# `PhoenixKit.Integrations.Encryption`
[🔗](https://github.com/BeamLabEU/phoenix_kit/blob/v1.7.165/lib/phoenix_kit/integrations/encryption.ex#L1)

AES-256-GCM encryption for sensitive integration credentials.

Encrypts fields like `access_token`, `refresh_token`, `client_secret`,
`api_key`, `bot_token`, `secret_key` before storing in the database.
Decrypts them when reading.

Uses the application's `secret_key_base` as the root key, deriving a
dedicated integration encryption key via PBKDF2.

## Configuration

Encryption is enabled by default when `secret_key_base` is configured.
To disable, set:

    config :phoenix_kit, integration_encryption_enabled: false

# `decrypt_fields`

```elixir
@spec decrypt_fields(map()) :: map()
```

Decrypt sensitive fields in an integration data map after reading.

Only values with the `enc:v1:` prefix are decrypted.
Non-encrypted values are returned as-is for backwards compatibility.

# `enabled?`

```elixir
@spec enabled?() :: boolean()
```

Check if encryption is available and enabled.

# `encrypt_fields`

```elixir
@spec encrypt_fields(map()) :: map()
```

Encrypt sensitive fields in an integration data map before saving.

Non-sensitive fields and nil/empty values are left unchanged.
Already-encrypted values (with `enc:v1:` prefix) are not re-encrypted.

# `sensitive_fields`

```elixir
@spec sensitive_fields() :: [String.t()]
```

Returns the list of field keys that are encrypted.

---

*Consult [api-reference.md](api-reference.md) for complete listing*