Inbound Relay

Collect sensitive data without touching it in plaintext.

Automatically encrypt sensitive data at the field level before it enters your app, and decrypt it as it leaves. Integrate in 5 minutes by including our SDK and changing a DNS record.

Using Inbound Relay means you can collect sensitive data (like credit card numbers, SSNs, credentials and health data) from your users and share it with third parties without ever handling it in plaintext.

How Inbound Relay Works

Start encrypting sensitive data in minutes.

  1. Set Relay domain: Point your app to Relay and set its target using either an auto-generated Evervault domain or your own custom domain.
  2. Add fields to encrypt: Select global or route-specific fields for Relay to automatically encrypt and decrypt.
Evervault Dashboard → Create Relay

Relay can be configured to intercept and encrypt inbound data to your API. By providing us with the URL or DNS targets for your API, we will generate a new Relay URL on the subdomain. All requests to this Relay subdomain will be terminated by Evervault. Relay isolates the fields to be encrypted and passes them to E3 for encryption. Relay then reconstructs the original request and passes it on to your API transparently.

If you'd prefer to use your own domain name, you can simply specify a custom domain when you create your Relay. The dashboard will guide you through the steps necessary to create a CNAME record and point your domain name to Relay.

All responses that your API returns will be passed back to the client transparently through Relay. Any fields returned containing encrypted data will also be decrypted before being returned to the client. This means your infrastructure never handles anything other than ciphertext, but your users can still see requests and responses in plaintext.

Relay supports WebSockets. Simply use your Relay hostname as the WebSocket target and we will transparently encrypt/decrypt all client-server and server-client messages containing JSON.

You can specify fields to encrypt by name or by using JSONPath selectors in the Evervault Dashboard.

Relay supports field encryption up to a payload size of 10MB.

You don’t need to change your database configuration, although Evervault-encrypted strings are marginally longer than the original value. This may require you to increase length limits on fields, as well as convert certain datatypes from numeric values to strings. You can store Evervault-encrypted data in your database as you would the plaintext version.
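The request and response flow described above, together with the storage note about longer values and numeric-to-string conversion, as an added example run locally in Node.js. It is not Evervault's code or ciphertext format: AES-256-GCM with a local key stands in for E3, and the `enc:` prefix, field names and sample request are assumptions made for illustration.

```javascript
// Added illustration, not Evervault code: a local stand-in for Relay's field-level pass.
// The key, the "enc:" envelope and the field names below are assumptions.
const nodeCrypto = require('crypto');

const KEY = nodeCrypto.randomBytes(32);         // stand-in for a key held outside your app
const FIELDS = new Set(['cardNumber', 'ssn']);  // fields selected by name (constructed)
const PREFIX = 'enc:';                          // hypothetical ciphertext marker

function encryptValue(value) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', KEY, iv);
  // JSON-encode first so numbers and strings both survive the round trip.
  const body = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()]);
  return PREFIX + Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptValue(text) {
  const raw = Buffer.from(text.slice(PREFIX.length), 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));    // final() throws if the value was altered
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Walk a parsed JSON body and rebuild it, transforming only the matching values.
function walk(node, shouldTransform, transform, key) {
  if (shouldTransform(key, node)) return transform(node);
  if (Array.isArray(node)) return node.map((item) => walk(item, shouldTransform, transform, key));
  if (node !== null && typeof node === 'object') {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, walk(v, shouldTransform, transform, k)]));
  }
  return node;
}

// Inbound: selected fields become ciphertext strings before the API sees the body.
const inbound = (body) => walk(body,
  (key, v) => FIELDS.has(key) && (typeof v === 'string' || typeof v === 'number'), encryptValue);

// Outbound: ciphertext strings in the API's response are decrypted for the client.
const outbound = (body) => walk(body,
  (key, v) => typeof v === 'string' && v.startsWith(PREFIX), decryptValue);

// Constructed sample request; cardNumber is numeric on purpose.
const request = { user: 'alice', payment: { cardNumber: 4242424242424242, ssn: '000-00-0000' } };
```

What the API would store from `inbound(request)` is a string for `cardNumber`, several times longer than the 16-digit number it replaces, which is why column types and length limits may need adjusting.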
