API Key Security & Encryption
Your AI API keys are credentials that grant access to your provider account and affect your billing. Evrykit takes several steps to ensure they are stored safely and never exposed unnecessarily.
How Keys Are Stored
When you save an API key in Settings → AI Keys, Evrykit immediately encrypts it before writing anything to the database. The original key value is never persisted in plaintext anywhere in the system.
Encryption Algorithm
Keys are encrypted using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). This is the same algorithm used by modern browsers for HTTPS and by major cloud providers for at-rest encryption.
Each encrypted value is self-contained and uses the format:
base64( IV[12 bytes] + ciphertext + auth_tag[16 bytes] )
- IV (Initialisation Vector): A unique random 12-byte value generated fresh for every encryption operation. This means even if you save the same key twice, the stored ciphertext will be different each time.
- Auth tag: A 16-byte Galois authentication tag. If the ciphertext is tampered with in any way, decryption will fail with an error rather than silently returning corrupt data. This provides authenticated encryption: you cannot undetectably modify stored key data.
Encryption Key
The encryption key itself is derived from the ENCRYPTION_KEY environment variable, which is configured on your server and never stored in the database or committed to source control. This means that even if someone obtained a full database dump, they could not decrypt your API keys without also having the server's environment configuration.
What Is Displayed in the UI
The settings view never shows your full API key. When a key is configured, the display shows a masked preview in the form:
AIzaSy••••••••GZo
This shows the first 4 and last 3 characters only: enough to confirm which key is configured, but not enough to reconstruct it. The edit form placeholder shows the same masked value so you know a key is present without revealing it.
When Keys Are Used
A key is decrypted from the database exactly once per AI request, in memory, on the server, at the moment the request is made. The decrypted key value:
- Is used to make the HTTP request to the AI provider API
- Is never written to logs, session storage, or any persistent location
- Is discarded when the request completes
Keys are never sent to the browser. The frontend communicates with Evrykit's own /ai/report/analyze/stream endpoint, and Evrykit's backend handles the provider communication using the stored key.
Key Isolation Per Tenant
Each organisation (tenant) in Evrykit stores its own encrypted AI keys. One tenant's keys are completely separate from another's. There is no shared key pool and no way for one tenant to access another tenant's AI configuration.
What To Do If a Key Is Compromised
If you suspect an API key has been leaked (for example, if you accidentally pasted it somewhere public):
- Revoke the key immediately in the provider's dashboard:
  - Gemini: aistudio.google.com → API Keys → Delete
  - Claude: console.anthropic.com → API Keys → Disable
  - OpenAI: platform.openai.com/api-keys → Revoke
- Generate a new key from the same provider dashboard.
- Update the key in Evrykit via Settings → AI Keys. Paste the new key into the relevant field and save. The old encrypted value will be replaced.
- Check your provider's usage logs for any unexpected API calls that occurred while the key was exposed.
Recommendations
- Use a dedicated API key for Evrykit rather than reusing a key shared with other tools. This makes revocation clean and usage monitoring clear.
- If your provider supports it, restrict the key to specific IP addresses (your server's IP) to prevent the key from being usable if obtained externally.
- Rotate keys periodically; every 6 to 12 months is a reasonable practice for any long-lived credential.
- Never paste API keys into chat tools, emails, or shared documents. Always update them directly through the Settings page.