fernet-encryption-for-data-source-credentials
Data source credentials (Snowflake username, password, account, warehouse) are encrypted with Fernet (symmetric AES-128-CBC) before storage in Postgres. The encryption key is pulled from RSAME_ENCRYPTION_KEY env var (must be a URL-safe base64-encoded 32-byte key). The shared EncryptionService lives in packages/db/ so both the API and worker processes share the same encrypt/decrypt logic without duplication.
Related
- r-same-m2-data-sources-m3-query-engine-foundation
- vantage-rbac-rls-non-negotiable-v1-gate
- rbac-rls-at-query-execution-layer-is-non-negotiable-enterpri
- rbac-rls-must-enforce-at-query-execution-not-ui
- rls-at-query-execution-layer-enterprise-bi-non-negotiable
- widget-exactly-one-source-invariant-enforced-three-layers