Deployments and Infrastructure > Extensions > Encryption
Encryption
Learn how to configure and use the built-in encryption service in Webiny.
- how to configure the encryption passphrase in
webiny.config.tsx - how to inject and use the
Encryptionservice in your API extensions
Overview
Webiny includes a built-in encryption service that lets you encrypt and decrypt strings using AES-256-GCM. It is available as a DI token (Encryption) that can be injected into any API feature.
The passphrase is configured in webiny.config.tsx via Infra.Encryption. When not configured, encrypt and decrypt pass values through unchanged, so existing deployments continue to work without modification.
Deploying to a production environment without encryption configured will fail with an error. Configure the passphrase before deploying to production.
Configuration
Set the passphrase in webiny.config.tsx. Scope it to production environments so development deployments are unaffected:
Store the passphrase in an environment variable and never commit it to source control.
Usage
Inject Encryption into any API feature:
Redeploying After Changes
After making changes, redeploy by running the webiny deploy command:
Use --env <name> to target a specific environment if needed.