Encrypted Credential Storage & Key Rotation
Available from v1.0.6
Sidekick stores credentials for all connected accounts — OAuth tokens, API keys, and service secrets — encrypted at rest using AES-256-GCM. This page describes how encryption works, how key rotation operates, and how to manage encryption from your account.
Encryption at Rest
Every credential Sidekick holds on your behalf is encrypted before being persisted to storage. The encryption algorithm used is AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode), which provides both confidentiality and integrity guarantees.
This covers:
- OAuth access tokens and refresh tokens (e.g. Google, GitHub, Slack)
- API keys for connected services
- Any other service secrets associated with your integrations
No credentials are stored in plaintext at any layer of the stack.
Key Rotation
Encryption keys are rotated periodically to limit the blast radius of any potential key compromise. Sidekick supports both automatic and manual key rotation.
Automatic Rotation
Sidekick performs scheduled key rotation automatically. During a rotation:
- A new encryption key is generated.
- All stored credentials are re-encrypted with the new key in the background.
- The old key is retired once re-encryption is complete.
This process is zero-downtime — active sessions, running automations, and connected integrations continue operating without interruption throughout the rotation.
Manual Rotation
You can trigger a key rotation at any time from your account security settings:
- Navigate to Settings → Security.
- Under the Credential Encryption section, click Rotate Encryption Key.
- Confirm the action. Re-encryption begins immediately in the background.
- The Encryption Status panel will update once rotation is complete.
Encryption Status
The Encryption Status view in your dashboard provides visibility into the current state of your stored credentials:
| Field | Description |
|---|---|
| Encryption Algorithm | The algorithm currently in use (AES-256-GCM) |
| Last Rotation | Timestamp of the most recent key rotation |
| Status | Whether credentials are fully encrypted and up to date |
To view encryption status: navigate to Settings → Security → Credential Encryption.
Migration for Existing Accounts
Accounts created before v1.0.6 are upgraded automatically. Credentials stored prior to this release are re-encrypted on first access, or during the next scheduled rotation cycle — whichever comes first. No manual action is required.
Frequently Asked Questions
Do I need to reconnect my integrations after a key rotation? No. Key rotation is transparent to all connected services. Your integrations remain active throughout the process.
What happens if a rotation is interrupted? Rotation is designed to be safe to restart. If a rotation is interrupted before completion, the system will resume re-encryption on the next rotation cycle. Credentials are never left in a partially encrypted state.
Can I see which specific credentials have been rotated? The Encryption Status view shows the overall status for your account. Per-credential rotation logs are not currently exposed in the UI.