Encryption

EndpointVault uses AES-256 encryption to protect your captured data. Your encryption key never leaves the device — only encrypted payloads are sent to the server.

How It Works

  1. You provide a 32-character encryption key during initialization
  2. Request/response payloads are encrypted client-side before transmission
  3. Only encrypted data is stored on the server
  4. You decrypt data using your key when viewing events

Important: EndpointVault cannot read your encrypted data. If you lose your encryption key, the data cannot be recovered.

Encryption Algorithm

Key Management

Using a 32-character key

Provide a strong 32-character key directly:

await EndpointVault.init(
  apiKey: 'your-api-key',
  encryptionKey: 'your-32-character-secure-key!!!!',
);

Using a shorter key

If your key is shorter than 32 characters, the SDK automatically derives a 32-byte key using SHA-256:

// This works — key will be derived via SHA-256
await EndpointVault.init(
  apiKey: 'your-api-key',
  encryptionKey: 'my-shorter-password',
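);

Security tip: Use a strong, randomly generated 32-character key for production, and store it securely (e.g., in environment variables or a secrets manager). SHA-256 derivation makes a shorter key the right length but adds no entropy, so a short passphrase is only as strong as the passphrase itself.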

Manual Encryption

You can use the encryption service directly:

final encryption = EncryptionService('your-encryption-key');

// Encrypt a string
final encrypted = encryption.encrypt('sensitive data');

// Decrypt
final decrypted = encryption.decrypt(encrypted);

// Encrypt JSON
final encryptedJson = encryption.encryptJson({'user': 'data'});
final decryptedJson = encryption.decryptJson(encryptedJson);

// Generate a fingerprint (for deduplication)
final fingerprint = encryption.fingerprint('data');

File Encryption

File attachments are also encrypted using AES-256:

// Encrypt bytes
final encryptedBytes = encryption.encryptBytes(fileBytes);

// Decrypt bytes
final decryptedBytes = encryption.decryptBytes(encryptedBytes);

// Encrypt to file
await encryption.encryptBytesToFile(
  data: fileBytes,
  outputPath: '/path/to/encrypted.enc',
);

// Decrypt from file
final bytes = await encryption.decryptFileToBytes('/path/to/encrypted.enc');

What Gets Encrypted

The following data is encrypted before being sent to the server:

The following is not encrypted (for analytics/filtering):

Best Practices

  1. Generate a strong key: Use a cryptographically random 32-character string
  2. Store securely: Never hardcode keys in source code; use environment variables
  3. Rotate periodically: Consider rotating keys for new projects
  4. Backup your key: Store a backup in a secure location
  5. Don't share: Each project should have its own unique key
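
One way to follow practices 1 and 2 above, shown as an added example that is not part of the EndpointVault SDK or its documentation. The names generateKey, requireKey and ENDPOINTVAULT_KEY are hypothetical, and supplying the key through --dart-define is an assumption about your build setup.

```dart
import 'dart:math';

// URL-safe alphabet of 64 ASCII symbols: each character carries 6 bits,
// so a 32-character key holds 192 bits of entropy.
const alphabet =
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

/// Generates a key from the platform CSPRNG (hypothetical helper).
String generateKey({int length = 32}) {
  final rng = Random.secure(); // throws UnsupportedError if no CSPRNG exists
  return String.fromCharCodes(List.generate(
      length, (_) => alphabet.codeUnitAt(rng.nextInt(alphabet.length))));
}

/// Rejects keys that are not exactly 32 printable ASCII characters, so a
/// truncated or mistyped key fails loudly instead of being hashed into a
/// different key by the shorter-key path (hypothetical helper).
String requireKey(String key) {
  if (key.length != 32 || key.codeUnits.any((c) => c < 0x21 || c > 0x7e)) {
    throw ArgumentError('encryption key must be 32 printable ASCII characters');
  }
  return key;
}

void main() {
  // Run once per project, then store the output in your secrets manager.
  final key = generateKey();
  print(requireKey(key));

  // At startup, read the stored key (assumed here to be supplied at build
  // time via --dart-define=ENDPOINTVAULT_KEY=...) and validate it before
  // passing it as encryptionKey to EndpointVault.init.
  const configured = String.fromEnvironment('ENDPOINTVAULT_KEY');
  if (configured.isNotEmpty) requireKey(configured);
}
```

Because the alphabet is ASCII, 32 characters are also 32 bytes, which is the key size AES-256 expects.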