docs(env): canonicalize FIELD_ENCRYPTION_KEY in .env.example (GOO-238)

Replace KYC_ENCRYPTION_KEY/KYC_ENCRYPTION_KEY_VERSION in .env.example with the canonical FIELD_ENCRYPTION_KEY/FIELD_ENCRYPTION_KEY_VERSION used by env-validation.ts and the rotation runbook. Update bootstrap.sh sed line to substitute the canonical name. Runtime still reads the legacy KYC_* vars as a deprecated fallback for existing operators. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-24 13:38:05 +07:00
parent 9af9e1d84a
commit e97a89c3f1
13 changed files with 101 additions and 29 deletions
--- a/.env.example
+++ b/.env.example
@@ -202,14 +202,19 @@ SENTRY_ORG=
 SENTRY_PROJECT=

 # -----------------------------------------------------------------------------
-# KYC Field Encryption (REQUIRED in production)
+# Field Encryption (REQUIRED in production)
 #
-# AES-256-GCM key for encrypting sensitive KYC data at rest.
+# AES-256-GCM key for encrypting sensitive PII (KYC and other user fields) at rest.
 # Must be exactly 64 hex characters (32 bytes).
 #   openssl rand -hex 32
+#
+# Canonical names: FIELD_ENCRYPTION_KEY / FIELD_ENCRYPTION_KEY_VERSION.
+# The runtime still reads legacy KYC_ENCRYPTION_KEY / KYC_ENCRYPTION_KEY_VERSION
+# as a deprecated fallback (see field-encryption.service.ts); new deployments
+# should set FIELD_ENCRYPTION_KEY only.
 # -----------------------------------------------------------------------------
-KYC_ENCRYPTION_KEY=<generate with: openssl rand -hex 32>
-KYC_ENCRYPTION_KEY_VERSION=1
+FIELD_ENCRYPTION_KEY=<generate with: openssl rand -hex 32>
+FIELD_ENCRYPTION_KEY_VERSION=1

 # -----------------------------------------------------------------------------
 # Logging