Custom Tag-based field encryption/decryption blog series


From the Health Insurance Portability and Affordability Act (HIPAA) of the United States to the latest General Data Protection Regulation (GDPR) of the European Union, various compliance regulations have requirements for data field encryption/decryption to ensure data privacy and security. It is inevitable to encrypt data at rest to comply with the various compliance standard rules.

Data encryption isometric flowchartFig 1: Data encryption isometric flowchart.

Encryption has its own set of challenges and efforts involved and might be time-consuming based on the complexity and number of fields, and the functional impact it influences on the system. To tackle this, an in-home framework for encryption/decryption which requires minimum changes from a developer has been developed. This framework is reliable, robust, and adapts itself well for any key rotations.

Advanced Encryption Standard (AES-256) has been used for the above framework.

AES encryption is a symmetric method established by the U.S. National Institute of Standards and Technology. Through a series of robust security steps and a complex 256-bit decryption key, this standard is nearly impossible to break with brute-force methods and has been approved for the handling of confidential data by the U.S. Government.

Possible ways of encrypting and decrypting the data are:

  • At the database layer.
  • At the code layer using standard package.
  • At the code layer, using third-party libraries.

However, some of the drawbacks that come along while implementing the above steps are:

  • There is a manual task involved to encrypt the data before inserting it into DB and then decrypting back to show the API response.
  • Increases Broilerplate code
  • Dependency on third-party libraries
  • Requires more development efforts (Typically 1- 2 days based on complexity)


A custom tag-based field encryption-decryption framework has been developed for a project using Golang as a back-end programming language. The framework is currently developed in a private setup.

Some benefits of the framework are:

  • Easy to plug in.
  • Can be reused by any number of projects
  • Less / No Broilerplate code
  • Considerable effort and time savings.

Steps to encrypt and decrypt using the newly developed framework.

  • Add a tag named `transcode:”” ` across the fields that need to be encrypted
  • Invoke the encode and decode methods of the framework to encrypt and decrypt the data, respectively.

Under the hood of the framework

  • The 32 bytes key is maintained in the secret manager and read via the environment file.
  • The Block Cipher is formed only once during server startup using the above key.
  • The framework uses the reflection technique to read the tags from the struct.
  • It encodes/decodes the field accordingly based on the type of the field.

Let’s dive into the implementation using the custom tag-based field encryption framework

need to be encrypted-decryptedFig 2: The above snippet shows the tags across the fields that need to be encrypted-decrypted.

customer’s first name, last name, and email IDFig 3: The above example helps to encrypt the customer’s first name, last name, and email ID.

customer’s first name, last name, and email ID.Fig 4: The above example helps to decrypt the customer’s first name, last name, and email ID.

How is the framework unique and efficient?

  • The framework is scalable and works seamlessly with all projects running on Golang.
  • There is not much of an impact on the performance, as the blob cipher is formed using the 32 bytes key on the server start-up.
  • Third-party packages in the market provide encrypting features, but they do not support encryption and decryption together.

Future Scope

In the above example, tag-based encryption and decryption are achieved with a minimal amount of coding effort. However, there is a scope for optimization in the area where the Encode and Decode methods are invoked. Instead of calling these methods every time encryption or decryption is required, what if the fields got encrypted just by adding only tags and a few gorm hooks?

Stay tuned for the second part of this blog to know more about this…. and contact us for details or visit us

Authored by –

Abhilash Bhat