From lgpd-skills
Configures encryption at rest, in transit, and key management aligned with LGPD Art. 46 and ANPD guidelines. Includes column-level encryption with Prisma/PostgreSQL and KMS setup.
Slash command: `/lgpd-skills:lgpd-encryption-keys`
Legal basis: LGPD Art. 46 + ANPD's Guia de Segurança da Informação para ATPP (Information Security Guide for small processing agents, 2021).
- HSTS (max-age=31536000; includeSubDomains; preload)
- Certificate pinning (react-native-ssl-pinning or equivalent)

For CPF, biometrics, health data and auth tokens, add column-level encryption on top of TDE:
```ts
// lib/crypto/field-encryption.ts
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// loadKeyFromKMS() is the application's own KMS loader (not shown on this page);
// it must return a 32-byte Buffer. Top-level await requires an ESM module.
const KEY: Buffer = await loadKeyFromKMS(); // 32 bytes = AES-256

// Encoded layout: base64( iv[12] | authTag[16] | ciphertext )
export function encryptField(plain: string): string {
  const iv = randomBytes(12); // fresh 96-bit nonce per value; never reuse with the same key
  const cipher = createCipheriv("aes-256-gcm", KEY, iv);
  const enc = Buffer.concat([cipher.update(plain, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([iv, tag, enc]).toString("base64");
}

export function decryptField(encoded: string): string {
  const buf = Buffer.from(encoded, "base64");
  if (buf.length < 28) throw new Error("ciphertext too short: missing iv/tag");
  const iv = buf.subarray(0, 12);
  const tag = buf.subarray(12, 28);
  const enc = buf.subarray(28);
  const decipher = createDecipheriv("aes-256-gcm", KEY, iv);
  decipher.setAuthTag(tag); // final() throws if the tag does not verify (tampering or wrong key)
  return Buffer.concat([decipher.update(enc), decipher.final()]).toString("utf8");
}
```
Prisma extension for transparent encryption:
```ts
import { PrismaClient } from "@prisma/client";
import { encryptField, decryptField } from "./lib/crypto/field-encryption";

// Only create/findUnique are hooked here; update, upsert, findMany and findFirst
// need the same treatment or CPFs will be stored in clear or returned encrypted.
// Because each value gets a random IV, `where: { cpf }` lookups no longer match;
// search by CPF needs a separate blind index (e.g. HMAC of the normalized CPF).
const prisma = new PrismaClient().$extends({
  query: {
    user: {
      async create({ args, query }) {
        if (args.data.cpf) args.data.cpf = encryptField(args.data.cpf);
        return query(args);
      },
      async findUnique({ args, query }) {
        const r = await query(args);
        if (r?.cpf) r.cpf = decryptField(r.cpf);
        return r;
      },
    },
  },
});
```
Use a managed KMS (AWS KMS, GCP KMS, Azure Key Vault) or HashiCorp Vault for application keys.
To support Art. 18, VI (erasure):
Useful when other fields are under a legal retention requirement but the rest must remain erasable.
Better Auth uses a standard hash (Argon2id or bcrypt). Configure:
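Crypto-shredding as described above, as an added example (not code from the lgpd-skills plugin): each data subject gets its own data-encryption key (DEK), wrapped with a master key; erasing the subject means deleting the DEK, after which every ciphertext for that subject, including copies in backups, is unreadable. The master key is generated inline here for a runnable demo; in production it comes from the KMS, and the DEK store is a table, not a Map.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed for the demo; in production the master key lives in the KMS.
const MASTER_KEY = randomBytes(32);

// Per-subject DEKs, stored wrapped (envelope encryption). Assumed in-memory store.
const dekStore = new Map<string, Buffer>();

// Layout: iv[12] | authTag[16] | ciphertext
function aeadEncrypt(key: Buffer, plain: Buffer): Buffer {
  const iv = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, iv);
  const enc = Buffer.concat([c.update(plain), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), enc]);
}

function aeadDecrypt(key: Buffer, blob: Buffer): Buffer {
  if (blob.length < 28) throw new Error("blob too short");
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Generate a fresh DEK for a subject and store it wrapped with the master key.
export function createSubjectKey(subjectId: string): void {
  dekStore.set(subjectId, aeadEncrypt(MASTER_KEY, randomBytes(32)));
}

function subjectDek(subjectId: string): Buffer {
  const wrapped = dekStore.get(subjectId);
  if (!wrapped) throw new Error(`no key for ${subjectId}: shredded or never created`);
  return aeadDecrypt(MASTER_KEY, wrapped);
}

export function encryptForSubject(subjectId: string, plain: string): string {
  return aeadEncrypt(subjectDek(subjectId), Buffer.from(plain, "utf8")).toString("base64");
}

export function decryptForSubject(subjectId: string, encoded: string): string {
  return aeadDecrypt(subjectDek(subjectId), Buffer.from(encoded, "base64")).toString("utf8");
}

// Erasure (Art. 18, VI): drop the DEK. Rows under legal retention keep their
// other columns; the encrypted ones become permanently unreadable.
export function shredSubject(subjectId: string): void {
  dekStore.delete(subjectId);
}

export function canDecrypt(subjectId: string, encoded: string): boolean {
  try { decryptForSubject(subjectId, encoded); return true; } catch { return false; }
}
```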
## F7 — Encryption ✓
- TLS 1.3 + HSTS confirmed
- TDE enabled on Postgres
- KMS configured with 3 keys (identity, financial, health)
- Crypto-shredding implemented for critical fields
- Annual rotation on the calendar
- Next: lgpd-retention-erasure
Install: `npx claudepluginhub goul4rt/lgpd-skills --plugin lgpd-skills`