Encryption
Connection secret encryption with AES-256-GCM.
Connection secrets -- database URLs, API keys, passwords -- are encrypted at rest using AES-256-GCM with per-project derived keys. Secrets are displayed once at creation time and never again.
const engine = createEngine({
masterKey: process.env.SUPERAPP_MASTER_KEY!,
connections: {
main: { type: 'postgres', url: process.env.PG_URL! },
},
})Master Key
The masterKey is the root secret for all encryption operations. It is never stored in the database -- only in your environment variables or secret manager.
Generate a master key:
openssl rand -hex 32This produces a 256-bit (64-character hex) key. Store it as an environment variable:
SUPERAPP_MASTER_KEY=a1b2c3d4e5f6...your-64-char-hex-keyIf the master key is lost, all encrypted connection secrets become unrecoverable. Store it in a secret manager (AWS Secrets Manager, HashiCorp Vault, Doppler) and back it up securely.
Key Derivation
The engine never uses the master key directly for encryption. Instead, it derives a unique encryption key for each project using HKDF (HMAC-based Key Derivation Function):
Master Key
│
└─ HKDF-SHA256(masterKey, salt=projectId, info="superapp-encryption")
│
└─ Per-Project Key (256-bit)
│
├─ Encrypt connection "main" URL
├─ Encrypt connection "warehouse" URL
└─ Encrypt custom provider API keysThis ensures that even if one project's derived key is compromised, other projects remain secure.
Encryption Details
| Property | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key size | 256 bits |
| IV size | 96 bits (random per encryption) |
| Auth tag | 128 bits |
| KDF | HKDF-SHA256 |
Each encryption operation uses a random 96-bit initialization vector (IV). The IV and authentication tag are stored alongside the ciphertext. The auth tag provides tamper detection -- if the ciphertext or IV is modified, decryption fails.
Display-Once Flow
When a connection is added through the admin UI or API, the secret (database URL, API key) follows a display-once flow:
- User submits the connection config with the plaintext secret
- Engine encrypts the secret with the per-project derived key
- Ciphertext, IV, and auth tag are stored in the engine database
- The plaintext secret is returned to the user once in the response
- All subsequent reads return a masked value (
postgres://****:****@host:5432/db)
POST /admin/api/connections
{
"name": "main",
"type": "postgres",
"url": "postgres://user:secret@host:5432/db"
}
→ 201 Created
{
"name": "main",
"type": "postgres",
"url": "postgres://user:secret@host:5432/db" ← shown once
}
GET /admin/api/connections/main
{
"name": "main",
"type": "postgres",
"url": "postgres://****:****@host:5432/db" ← masked forever
}Key Rotation
To rotate the master key:
- Set the new master key and old master key in environment variables
- Run the rotation command
- Remove the old master key
SUPERAPP_MASTER_KEY=new-key-here \
SUPERAPP_MASTER_KEY_OLD=old-key-here \
npx @superapp/backend rotate-keysThe rotation command:
- Decrypts all secrets using the old derived keys
- Re-encrypts all secrets using new derived keys
- Updates the stored ciphertext
- Verifies all secrets decrypt correctly with the new key
Key rotation is atomic -- if any step fails, all changes are rolled back and the old key remains active.
Programmatic Connections
When connections are defined in code (not through the admin UI), the URL comes from environment variables and is never stored in the engine database:
const engine = createEngine({
connections: {
main: { type: 'postgres', url: process.env.PG_URL! },
},
})In this case, encryption applies only to connections added at runtime through the admin API. The masterKey is still required for admin API authentication and schema token signing.