Field-level encryption

Definition

With field-level encryption, individual attributes (for example name, email address, phone number) are encrypted before being written to the database and decrypted only after they are read. The key is typically held outside the database, in a KMS or in a separately managed secret-management component. This approach complements disk- and transport-level encryption and reduces the risk that a compromised database account exposes personal data in the clear.

How Swiss Knowledge Hub uses this term

Swiss Knowledge Hub uses @47ng/cloak (AES-GCM-256) for selected fields — in particular user name, user email, LLM API keys, and integration connection strings. This is not full-disk encryption and does not cover every content field; document content is protected at the storage layer.

Related terms

• BYOK (Bring Your Own Key)
• Zero trust
• Audit log
• Compliance frameworks (ISO 27001, SOC 2)

Sources

1. OWASP — Cryptographic Storage Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html