Encryption Overview
FluentDynamoDB supports field-level encryption using AWS KMS and the AWS Encryption SDK.
How It Works
FluentDynamoDB uses envelope encryption to protect sensitive fields. Mark any property with [Encrypted] and the library handles encryption on write and decryption on read:
```csharp
[DynamoDbTable("customers")]
public partial class Customer
{
    [PartitionKey]
    [DynamoDbAttribute("pk")]
    public string CustomerId { get; set; } = string.Empty;

    [Encrypted]
    [Sensitive]
    [DynamoDbAttribute("ssn")]
    public string SocialSecurityNumber { get; set; } = string.Empty;
}
```
Configure the encryptor when creating your table instance:
```csharp
var keyResolver = new DefaultKmsKeyResolver("arn:aws:kms:us-east-1:123456789012:key/my-key-id");
var encryptor = new AwsEncryptionSdkFieldEncryptor(keyResolver);
var options = new FluentDynamoDbOptions()
    .WithEncryption(encryptor);
var table = new CustomersTable(client, "customers", options);
```
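A check worth running once the encryptor is wired up is to confirm that the [Encrypted] field really lands in DynamoDB as ciphertext and comes back as plaintext through the table. The following is an added example, not part of FluentDynamoDB or this page; it assumes the generated CustomersTable exposes PutAsync and GetAsync (hypothetical names, substitute whatever your generated class provides) and uses the low-level AWS SDK GetItemAsync to read the stored item directly.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.DynamoDBv2;
using Amazon.DynamoDBv2.Model;

public static class EncryptionRoundTripCheck
{
    // PutAsync/GetAsync on CustomersTable are assumed method names (hypothetical);
    // the table must have been built with options.WithEncryption(encryptor).
    public static async Task RunAsync(IAmazonDynamoDB client, CustomersTable table)
    {
        var customer = new Customer
        {
            CustomerId = "cust-001",              // constructed sample value
            SocialSecurityNumber = "123-45-6789"  // constructed sample value, not a real SSN
        };

        await table.PutAsync(customer);

        // 1. Read the raw item with the low-level SDK, bypassing the library's decryption.
        var raw = await client.GetItemAsync(new GetItemRequest
        {
            TableName = "customers",
            Key = new Dictionary<string, AttributeValue>
            {
                ["pk"] = new AttributeValue { S = customer.CustomerId }
            },
            ConsistentRead = true
        });

        if (!raw.Item.TryGetValue("ssn", out var stored))
            throw new InvalidOperationException("ssn attribute missing from stored item");

        // Whether the encryptor stores ciphertext as a string or as binary, the stored
        // value must never equal the plaintext. Equality means the encryptor was not
        // applied (for example, options not passed to the table) and the field is in clear.
        if (stored.S == customer.SocialSecurityNumber)
            throw new InvalidOperationException("ssn was written in plaintext: encryption is not active");
        Console.WriteLine($"Stored ssn is not plaintext (binary: {stored.B != null}, string: {stored.S != null})");

        // 2. Read through the table: the library must decrypt back to the original value.
        var loaded = await table.GetAsync(customer.CustomerId);
        if (loaded?.SocialSecurityNumber != customer.SocialSecurityNumber)
            throw new InvalidOperationException("decryption did not restore the original value");
        Console.WriteLine("Round trip OK: encrypted at rest, decrypted on read");
    }
}
```

Run this against a non-production table with a test KMS key; a failure on the first check is the one to treat as an incident, since it means the sensitive attribute is sitting in the table unencrypted.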
When to Use Encryption
- Sensitive personal data (PII)
- Financial information
- Healthcare records (HIPAA)
- Compliance requirements (GDPR, PCI-DSS)
Performance Considerations
Field-level encryption adds cryptographic work and KMS interaction to every read and write of an encrypted field, so encrypt only the fields that need it, not entire items. The envelope encryption pattern minimizes KMS API calls by generating a single data key per operation rather than calling KMS for each field.
Next Steps
- KMS Setup - Create and configure your KMS key
- Field-Level Encryption - Mark fields for encryption
- Envelope Encryption - Understand the encryption pattern