rspace-online

History

Jeff Emmett 9695e9577a feat(encryptid): encrypt all PII at rest in database AES-256-GCM encryption for 18 PII fields across 6 tables (users, guardians, identity_invites, space_invites, notifications, fund_claims). HMAC-SHA256 hash indexes for email/UP address lookups. Keys derived from JWT_SECRET via HKDF with dedicated salts. Dual-write to both plaintext and _enc columns during transition; row mappers decrypt with plaintext fallback. Includes idempotent backfill migration script. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-23 16:50:21 -07:00
..
encrypt-pii.ts	feat(encryptid): encrypt all PII at rest in database	2026-03-23 16:50:21 -07:00

Jeff Emmett 9695e9577a feat(encryptid): encrypt all PII at rest in database

AES-256-GCM encryption for 18 PII fields across 6 tables (users,
guardians, identity_invites, space_invites, notifications, fund_claims).
HMAC-SHA256 hash indexes for email/UP address lookups. Keys derived from
JWT_SECRET via HKDF with dedicated salts. Dual-write to both plaintext
and _enc columns during transition; row mappers decrypt with plaintext
fallback. Includes idempotent backfill migration script.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-23 16:50:21 -07:00

encrypt-pii.ts

feat(encryptid): encrypt all PII at rest in database

2026-03-23 16:50:21 -07:00