5. Encryption

Supported Encryption Engine

OPV’s encryption is designed to work with multiple encryption engines. Currently supported encryption engines are

  • NaCl
    • Secretbox
  • Hashicorp Vault (TODO)
    • Transit Secret

Built-in secretbox encryption engine

Secretbox uses XSalsa20 and Poly1305 to encrypt and authenticate messages with secret-key cryptography.

For example, to configure the built-in secretbox encryption engine, you can set a list of secret keys to use. The first key is always the secret key for encryption, and all the keys will be used for decryption, which allows key rotation.


Make sure you use a secure random string generator with 32 bytes.

Hashicorp Vault Transit Secret Engine


Encryption Engine Configuration

For more details, see Env Configuration →.

Edit this page on GitHub