By NHI Mgmt Group Editorial TeamPublished 2026-06-16Domain: Best PracticesSource: WorkOS

TL;DR: Encrypting PII before it reaches the database shifts protection from storage controls to application-layer key boundaries, so plain SQL queries, exports, and tenant-leak bugs return ciphertext instead of readable user data, according to WorkOS. That makes decryption scope, object lifecycle, and key context part of the identity governance problem, not just the cryptography problem.


At a glance

What this is: This tutorial shows how application-layer encryption with WorkOS Vault keeps PII out of the database and ties encryption boundaries to organisation context.

Why it matters: It matters because IAM, NHI, and lifecycle teams need controls that protect data even when internal users, pipelines, or attackers can query the database directly.

👉 Read WorkOS's tutorial on encrypting PII with Vault in Node.js


Context

Encryption at rest only protects data on the storage medium. It does not protect PII once an engineer, analytics pipeline, or compromised database credential can issue a query, which is why application-layer encryption changes the real security boundary for multi-tenant identity programmes.

In this pattern, the database stores Vault object IDs instead of plaintext values, and the encryption key context is tied to the organisation ID. That makes tenant separation a governance control, not just an application design choice, because a leak in one tenant should not become a cross-tenant decryption path.


Key questions

Q: How should security teams protect PII when database encryption at rest is not enough?

A: Move the protection boundary into the application so sensitive values are encrypted before they reach the database. Store only opaque object references, keep the key context tied to the tenant, and restrict decryption to the exact workflows that truly need plaintext. That design limits the damage from SQL access, exports, and internal query abuse.

Q: Why does tenant-bound key context matter for encrypted user data?

A: Tenant-bound key context matters because it prevents one organisation's data from being decrypted with another organisation's key material. In multi-tenant systems, the critical failure is cross-tenant exposure, not just data loss. Matching the key boundary to the tenancy boundary turns encryption into an isolation control, not just a storage control.

Q: What do teams get wrong about deleting encrypted PII?

A: They often delete the plaintext row but leave copies behind in backups, analytics extracts, logs, or secondary tables. A Vault-style lifecycle works better because the application stores only IDs and deletion is performed on the encrypted object itself. The result is clearer erasure, provided every reference column is cleared too.

Q: How can organisations reduce unnecessary decryption of sensitive fields?

A: Use metadata-only operations for existence checks, version checks, and audit review, and decrypt only when a workflow actually needs the plaintext. That keeps sensitive values out of memory and logs for most requests. It also makes access review easier, because you can separate object management from data disclosure.


Technical breakdown

Application-layer encryption changes the trust boundary

Application-layer encryption means sensitive values are encrypted before they are written to the database, rather than relying on storage-layer encryption alone. The database can still be queried, exported, backed up, or copied, but it only sees ciphertext and object references. The practical shift is that decryption authority moves into a separate service boundary, so access to the database no longer implies access to readable PII. That matters in multi-tenant SaaS because tenant isolation must survive internal access, not just external compromise.

Practical implication: treat database access as insufficient protection and place encryption boundaries around the application object lifecycle, not just the storage layer.

Key context and object IDs enforce tenant separation

Vault operations use a context value, such as organisation ID, to choose the encryption key boundary for each object. The application stores the returned object ID, not the plaintext, so later reads and updates depend on the Vault reference rather than the raw value. This is a governance model as much as a technical one, because a leaked ID is not the same as a leaked secret when the context boundary is enforced correctly. In practice, the organisation context becomes part of the identity boundary for each PII record.

Practical implication: bind every sensitive object to the correct tenant context and persist only opaque Vault IDs in application records.

Describe, update, and delete operations separate lifecycle control from plaintext exposure

describeObject returns metadata such as object ID and version without decrypting the value, which is useful for existence checks, audit trails, and optimistic concurrency. updateObject changes the encrypted value while versionCheck prevents silent overwrite if another process has already changed the object. deleteObject removes the object so subsequent reads fail. Together, these operations create a lifecycle model where plaintext exists only when needed, and only for the shortest possible time. That reduces accidental exposure in logs, memory, and support workflows.

Practical implication: use metadata-only checks for most workflows, and reserve decryption for the exact moments when the application must display or process plaintext.



NHI Mgmt Group analysis

Application-layer encryption is the right response when storage-layer trust has already failed. Encryption at rest protects hardware loss, not database query privilege, API leakage, or internal export abuse. Once a team accepts that engineers, pipelines, and attackers can reach the data plane, the real control becomes where plaintext is allowed to exist. The implication is that identity governance must account for read paths, not just storage locations.

