Vercel

Vercel Adds Automatic End-to-End Encryption to Workflow DevKit


Executive Summary

Vercel has launched automatic end-to-end encryption for its Workflow DevKit, securing all data flowing through a workflow's event log without requiring any code changes from developers. This feature encrypts sensitive information such as API keys and user credentials, ensuring that only ciphertext is stored. Developers can decrypt data on-demand via the web dashboard or CLI, with access controlled by existing permissions and all decryption events tracked in the audit log.

Key Takeaways

* Automatic E2EE: Workflow inputs, step arguments, return values, and other data are automatically encrypted with AES-256-GCM before being written to the event log.

* Zero-Configuration: The feature is enabled by default on Vercel and requires no developer intervention or code modification.

* Secure Decryption Methods: Data can be decrypted either in the browser via the Web Crypto API (ensuring the server never sees plaintext) or through a CLI command with a `--decrypt` flag.

* Per-Deployment Keys: Each Vercel deployment receives a unique encryption key, and each individual workflow run derives its own unique key from it.

* Permission & Audit Controls: Decryption access is tied to a user's permission to view project environment variables, and every decryption request is recorded in the Vercel audit log.

* Extensibility: Custom "World" implementations can opt into the feature by providing their own encryption key method.

Strategic Importance

This feature significantly strengthens Vercel's security posture, making its workflow tooling more suitable for enterprise-grade applications and use cases involving sensitive data processing.

Original article