Module encryption 

Field-level encryption for sensitive session data stored at rest.

Uses AES-256-GCM (authenticated encryption with associated data) to encrypt individual fields before they are written to SQLite. Each encrypted value is prefixed with a random 12-byte nonce, then base64-encoded for safe storage in TEXT columns.

Encryption is optional: when no key is configured, the storage layer stores data in plaintext (backward compatible). The key is loaded from the ARBITER_STORAGE_ENCRYPTION_KEY environment variable as a 64-character hex string (32 bytes).

Structs

FieldEncryptor

Field-level encryption using AES-256-GCM.

Enums

EncryptionError

Errors from encryption / decryption operations.