Skip to content
Checkstack

Setting Up Secret Encryption

Checkstack automatically encrypts sensitive configuration data (like OAuth client secrets, API keys, database passwords) using AES-256-GCM encryption before storing them in the database.

Required Setup

Section titled “Required Setup”

You must set an ENCRYPTION_MASTER_KEY environment variable before using any features that store secrets.

Generate a New Key

Section titled “Generate a New Key”
Terminal window
# Generate a secure random 32-byte key
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Add to .env

Section titled “Add to .env”

Copy the generated key and add it to your .env file:

Terminal window
ENCRYPTION_MASTER_KEY=<your-generated-key-here>

IMPORTANT:

  • The key MUST be exactly 64 hexadecimal characters (32 bytes)
  • Do NOT commit this key to version control
  • Use different keys for development, staging, and production
  • Keep this key secure - if you lose it, encrypted secrets cannot be recovered

What Gets Encrypted?

Section titled “What Gets Encrypted?”

Any configuration field marked with configString({ "x-secret": true }) in the Zod schema will be automatically encrypted, including:

  • OAuth client secrets (GitHub, Google, etc.)
  • API keys and tokens
  • Database passwords in connection strings
  • SMTP passwords
  • Any other sensitive credentials

How It Works

Section titled “How It Works”
  1. On Save: Secrets are automatically encrypted before being stored in the database
  2. On Load: Secrets are automatically decrypted when retrieved for use
  3. For Frontend: Secrets are redacted (completely removed) before being sent to the frontend

Security Features

Section titled “Security Features”
  • AES-256-GCM encryption (authenticated encryption)
  • Unique IV per encryption (prevents pattern analysis)
  • Authentication tag verification (detects tampering)
  • Automatic encryption/decryption (transparent to application code)
  • Secrets never exposed to frontend (redacted before sending)

Troubleshooting

Section titled “Troubleshooting”

Error: “ENCRYPTION_MASTER_KEY environment variable is required”

  • You haven’t set the ENCRYPTION_MASTER_KEY in your .env file
  • Solution: Generate a key and add it to .env as shown above

Error: “ENCRYPTION_MASTER_KEY must be 32 bytes (64 hex characters)”

  • Your key is not the correct length
  • Solution: Generate a new key using the command above (it will be the correct length)

Key Rotation

Section titled “Key Rotation”

If you need to rotate your encryption key:

  1. Generate a new key
  2. Decrypt all secrets with the old key
  3. Update ENCRYPTION_MASTER_KEY with the new key
  4. Re-encrypt all secrets with the new key

Note: There is currently no automated key rotation tool. This is a manual process.

Checkstack · Component library · Elastic-2.0