# Data Encryption
Data Encryption can be applied to workflow-specific variables and submitted form data. Which data will be encrypted at which level is defined in the workflow.
> Data is always stored unencrypted in the database layer.
# Encryption Configuration
Encryption configuration is set at the JSON Schema level. There are two types of JSON schema in the project. The first is the schemas defined for each transition. The second is the schemas for the fields used by the /data endpoints, which include workflow variables or data returned by workers within workflows.
## Sample Schema including "$encrypt" configuration.
```json
{
  "$id": "https://example.com/person.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "Person",
  "type": "object",
  "properties": {
    "firstName": {
      "type": "string",
      "description": "The person's first name."
    },
    "lastName": {
      "type": "string",
      "description": "The person's last name.",
      "$encrypt": true
    },
    "age": {
      "description": "Age in years which must be equal to or greater than zero.",
      "type": "integer",
      "minimum": 0
    }
  }
}
```
# Encryption Points
## "$encrypt": false
```mermaid
sequenceDiagram
participant C as Client
participant G as Gateway
participant A as Amorphie
participant W as Workflow Engine
participant S as Sub Service
C->>G: Not Encrypted
G->>A: Not Encrypted
A->>W: Not Encrypted
W->>S: Not Encrypted
```
## "$encrypt": true && Client has an mTLS connection
```mermaid
sequenceDiagram
participant C as Client
participant G as Gateway
participant A as Amorphie
participant W as Workflow Engine
participant S as Sub Service
C->>G: Encrypted (With Client key)
G->>A: Encrypted (With GW key)
A->>W: Encrypted
W->>S: Not Encrypted
```
## "$encrypt": true && Client does **not** have an mTLS connection
```mermaid
sequenceDiagram
participant C as Client
participant G as Gateway
participant A as Amorphie
participant W as Workflow Engine
participant S as Sub Service
C->>G: Not Encrypted
G->>A: Encrypted (With GW key)
A->>W: Encrypted
W->>S: Not Encrypted
```
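
The schema marker and the three sequence diagrams above can be combined into a per-field exposure report. The following is an added example, not code from the project: it walks a schema for `"$encrypt": true` and lists the hops on which each field travels unencrypted. The function names, the hop labels, and the recursion into nested `properties` and `items` are assumptions made for illustration.

```python
# Added example; names and hop labels are illustrative, not the project's API.
HOPS = ["Client->Gateway", "Gateway->Amorphie",
        "Amorphie->Workflow Engine", "Workflow Engine->Sub Service"]

# The page's sample schema, reduced to the keys that matter here.
PERSON_SCHEMA = {
    "type": "object",
    "properties": {
        "firstName": {"type": "string"},
        "lastName": {"type": "string", "$encrypt": True},
        "age": {"type": "integer", "minimum": 0},
    },
}

def walk(schema, prefix=""):
    """Yield (dotted path, marked) for every property in the schema."""
    for name, sub in schema.get("properties", {}).items():
        path = f"{prefix}.{name}" if prefix else name
        # Each property is judged by its own marker only (assumption:
        # a marker on a parent object is not inherited by its children).
        yield path, sub.get("$encrypt") is True
        yield from walk(sub, path)  # nested object properties
        if isinstance(sub.get("items"), dict):
            yield from walk(sub["items"], path + "[]")  # array elements

def hop_states(encrypt, client_mtls):
    """State of one field on each hop, following the three diagrams."""
    if not encrypt:
        return dict.fromkeys(HOPS, "Not Encrypted")
    return {
        HOPS[0]: "Encrypted (With Client key)" if client_mtls else "Not Encrypted",
        HOPS[1]: "Encrypted (With GW key)",
        HOPS[2]: "Encrypted",
        HOPS[3]: "Not Encrypted",
    }

def cleartext_exposure(schema, client_mtls):
    """Map each property path to the hops where it is not encrypted."""
    return {
        path: [hop for hop, state in hop_states(marked, client_mtls).items()
               if state == "Not Encrypted"]
        for path, marked in walk(schema)
    }

if __name__ == "__main__":
    for mtls in (True, False):
        print("mTLS" if mtls else "no mTLS", cleartext_exposure(PERSON_SCHEMA, mtls))
```

The report covers only the hops shown in the diagrams; per the note at the top of the page, the database layer stores the data unencrypted regardless of the marker.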