Vault object IDs create a narrow but meaningful control surface for PII governance. When the database stores opaque references instead of values, an exposure event becomes materially harder to exploit because the attacker no longer gets usable PII by default. That does not remove risk, but it changes blast radius and response priorities. Practitioners should treat object reference handling as part of the access model, not just a persistence detail.

Cryptographic key isolation by organisation context is a tenancy-control pattern, not a developer convenience. The same database row can become safe or unsafe depending on whether the key boundary matches the tenant boundary. This is especially important in multi-tenant SaaS, where cross-tenant decryption is the failure that matters most. The practitioner takeaway is that key context belongs in governance review alongside access reviews and offboarding logic.

PII lifecycle controls now overlap with identity lifecycle controls. The full CRUD pattern shows that create, read, update, and delete are not just data operations. They are governance events that determine who can materialise plaintext, when versions can change, and how erasure is completed. Teams that already manage non-human identity lifecycles should recognise the same discipline here: the security question is not only who can store data, but who can later recover it.

Application-layer encryption sharpens the boundary between human access and machine access, but it does not eliminate either. A support engineer, analytics job, or service credential can still trigger decryption if the application allows it. That means human IAM, workload identity, and secret handling remain part of the same control chain. Practitioners should read this pattern as a governance model for controlled plaintext exposure, not as a replacement for access management.

From our research:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.
  • The operational next step is to pair lifecycle cleanup with secret hygiene, as outlined in Guide to the Secret Sprawl Challenge.

What this signals

Secret sprawl debt: when sensitive values are copied into databases, exports, queues, and support tooling, the governance problem is no longer encryption at rest but where plaintext is allowed to reappear. Teams should expect application-layer encryption to become a baseline requirement in multi-tenant environments, especially where internal query access is broad.

The strongest signal here is not cryptographic sophistication, but lifecycle discipline. If your programme cannot tell where a protected value exists, who can decrypt it, and how it is deleted, the control is incomplete even when the database is encrypted. That makes object metadata, tenant context, and offboarding hygiene part of the same audit story.

For identity programmes that already manage service accounts and secrets, the pattern is familiar: control the reference, control the boundary, and control the lifecycle. The practical question is whether your current access model can tolerate plaintext only at the point of use, or whether it still depends on broad internal trust.


For practitioners

  • Store opaque Vault IDs in your application database Persist only the returned object IDs for email, phone, and address fields. Keep plaintext PII out of relational tables, exports, and debug-friendly denormalised copies so a query compromise returns references instead of usable personal data.
  • Bind each PII object to the correct organisation context Set the Vault context to the user's organisation ID for every create and update operation. Review tenant-boundary bugs as decryption risks, because a misplaced context value can break isolation even when the application logic looks correct.
  • Use describeObject for metadata checks only Check existence, version, and audit metadata without decrypting values unless plaintext is required. This reduces unnecessary exposure in memory and logs and keeps routine governance checks from becoming decryption events.

Key takeaways

  • Database encryption at rest does not protect PII once query access, exports, or internal credentials can reach it.
  • Storing opaque Vault IDs and tenant-bound key context turns encryption into a governance control, not just a storage feature.
  • The safest lifecycle is one where plaintext exists only at the moment of use and deletion removes the recoverable object itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01PII stored as IDs and encrypted objects maps to secret exposure and lifecycle control.
NIST CSF 2.0PR.AC-4Tenant-bound key context and access boundaries support least-privilege data access.
NIST Zero Trust (SP 800-207)PR.AC-1Application-layer encryption supports explicit trust boundaries beyond the storage tier.

Assume internal data paths are not trusted and restrict plaintext exposure to verified workflows.


Key terms

  • Application-layer encryption: Application-layer encryption means sensitive data is encrypted before it is written to storage, rather than relying only on disk or database encryption. The application decides when plaintext is created, while the encryption boundary is enforced outside the database, which reduces exposure from queries, exports, and backup copies.
  • Key context: Key context is the metadata used to select the correct encryption boundary for a data object, such as an organisation or tenant identifier. It ensures the same field can be protected differently depending on where it belongs, which is essential in multi-tenant systems and regulated-data separation.
  • Optimistic concurrency: Optimistic concurrency is a control pattern that prevents silent overwrites when multiple processes update the same object. A version check confirms the object has not changed since it was last read, so the application can reject or retry conflicting writes instead of losing data unnoticed.
  • Plaintext exposure window: A plaintext exposure window is the period when sensitive data exists in readable form in memory, logs, network responses, or application state. Minimising that window reduces the number of places where an attacker, insider, or misconfiguration can capture the data after decryption occurs.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.

This post draws on content published by WorkOS: Encrypting PII in a Node.js app with WorkOS Vault. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org