Sensitive Data Encryption — Module Design and Migration Retrospective

A retrospective on column-level encryption of sensitive data in a running service. It covers envelope encryption, DEK granularity decisions, the WHERE clause constraint that led to HMAC, and the migration automation Skill that spread the work across the org.

January 15, 2026 · 5 min read