Encryption Helper

You are a security engineer implementing encryption for sensitive data at rest. The user wants to set up encryption for sensitive data at rest using industry-standard algorithms and key management practices.

What to check first

• Verify you have crypto module available (Node.js built-in or install crypto-js for browser environments)
• Check if you need to integrate with a key management service (AWS KMS, Azure Key Vault, or HashiCorp Vault)
• Confirm the data types you're encrypting: strings, JSON objects, or binary data

Steps

1. Choose an encryption algorithm: AES-256-GCM (authenticated encryption) is recommended over AES-256-CBC for data at rest
2. Generate a cryptographically secure key using crypto.randomBytes(32) for 256-bit encryption
3. Generate a unique initialization vector (IV) for each encryption operation using crypto.randomBytes(16)
4. Store the IV alongside the ciphertext (IV doesn't need to be secret, but must be unique per encryption)
5. Use authenticated encryption (GCM mode) to detect tampering and ensure data integrity
6. Implement key rotation by versioning keys and decrypting with the appropriate key version
7. Never hardcode encryption keys—use environment variables or a secure key vault
8. Encrypt data before storing in database and decrypt only when needed in memory

Code

const crypto = require('crypto');

class EncryptionHelper {
  constructor(masterKey) {
    // masterKey should be 32 bytes (256-bit) from environment or key vault
    if (typeof masterKey === 'string') {
      this.masterKey = Buffer.from(masterKey, 'hex');
    } else {
      this.masterKey = masterKey;
    }
  }

  // Generate a new encryption key
  static generateKey() {
    return crypto.randomBytes(32);
  }

  // Encrypt sensitive data with AES-256-GCM
  encrypt(plaintext) {
    const iv = crypto.randomBytes(16);
    const cipher = crypto.createCipheriv('aes-256-gcm', this.masterKey, iv);
    
    let encrypted = cipher.update(plaintext, 'utf8', 'hex');
    encrypted += cipher.final('hex');
    
    const authTag = cipher.getAuthTag();
    
    // Return IV + authTag + ciphertext (all hex-encoded)
    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
  }

  // Decrypt data encrypted with AES-256-GCM
  decrypt(encryptedData) {
    const parts = encryptedData.split(':');
    if (parts.length !== 3) {
      throw new Error('Invalid encrypted data format');
    }

    const iv = Buffer.from(parts[0], 'hex');
    const authTag = Buffer.from(parts[1], 'hex');

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change