nself-vault

Per-row and per-column selective encryption managed entirely within your nSelf instance. Uses libsodium envelope encryption — a Data Encryption Key (DEK) per row, wrapped by your Key Encryption Key (KEK). Provides key rotation, an immutable audit log of all encrypt/decrypt operations, and a Hasura Action surface so your frontend can call encryption directly via GraphQL without writing any crypto code.

Install

nself plugin install nself-vault
nself build
nself start

Configuration

How envelope encryption works

When you encrypt a value, the plugin generates a unique DEK for that row using libsodium secretbox. The DEK is then wrapped (encrypted) with your KEK and stored alongside the ciphertext. Decryption reverses the process: unwrap the DEK with the KEK, decrypt the ciphertext. Rotating keys means re-wrapping all DEKs with the new KEK — the ciphertext itself is unchanged.

Hasura Action surface

The plugin registers a Hasura Remote Schema exposing encryptValue, decryptValue, encryptBatch, decryptBatch, and rotateKeys mutations. Frontend apps can call these directly via GraphQL with their JWT without implementing any encryption logic.

Key rotation

# 1. Set the new KEK
VAULT_KEK_V2=your-new-32-byte-key-hex

# 2. Update version to target v2
VAULT_CURRENT_KEK_VERSION=2

# 3. Rebuild and restart — rotation runs on startup
nself build
nself start

# The plugin re-wraps all DEKs from v1 to v2 in the background.
# Old v1 DEK records are kept until rotation completes.

Related

• byok: Customer-managed keys via AWS KMS, GCP KMS, or HashiCorp Vault Transit
• hipaa: HIPAA safeguards that verify encryption on PHI columns
• compliance: Compliance posture management

Pro Plugin — ɳSelf+ | Port: 3823 | v1.0.0