EncryptionConfig

EncryptionConfig = { mode: "none"; } | { mode: "sse-s3"; } | { kmsKeyId: string; mode: "sse-kms"; } | { info?: string; masterKey: Uint8Array; mode: "client-aes256-gcm"; } | { info?: string; masterKeys: MasterKeyRing; mode: "client-aes256-gcm"; }

Defined in: src/persistence/PersistenceOptions.ts:70

Encryption directive — supports server-side modes (handed to the backend as a header / param) and client-side AES-256-GCM with a 32-byte master key from which a per-pid subkey is derived via HKDF.

The client-side variant accepts either a single masterKey (legacy, implicitly version 0 — backwards compatible with bodies written before rotation support landed) or a masterKeys ring with one active entry plus optional retired entries (#8).