Anima encrypts sensitive data at the field level before it ever reaches the database. Your API keys, credentials, and webhook secrets are protected using AES-256-GCM with per-organization key isolation.

What gets encrypted

Anima encrypts these fields at rest:
  • API keys
  • Webhook secrets
  • Email provider credentials
Sensitive values are encrypted individually at the field level, not at the row or table level. This means your application retains fine-grained access control while the underlying storage never holds plaintext secrets.

Encryption model

Anima uses AES-256-GCM for all field-level encryption. This algorithm provides both confidentiality and authenticated integrity — meaning any tampering with a ciphertext is detectable on decryption. Each encrypted field stores:
  • The ciphertext
  • The initialization vector (IV)
  • The authentication tag
  • The key version used to encrypt it

Envelope encryption

Anima separates key encryption from data encryption using a two-layer envelope model.
1. Create org DEK (data encryption key)
2. Wrap DEK with KEK (stored in KMS/HSM boundary)
3. Encrypt secret field with org DEK (AES-256-GCM)
4. Persist ciphertext + iv + authTag + keyVersion
5. On read, unwrap DEK and decrypt if access policy allows
  • DEK (Data Encryption Key) — Used to encrypt your actual secret fields. One DEK per organization.
  • KEK (Key Encryption Key) — Wraps the DEK and is managed within a KMS/HSM boundary. The KEK never touches application memory directly.
This separation means that even if the database contents were exposed, the stored ciphertexts and wrapped DEKs would be unreadable without the KEK.
Each organization has its own isolated encryption context. Your DEK is never shared with or accessible to other organizations.

Key rotation

Anima supports versioned key rotation. When you rotate to new key material, existing encrypted records continue to decrypt using their stored key version until they are migrated forward.
Rotation is non-breaking: reads support all legacy key versions until migration is complete. You can rotate keys without taking your integration offline.

What this means for you

  • You do not need to manage encryption keys directly — Anima handles the full key lifecycle.
  • Decrypted secrets are never logged or returned in client-side responses.
  • Authenticated encryption ensures that any corruption or tampering is caught at read time.
Never log decrypted secrets in your own application code, and never render plaintext credentials in client-side UI. Anima encrypts data on its side, but your application is responsible for handling decrypted values safely once they are returned.