Data Encryption Settings

Last updated: June 20, 2025. Version: 1.0

Learn how the Shifts platform implements encryption to protect sensitive data, how to manage encryption keys, and how to configure encryption settings as a system administrator.

Overview

The Data Encryption Settings in Shifts provide robust protection for sensitive information stored in the database. The platform uses ActiveRecord Encryption to automatically encrypt critical data like API keys, passwords, and personal information before storage and decrypt it only when needed. This article explains how the encryption system works and how to manage it as a system administrator.

Understanding Data Encryption

What Gets Encrypted

The Shifts platform automatically encrypts several types of sensitive data:

  • API Keys: Third-party integration keys (e.g., OpenAI API keys)
  • Authentication Tokens: Access tokens for external services
  • Personally Identifiable Information: When configured, certain user data fields
  • Security Credentials: Various credentials used for system integrations
  • Webhook Secrets: Verification tokens for webhook endpoints

How Encryption Works

The platform uses Rails’ built-in ActiveRecord Encryption with a three-key system:

  1. Primary Key: Used for creating the underlying encryption key
  2. Deterministic Key: Used for searchable encrypted data
  3. Key Derivation Salt: Used to strengthen encryption against brute force attacks

These keys work together to provide a layered encryption approach:

  • Transparent Encryption: Data is automatically encrypted/decrypted as it enters/leaves the database
  • Minimal Performance Impact: The encryption process is optimized for minimal performance overhead
  • Zero Knowledge: Keys are managed separately from the database, ensuring no single breach exposes data

Accessing Encryption Settings

As a system administrator, you manage encryption settings as follows:

  1. Navigate to System Admin > Security Administration > Encryption Settings
  2. This page shows the current encryption configuration and key management options
  3. Changes to encryption settings require the highest level of authorization

Key Management

Viewing Current Key Configuration

To view the current encryption key configuration:

  1. Go to System Admin > Security Administration > Encryption Settings
  2. The Current Configuration section shows:
    • Last key rotation date
    • Key strength assessment
    • Encryption algorithm in use
    • Whether deterministic encryption is enabled

Note: For security reasons, the actual keys are never displayed in the interface.

Key Rotation

Rotating encryption keys is a critical security practice:

  1. Navigate to Key Management > Rotate Keys
  2. You’ll be asked to provide:
    • New primary key (or generate one automatically)
    • New deterministic key (or generate one automatically)
    • New key derivation salt (or generate one automatically)
  3. Schedule the rotation during off-peak hours
  4. Confirm the operation with your administrator credentials

The system will:

  • Generate new keys if you chose automatic generation
  • Re-encrypt all data with the new keys
  • Archive the old keys for a configurable period
  • Log the operation in the security audit log

Key Backup and Recovery

Always maintain secure backups of encryption keys:

  1. Go to Key Management > Export Keys
  2. Authenticate with your credentials
  3. Choose your export format (secure file or HSM-compatible)
  4. Store the exported keys in a secure, separate location

To restore keys from backup:

  1. Navigate to Key Management > Import Keys
  2. Select your key backup file
  3. Authenticate the operation
  4. The system will verify the keys before importing

Configuring Encrypted Columns

Super administrators who need to encrypt additional database columns should note:

  1. This requires both application code changes and configuration updates
  2. Contact technical support for assistance with extending encryption to additional fields
  3. Remember that adding encryption to existing columns requires a migration strategy

Environment-Based Configuration

The platform uses different encryption configurations depending on the environment.

Development and Testing

For development and testing environments, the system uses:

  • Fixed encryption keys stored in config/encryption_keys.yml
  • Simplified key management for developer convenience
  • Clear warnings against using these keys in production

Production Environment

In production:

  • Keys should be provided through environment variables
  • No keys should be stored in configuration files
  • Key rotation should be performed regularly
  • Hardware Security Modules (HSMs) can be integrated for additional security
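
The production rules above can be enforced with a startup check. The following Ruby is an added example, not the platform's own code: it reports missing, short, duplicated, or development-file keys in the environment. The variable names and the 32-character floor are assumptions, and the check reads the development key file generically because its layout is not documented here.

```ruby
require "yaml"

# Hypothetical variable names; use whatever your deployment defines.
REQUIRED_VARS = %w[
  AR_ENCRYPTION_PRIMARY_KEY
  AR_ENCRYPTION_DETERMINISTIC_KEY
  AR_ENCRYPTION_KEY_DERIVATION_SALT
].freeze
MIN_LENGTH = 32 # assumed policy floor, not a documented platform requirement

# Collect every string value in a parsed YAML document, whatever its layout.
def yaml_strings(node)
  case node
  when Hash   then node.values.flat_map { |v| yaml_strings(v) }
  when Array  then node.flat_map { |v| yaml_strings(v) }
  when String then [node]
  else []
  end
end

# Return a list of problems; an empty list means the environment passes.
# env is a Hash such as ENV.to_h; dev_keys_yaml is the text of the dev key file.
def encryption_env_problems(env, dev_keys_yaml)
  dev_values = yaml_strings(YAML.safe_load(dev_keys_yaml) || {})
  problems = []
  values = REQUIRED_VARS.map do |name|
    value = env[name].to_s
    if value.empty?
      problems << "#{name} is not set"
    elsif value.length < MIN_LENGTH
      problems << "#{name} is shorter than #{MIN_LENGTH} characters"
    elsif dev_values.include?(value)
      problems << "#{name} reuses a development key"
    end
    value
  end
  set = values.reject(&:empty?)
  problems << "the same value is used for more than one key" if set.uniq.length < set.length
  problems
end
```

Run it at boot with the contents of config/encryption_keys.yml and refuse to start when the returned list is not empty.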

Monitoring Encryption Health

Stay informed about your encryption status:

  1. Navigate to System Admin > Security Dashboard
  2. The Data Encryption panel shows:
    • Current encryption status
    • Last key rotation date
    • Number of encrypted columns/records
    • Any pending encryption operations

The system will also notify administrators when:

  • Encryption keys have not been rotated for a configurable period
  • Encryption operations fail or encounter errors
  • Key strength no longer meets current security standards

Best Practices

For optimal encryption security:

  1. Regular Key Rotation: Rotate encryption keys at least quarterly
  2. Secure Key Storage: Store encryption keys separate from the database
  3. Layered Protection: Use HSMs in production when possible
  4. Documentation: Maintain a secure record of key rotation history
  5. Access Control: Limit access to encryption settings to only top administrators
  6. Backup Keys: Always maintain secure backups of encryption keys
  7. Emergency Plan: Have a documented procedure for emergency key rotation

Encryption Implementation Details

Advanced administrators may want to understand the following implementation details.

Currently Encrypted Models and Fields

  • OpenAiConfiguration: api_key field is encrypted with non-deterministic encryption
  • ApiToken: API keys and secrets are encrypted
  • WebhookConfiguration: Webhook secrets are encrypted
  • Other models: Additional fields may be encrypted based on your specific configuration

Encryption Algorithm

The platform uses the AES-256-GCM encryption algorithm with:

  • 256-bit encryption strength
  • Authenticated encryption mode (GCM)
  • Unique initialization vectors for each encryption operation
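
An added sketch, not the platform's or Rails' own code, ties together the three-key layout from "How Encryption Works", the per-record step of "Key Rotation", and the AES-256-GCM properties listed here, using Ruby's standard OpenSSL library. All key and salt values are constructed, and the PBKDF2 parameters and the HMAC-derived deterministic IV are assumptions of this illustration.

```ruby
require "openssl"

# Constructed values for illustration only.
SALT    = "constructed-key-derivation-salt"
OLD_KEY = "constructed-old-primary-key"
NEW_KEY = "constructed-new-primary-key"
DET_KEY = "constructed-deterministic-key"

# Stretch a configured secret into a 256-bit AES key using the shared salt.
def derive_key(secret)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, SALT, 65_536, 32, OpenSSL::Digest.new("SHA256"))
end

# AES-256-GCM. A random 96-bit IV by default; in deterministic mode the IV is
# an HMAC of the plaintext, so equal inputs give equal, searchable output.
def encrypt(plaintext, secret, deterministic: false)
  key = derive_key(secret)
  iv = if deterministic
         OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, plaintext)[0, 12]
       else
         OpenSSL::Random.random_bytes(12)
       end
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  cipher.iv = iv
  ct = cipher.update(plaintext) + cipher.final
  { iv: iv, ct: ct, tag: cipher.auth_tag }
end

# Try each secret in order (current first, then archived). The GCM tag check
# rejects a wrong key or a modified record with CipherError.
def decrypt(record, secrets)
  secrets.each do |secret|
    begin
      cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
      cipher.key = derive_key(secret)
      cipher.iv = record[:iv]
      cipher.auth_tag = record[:tag]
      return cipher.update(record[:ct]) + cipher.final
    rescue OpenSSL::Cipher::CipherError # wrong key or tampered: try the next
    end
  end
  raise OpenSSL::Cipher::CipherError, "no configured key decrypts this record"
end

# Rotation step for one record: read with any known key, write with the new one.
def rotate(record, new_secret, archived)
  encrypt(decrypt(record, [new_secret, *archived]), new_secret)
end
```

Deterministic mode trades confidentiality of equality for searchability: anyone who can read the column can tell which rows hold the same value, which is why secrets such as the api_key field use the non-deterministic mode.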

Related Resources

This article should be updated when:

  1. New encrypted fields are added to the system
  2. Encryption algorithms or methods change
  3. Key management interface is updated
  4. New encryption features are added
  5. Best practices for key rotation change