---
title: Database field-level encryption
url: https://www.tines.com/docs/self-hosted/configuring-tines/database-field-level-encryption/
updated: 2026-05-08T13:34:30+00:00
---

*[tines.com](https://www.tines.com/llms.txt) › [Docs](https://www.tines.com/llms.txt) › [Self-Hosted](https://www.tines.com/llm/docs/self-hosted.md) › [Configuring Tines](https://www.tines.com/llm/docs/self-hosted/configuring-tines.md)*

# Database field-level encryption

*[View on tines.com](https://www.tines.com/docs/self-hosted/configuring-tines/database-field-level-encryption/)*

[Tines Credentials](https://www.tines.com/docs/credentials/) are stored in the database provisioned for your self-hosted Tines tenant. While we recommend ensuring that the PostgreSQL database has encryption at rest and in transit, you can also leverage and ensure encryption at a field level. This ensures that Tines Credentials are persisted with `AES-256` encryption using the keys that you provide and are not stored as plain text.

## Setup

To opt-in your self-hosted installation to take advantage of this feature, you can follow the steps below:

- Add the following environment variables to your setup. This is usually the `.env` file if you are on a Docker Compose setup.

```
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=ABC123
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=ABC123
```

- Replace `ABC123` with unique keys that are 32 bytes in length.
- Perform a rolling restart of your containers. After this, any new Tines Credential you create will be encrypted at a field level.
- To encrypt existing records, run the following from a `tines-app` or `tines-sidekiq` container:

```bash
bundle exec rake tines:encrypt_models
```

And that's all you need to do.

> **WARNING:** Once these values are set in the .env file, they cannot be changed. To rotate keys, see the instructions in the next section.

## Rotating Keys

In case you need to rotate the primary key, you can follow the steps below:

- Introduce the new key as a new environment variable:

```
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW=ABC123

# Keep the following as is
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=ABC123
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=ABC123
```

- Perform a rolling restart of your containers. After this, any new Tines Credential you create will be encrypted at a field level using the new key, and decryption will be attempted using both the existing and new keys.
- Finally, to re-encrypt existing records, run the following from a `tines-app` or `tines-sidekiq` container:

```bash
bundle exec rake tines:encrypt_models
```

- Once done, you can now replace the contents of `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY` with `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW `and drop `ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY_NEW` altogether from your environment store.



And that's all you need to do to rotate the primary key.