This release introduces first-class support for deterministic encryption and blind indexes, and hardens token parsing by validating encrypter IDs.
Breaking Changes
The driver contract now requires custom drivers to implement:
blindIndex(payload, purpose): string
blindIndexes(payload, purpose): string[]
If you maintain custom drivers, update them to match the new interface before upgrading.
New Features
Deterministic Encryption (AES-SIV)
This release introduces deterministic encryption through a new AES-SIV driver, designed for equality lookups on encrypted values.
import { Encryption } from '@boringnode/encryption'
import { aessiv } from '@boringnode/encryption/drivers/aes_siv'
const encryption = new Encryption(
  aessiv({
    id: 'users_email',
    key: process.env.APP_KEY!,
  })
)

You can then query deterministically encrypted values directly:
SELECT id, email_encrypted
FROM users
WHERE email_encrypted = :encrypted_email;

Blind Indexes
This release also adds blind index APIs across drivers, Encryption, and EncryptionManager, so you can perform equality lookups with dedicated index values, including key-rotation-friendly IN queries.
const indexes = encryption.blindIndexes('foo@example.com', 'users.email')

SELECT id, email_encrypted
FROM users
WHERE email_bidx IN (:idx1, :idx2, :idx3);

Bug Fixes
Encrypter IDs are now validated to prevent parsing ambiguity in ciphertext tokens:
id must be non-empty
id cannot contain .
Invalid IDs now fail fast with E_INVALID_ENCRYPTER_ID.
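
The key-rotation-friendly IN lookup from the Blind Indexes section, sketched as an added example that is not the library's own code: one index value is derived per configured key, so a row written under an older key still matches. Assumptions: the HMAC-SHA256 construction, the input normalization, the key values, and the in-memory rows are all constructed for illustration and do not describe how @boringnode/encryption derives its indexes.

```javascript
// Added illustration, NOT the @boringnode/encryption implementation.
const { createHmac } = require('node:crypto')

// Constructed sample keys, newest first (hypothetical values).
const KEYS = ['constructed-key-2025', 'constructed-key-2024']

// One blind index: a keyed hash of the payload, bound to a purpose so the
// same value indexed for another column yields an unrelated index.
function blindIndex(key, payload, purpose) {
  // Assumption: normalize before hashing, because a blind index only
  // matches on exact bytes ("Foo@..." and "foo@..." would otherwise differ).
  const normalized = payload.trim().toLowerCase()
  return createHmac('sha256', key)
    // Length-prefix the purpose so (purpose, payload) pairs cannot collide.
    .update(purpose.length + ':' + purpose + ':' + normalized)
    .digest('hex')
}

// One candidate index per key, for use in a "WHERE email_bidx IN (...)" query.
function blindIndexes(keys, payload, purpose) {
  return keys.map((key) => blindIndex(key, payload, purpose))
}

// Constructed rows standing in for the users table.
const rows = [
  // Written before rotation, under the older key.
  { id: 1, email_bidx: blindIndex(KEYS[1], 'foo@example.com', 'users.email') },
  // Written after rotation, under the current key.
  { id: 2, email_bidx: blindIndex(KEYS[0], 'bar@example.com', 'users.email') },
]

// In-memory equivalent of: SELECT id FROM users WHERE email_bidx IN (:idx1, :idx2)
function findByEmail(email) {
  const candidates = blindIndexes(KEYS, email, 'users.email')
  return rows.filter((row) => candidates.includes(row.email_bidx)).map((row) => row.id)
}
```

Once every row has been re-indexed under the current key, the older key can be dropped from the list and the IN clause shrinks to a single value.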