Security & Compliance
Data Encryption for Self-Hosted Platforms
Encryption in Transit (TLS)
All traffic must be served over HTTPS. On a typical VPS setup with Nginx:
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
Use certbot to provision and auto-renew Let's Encrypt certificates. Redirect all HTTP to HTTPS with a 301.
Encryption at Rest
Database: Enable MySQL encryption for tables containing PII:
ALTER TABLE subscribers ENCRYPTION='Y';
ALTER TABLE contacts ENCRYPTION='Y';
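This requires MySQL 5.7.11+ with InnoDB encryption enabled in my.cnf, which means a keyring plugin must be loaded so that InnoDB has a master key to encrypt the tablespace keys with.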
File storage: For uploaded attachments or exports, use encrypted volumes. On AWS, use EBS volumes with KMS encryption. On bare metal, use LUKS.
Application-Level Encryption
For highly sensitive fields (e.g., GDPR consent records), use Laravel's encrypt() helper:
$subscriber->consent_text = encrypt($consentText);
// Retrieve:
$plain = decrypt($subscriber->consent_text);
Store the APP_KEY securely (not in your repo) — it's the master key.
Backups
Encrypt database backups before storage:
mysqldump acelle_db | gzip | gpg --symmetric --cipher-algo AES256 -o backup.sql.gz.gpg
Rotate encryption keys annually and document the rotation procedure.
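An added example (not part of the original page): the backup pipeline above wrapped for unattended use. A pipeline's exit status is that of its last command, so a failed mysqldump would still leave an encrypted file behind; this function detects that, reads the passphrase from a file instead of prompting, and decrypt-tests the result before keeping it. The function name and the file paths are assumptions.

```bash
# Added example (not from the original page). Passphrase-file and output paths
# are assumptions; acelle_db is the database name used above.
#
# Usage: encrypted_backup OUTFILE PASSFILE DUMP_CMD [ARGS...]
#   encrypted_backup /var/backups/acelle.sql.gz.gpg /root/.backup-passphrase \
#       mysqldump --single-transaction acelle_db
encrypted_backup() (
    out=$1 passfile=$2
    shift 2
    umask 077                       # ciphertext and scratch files owner-only
    part="$out.part" failed="$out.failed"
    rm -f "$part" "$failed"

    # Plaintext only ever flows through the pipe. A pipeline reports just the
    # last command's status, so the dump's failure is recorded in a marker file
    # (portable stand-in for bash's `set -o pipefail`).
    { "$@" || : > "$failed"; } | gzip -c |
        gpg --batch --yes --pinentry-mode loopback --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 -o "$part" || : > "$failed"

    if [ -e "$failed" ]; then
        echo "backup: dump or encryption failed, nothing kept" >&2
        rm -f "$part" "$failed"
        exit 1
    fi

    # Restore test: the file must decrypt with the stored passphrase and
    # contain an intact gzip stream before it replaces the previous backup.
    if ! gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
            --decrypt "$part" 2>/dev/null | gzip -t; then
        echo "backup: verification failed, nothing kept" >&2
        rm -f "$part"
        exit 1
    fi
    mv -f "$part" "$out"
)
```

Keep the passphrase file readable only by the backup user and hold a copy away from the backup host, since the archive cannot be restored without it.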