Why Encryption Matters
Storing tokens in plaintext is a major security risk. Swiftgum encrypts all sensitive fields with an encryption key, preventing unauthorized use or exposure.
1. Encryption at Rest
Implementation Details
Master Encryption Key
- Configured via ENCRYPTION_KEY (or a secrets manager if self-hosted).
- Used to encrypt/decrypt fields such as encrypted_tokenset and encrypted_credentials.
- We default to strong ciphers (AES-256-GCM or AES-256-CBC) to ensure secure encryption.
- A unique Initialization Vector (IV) is generated for each record.
- Depending on your deployment, encrypted fields may live in Postgres or a dedicated vault.
- No plaintext secrets are written to logs or public console output.
Strong Cipher
AES-256-GCM / AES-256-CBC ensures robust encryption.
Unique IV
Each record gets its own initialization vector.
2. Transport Security (TLS)
All Swiftgum endpoints must be accessed via HTTPS. This ensures that data in transit (including tokens) isn’t exposed to eavesdroppers or man-in-the-middle attacks.
- Custom SSL: For self-hosted setups, add an SSL certificate to your server or load balancer.
- Cloud: Swiftgum Cloud enforces TLS by default.
3. Managing Keys & Rotation
Key Generation
- Use a strong, randomly generated string for your ENCRYPTION_KEY.
- Avoid guessable passphrases or storing the key in source control.
- Periodically rotate your encryption key.
- Swiftgum provides a tool/CLI to re-encrypt existing records with a new key.
- Warning: Ensure you have backups and a tested rotation process to avoid data loss.
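The per-record IV from section 1 and the re-encryption step described above, sketched with Node's built-in crypto module and AES-256-GCM. This is an added example, not Swiftgum's code or CLI: the blob layout (key id, IV, tag, ciphertext), the use of the record id as associated data, and the names encryptField, decryptField and rotateField are assumptions.

```javascript
// Added illustration, not Swiftgum's code. Record layout and all names are assumptions.
const nodeCrypto = require("node:crypto");

const IV_LEN = 12;  // 96-bit IV, the recommended size for GCM
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypt one field. Assumed blob layout: keyId (1 byte) | iv | tag | ciphertext, base64.
function encryptField(keyring, keyId, plaintext, recordId) {
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh random IV for every record
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", keyring[keyId], iv);
  cipher.setAAD(Buffer.from(recordId)); // bind the ciphertext to its row
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const blob = Buffer.concat([Buffer.from([keyId]), iv, cipher.getAuthTag(), ct]);
  return blob.toString("base64");
}

// Decrypt one field; throws if the key, the record id, or any byte of the blob is wrong.
function decryptField(keyring, blob, recordId) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < 1 + IV_LEN + TAG_LEN) throw new Error("blob too short");
  const key = keyring[raw[0]];
  if (!key) throw new Error(`unknown key id ${raw[0]}`);
  const iv = raw.subarray(1, 1 + IV_LEN);
  const tag = raw.subarray(1 + IV_LEN, 1 + IV_LEN + TAG_LEN);
  const ct = raw.subarray(1 + IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(recordId));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Rotation: decrypt under whichever key the blob names, re-encrypt under newKeyId.
function rotateField(keyring, blob, recordId, newKeyId) {
  const plaintext = decryptField(keyring, blob, recordId);
  return encryptField(keyring, newKeyId, plaintext, recordId);
}

// Constructed sample data: two random 256-bit keys and one fake token row.
const keyring = { 1: nodeCrypto.randomBytes(32), 2: nodeCrypto.randomBytes(32) };
const row = { id: "rec_001", encrypted_tokenset: null };
row.encrypted_tokenset = encryptField(keyring, 1, '{"access_token":"example"}', row.id);
const rotated = rotateField(keyring, row.encrypted_tokenset, row.id, 2);
console.log(decryptField({ 2: keyring[2] }, rotated, row.id)); // old key no longer needed
```

Because the key id travels with each blob, old and new keys can coexist while a rotation is in progress, and a failed tag check surfaces as an exception instead of silently corrupted data.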
4. Access Controls
- Admin-Only: Only administrators can configure or rotate encryption keys.
- Zero-Knowledge: The raw key is never displayed in the admin UI or logs.
5. Audit & Compliance
- Encryption Logs: When specific fields are decrypted or re-encrypted, an event is recorded.
- Compliance: Strong encryption supports compliance with GDPR, HIPAA, and SOC 2 data security requirements.