Data Encryption Agent Skill
Data encryption — TLS everywhere, AES-256-GCM for PII, bcrypt passwords, encrypted backups.
The Skill
---
description: Data encryption — TLS everywhere, AES-256-GCM for PII, bcrypt passwords, encrypted backups.
homepage: https://yepapi.com/skills/data-encryption
metadata:
tags: [security, encryption, tls, privacy]
---
# Data Encryption
## Rules
- TLS everywhere: redirect HTTP to HTTPS, set HSTS headers, never allow unencrypted connections
- Encrypt PII columns at the application level with AES-256-GCM before storing in the database
- Look up emails by a keyed hash (HMAC-SHA-256 under a dedicated index key) and keep an AES-256-GCM copy for display — this allows exact-match search without exposing the address. A plain, unkeyed SHA-256 of an email is reversible by dictionary because the address space is small
- Passwords: bcrypt or argon2id only — never SHA, MD5, or reversible encryption
- Encrypt database backups and store encryption keys separately from the data
- Use `crypto.subtle` for browser-side encryption, `node:crypto` for server-side
- Store encryption keys in a secrets manager, never in code or alongside encrypted data
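The first rule (redirect HTTP to HTTPS, send HSTS) as an added example; this is not part of the skill file or of any project's code. `ALLOWED_HOSTS`, the two-year `max-age`, the `Decision` shape and the proxy-trust flag are assumptions chosen for the example. The decision logic is kept pure so it can be tested without sockets; the `node:http` glue shows where it plugs in.

```typescript
// Added example (not the skill's own code): enforce TLS on every request.
import { createServer, IncomingMessage, ServerResponse } from "node:http";
import type { TLSSocket } from "node:tls";

// Hosts this service answers for (assumed values). Redirecting to whatever
// Host header the client sent would turn the redirect into an open redirect.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]);
// Two years, subdomains included, eligible for the browser preload list.
const HSTS_VALUE = "max-age=63072000; includeSubDomains; preload";

type Decision =
  | { kind: "redirect"; status: 301; location: string }
  | { kind: "reject"; status: 400 | 403 }
  | { kind: "serve"; headers: Record<string, string> };

// Pure decision for one request. `proto` is "https" when the request arrived
// over TLS (directly, or via a trusted proxy's X-Forwarded-Proto); anything
// else is treated as plaintext.
function enforceTls(method: string, host: string | undefined, url: string, proto: string): Decision {
  // Normalise the host and drop a plaintext port (e.g. :8080) so the redirect lands on 443.
  const hostname = (host ?? "").toLowerCase().replace(/:\d+$/, "");
  if (!ALLOWED_HOSTS.has(hostname)) return { kind: "reject", status: 400 };
  if (proto !== "https") {
    // A non-idempotent request has already leaked its body in the clear;
    // replaying it over HTTPS would not undo that, so refuse instead of redirecting.
    if (method !== "GET" && method !== "HEAD") return { kind: "reject", status: 403 };
    return { kind: "redirect", status: 301, location: `https://${hostname}${url}` };
  }
  // Browsers only honour HSTS on HTTPS responses, so set it here, not on the redirect.
  return { kind: "serve", headers: { "Strict-Transport-Security": HSTS_VALUE } };
}

// Request scheme: the TLS socket itself, or X-Forwarded-Proto when a trusted
// reverse proxy terminates TLS in front of this process.
function requestProto(req: IncomingMessage, trustProxy: boolean): string {
  if ((req.socket as TLSSocket).encrypted) return "https";
  const fwd = req.headers["x-forwarded-proto"];
  return trustProxy && typeof fwd === "string" && fwd.trim().toLowerCase().startsWith("https")
    ? "https"
    : "http";
}

function handler(req: IncomingMessage, res: ServerResponse): void {
  const d = enforceTls(req.method ?? "GET", req.headers.host, req.url ?? "/", requestProto(req, true));
  if (d.kind === "redirect") { res.writeHead(d.status, { Location: d.location }); res.end(); return; }
  if (d.kind === "reject") { res.writeHead(d.status); res.end(); return; }
  res.writeHead(200, { ...d.headers, "Content-Type": "text/plain" });
  res.end("ok over TLS\n");
}

// Plaintext listener whose only job is to redirect; the HTTPS listener
// (node:https with real certificates) would reuse the same handler.
function plaintextRedirector(port: number) {
  return createServer(handler).listen(port);
}
```

Set `trustProxy` to true only when a proxy you control overwrites `X-Forwarded-Proto`; otherwise a client can claim "https" and skip the redirect.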
```ts
// AES-256-GCM encrypt/decrypt in Node.js
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
// 32-byte key, hex-encoded, loaded from the secrets manager into the environment
const ENCRYPTION_KEY = Buffer.from(process.env.ENCRYPTION_KEY!, "hex");
if (ENCRYPTION_KEY.length !== 32) throw new Error("ENCRYPTION_KEY must be 32 bytes (64 hex chars)");
function encrypt(plaintext: string): string {
  const iv = randomBytes(12); // fresh 96-bit nonce per message; never reuse one with the same key
  const cipher = createCipheriv("aes-256-gcm", ENCRYPTION_KEY, iv);
  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return Buffer.concat([iv, tag, encrypted]).toString("base64"); // iv || tag || ciphertext
}
function decrypt(ciphertext: string): string {
  const buf = Buffer.from(ciphertext, "base64");
  const iv = buf.subarray(0, 12);
  const tag = buf.subarray(12, 28);
  const encrypted = buf.subarray(28);
  const decipher = createDecipheriv("aes-256-gcm", ENCRYPTION_KEY, iv);
  decipher.setAuthTag(tag); // final() throws if the tag does not verify (tampered or wrong key)
  // Concatenate the Buffers before decoding so multi-byte UTF-8 characters are never split
  return Buffer.concat([decipher.update(encrypted), decipher.final()]).toString("utf8");
}
```
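The email lookup rule (keyed hash for search, AES-256-GCM copy for display) as an added example; this is not part of the skill file. `INDEX_KEY`, the `UserRow` shape and the in-memory `rows` table are assumptions constructed so the example runs offline. The index key is separate from the AES key: compromising the display ciphertext must not let an attacker enumerate addresses through the index, and vice versa.

```typescript
// Added example (not the skill's own code): blind index for email lookup.
// An unkeyed SHA-256 of an email is reversible by dictionary (the address
// space is small), so the lookup value is an HMAC under a key that lives in
// the secrets manager, separate from the AES key used for the display copy.
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed: a 32-byte index key from the secrets manager. Fixed bytes here only
// so the example runs offline (constructed value; never do this in real code).
const INDEX_KEY = Buffer.from("00".repeat(31) + "01", "hex");

// Canonicalise so "Alice@Example.COM " and "alice@example.com" index alike.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// HMAC-SHA-256 blind index; store this hex string in an indexed column.
function blindIndex(email: string, key: Buffer = INDEX_KEY): string {
  if (key.length < 32) throw new Error("index key must be at least 32 bytes");
  return createHmac("sha256", key).update(normalizeEmail(email), "utf8").digest("hex");
}

// Constant-time comparison of two stored indexes (e.g. during a login lookup).
function indexEquals(a: string, b: string): boolean {
  const ba = Buffer.from(a, "hex");
  const bb = Buffer.from(b, "hex");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Simulated user table: the email column holds only the blind index and an
// AES-256-GCM ciphertext (the latter would come from encrypt() above; a
// placeholder string stands in for it here).
type UserRow = { id: number; emailIndex: string; emailCiphertext: string };
const rows: UserRow[] = [
  { id: 1, emailIndex: blindIndex("Alice@Example.com"), emailCiphertext: "<aes-gcm blob>" },
  { id: 2, emailIndex: blindIndex("bob@example.com"), emailCiphertext: "<aes-gcm blob>" },
];

// Exact-match lookup without the database ever seeing the plaintext address.
function findUserByEmail(email: string): UserRow | undefined {
  const idx = blindIndex(email);
  return rows.find((r) => indexEquals(r.emailIndex, idx));
}
```

A blind index supports exact-match lookup only; prefix or substring search over the encrypted column is not possible with this design, which is the point.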
## Avoid
- Storing PII in plaintext — one database breach exposes everything
- Using ECB mode or AES without authentication (CBC without HMAC) — use GCM
- MD5 or SHA for password hashing — they are not password hashing algorithms
- Hardcoding encryption keys in source code — use environment variables or a KMS
- Sending sensitive data over HTTP, even internally — use TLS for all connections
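The backup rule (encrypt backups, keep the key separate from the data) as an added example using envelope encryption; this is not part of the skill file. `KEK`, `KEK_ID`, the `Bundle` layout and the backup id in the AAD are assumptions chosen for the example. A fresh data-encryption key (DEK) encrypts each backup; only the DEK is wrapped with the key-encryption key (KEK) held in the secrets manager, so the bundle on disk never contains the key that protects it.

```typescript
// Added example (not the skill's own code): envelope encryption for a backup.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Assumed: the KEK comes from the secrets manager / KMS. Fixed bytes here only
// so the example runs offline (constructed value; never do this in real code).
const KEK = Buffer.alloc(32, 0x4b);
const KEK_ID = "backup-kek-v1"; // recorded in the bundle so the KEK can be rotated later

type Sealed = { iv: Buffer; tag: Buffer; data: Buffer };
type Bundle = Sealed & { kekId: string; wrappedDek: Buffer; aad: string };

// AES-256-GCM with additional authenticated data (AAD) so the backup's
// identity is bound to the ciphertext: a bundle cannot be relabelled.
function gcmSeal(key: Buffer, plaintext: Buffer, aad: Buffer): Sealed {
  const iv = randomBytes(12); // 96-bit nonce, used once under this key
  const c = createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const data = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, tag: c.getAuthTag(), data };
}

function gcmOpen(key: Buffer, s: Sealed, aad: Buffer): Buffer {
  const d = createDecipheriv("aes-256-gcm", key, s.iv);
  d.setAAD(aad);
  d.setAuthTag(s.tag);
  return Buffer.concat([d.update(s.data), d.final()]); // final() throws on any tampering
}

function sealBackup(backupId: string, plaintext: Buffer, kek: Buffer = KEK): Bundle {
  const dek = randomBytes(32); // one-time key for this backup only
  const aad = `${KEK_ID}:${backupId}`;
  const body = gcmSeal(dek, plaintext, Buffer.from(aad));
  const wrap = gcmSeal(kek, dek, Buffer.from(aad)); // wrapped DEK = iv || tag || ct
  dek.fill(0); // drop the raw DEK from memory as soon as it is wrapped
  return { kekId: KEK_ID, wrappedDek: Buffer.concat([wrap.iv, wrap.tag, wrap.data]), aad, ...body };
}

function openBackup(bundle: Bundle, kek: Buffer = KEK): Buffer {
  if (bundle.kekId !== KEK_ID) throw new Error(`unknown KEK ${bundle.kekId}`);
  const w = bundle.wrappedDek;
  const aad = Buffer.from(bundle.aad);
  // Unwrap the DEK with the KEK first; a wrong KEK or altered AAD fails here.
  const dek = gcmOpen(kek, { iv: w.subarray(0, 12), tag: w.subarray(12, 28), data: w.subarray(28) }, aad);
  try {
    return gcmOpen(dek, bundle, aad);
  } finally {
    dek.fill(0);
  }
}
```

Restoring a backup therefore requires access to the KMS at restore time, which is the property the rule asks for: a copied backup file plus a copied database are still unreadable.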
Why Use the Data Encryption Skill?
Without this skill, your AI guesses at data encryption patterns. It might hallucinate deprecated APIs, use outdated conventions, or miss best practices entirely. With it, your AI follows a proven ruleset — every suggestion aligns with current standards.
Drop this skill into your project and your AI instantly knows the rules. Better code suggestions, fewer errors, faster shipping.
Try These Prompts
These prompts work better with the Data Encryption skill installed. Your AI knows the context and writes code that fits.
"Implement AES-256-GCM encryption for PII columns in my database"
"Add HSTS headers and HTTP to HTTPS redirect to enforce TLS everywhere"
"Create an encrypt/decrypt utility for sensitive user data with key management"
Data Encryption skill — FAQ
It provides rules for TLS configuration, AES-256-GCM encryption for PII, proper password hashing, and encrypted backup storage. Your AI writes encryption code that protects sensitive data at rest and in transit.
Run `npx skills add YepAPI/skills --skill data-encryption` in your project root. This copies the skill file into your repo where your AI coding tool can read it automatically.
Use AES-256-GCM for encrypting PII at the application level. GCM provides both encryption and authentication, preventing tampering. The skill includes a complete Node.js implementation with proper IV and auth tag handling.