext.
- Cloud KMS Integration: Set up AWS KMS for application encryption — CMK creation, key policies, envelope encryption pattern, and automatic key rotation configuration.
Guidelines
- Algorithm recommendations: AES-256-GCM for symmetric, RSA-OAEP or X25519 for asymmetric
- IV/nonce generation uses cryptographically secure random sources; a nonce is never repeated with the same key
- Key management is the hardest part — stored separately from encrypted data, rotated on schedule
- Envelope encryption pattern protects data keys with master keys for scalable key management
- Authentication is required alongside encryption (GCM mode, or encrypt-then-MAC)
- Key derivation from passwords uses Argon2id or PBKDF2 with high iteration counts
- Encrypted data is stored as base64 with a version prefix for future algorithm migration
- Key rotation procedures re-encrypt data without downtime using versioned keys
- Common mistakes are highlighted: ECB mode, static IVs, keys in source code, MD5 for hashing
- Performance implications are measured: encryption overhead, searchability impact, backup sizes
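Envelope encryption with AES-256-GCM, a version prefix on every stored record, and key rotation that only re-wraps the data key, as an added Python example (not code from this guide). The MASTER_KEYS table, the key IDs, and the record format are assumptions for illustration; it uses the AESGCM class from the cryptography package.

```python
import base64
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed master keys for this example only (hypothetical IDs and values); in production
# they live in a KMS or HSM, never beside the data. Each record names the key that wrapped it.
MASTER_KEYS = {
    "mk-v1": bytes.fromhex("00" * 32),
    "mk-v2": bytes.fromhex("11" * 32),
}
FORMAT_VERSION = "v1"  # version prefix in every record allows a later algorithm migration

def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM with a fresh 96-bit CSPRNG nonce prefixed; a nonce must never repeat under one key."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)

def _open(key: bytes, sealed: bytes, aad: bytes) -> bytes:
    # Raises cryptography.exceptions.InvalidTag if ciphertext, tag or AAD were tampered with.
    return AESGCM(key).decrypt(sealed[:12], sealed[12:], aad)

def _pack(mk_id: str, wrapped_dk: bytes, ciphertext: bytes) -> str:
    fields = [base64.b64encode(b).decode() for b in (wrapped_dk, ciphertext)]
    return ":".join([FORMAT_VERSION, mk_id, *fields])

def _unpack(record: str):
    version, mk_id, wrapped_dk, ciphertext = record.split(":")
    if version != FORMAT_VERSION or mk_id not in MASTER_KEYS:
        raise ValueError("unsupported record version or unknown master key")
    return mk_id, base64.b64decode(wrapped_dk), base64.b64decode(ciphertext)

def encrypt(mk_id: str, plaintext: bytes) -> str:
    """Envelope pattern: a random data key encrypts the data; the master key wraps only that key."""
    data_key = AESGCM.generate_key(bit_length=256)
    wrapped = _seal(MASTER_KEYS[mk_id], data_key, mk_id.encode())  # AAD binds the key ID
    return _pack(mk_id, wrapped, _seal(data_key, plaintext, FORMAT_VERSION.encode()))

def decrypt(record: str) -> bytes:
    mk_id, wrapped, ciphertext = _unpack(record)
    data_key = _open(MASTER_KEYS[mk_id], wrapped, mk_id.encode())
    return _open(data_key, ciphertext, FORMAT_VERSION.encode())

def rotate(record: str, new_mk_id: str) -> str:
    """Rotation re-wraps only the 32-byte data key; the bulk ciphertext is copied unchanged."""
    mk_id, wrapped, ciphertext = _unpack(record)
    data_key = _open(MASTER_KEYS[mk_id], wrapped, mk_id.encode())
    return _pack(new_mk_id, _seal(MASTER_KEYS[new_mk_id], data_key, new_mk_id.encode()), ciphertext)
```

Because the master key ID is bound into the wrapping as AAD, a record whose key ID field is altered fails authentication instead of being silently decrypted under the wrong key.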