Skip to content

Encrypted

Field annotation for marking event fields that should be encrypted.

This annotation is used in combination with DataSubject to implement crypto-shredding, allowing for GDPR-compliant data removal in event-sourced systems.

Parameters:

Name Type Description Default
mask_value Any

Value to display when the data is shredded (deleted). Must match the field type.

 required
subject_field str | None

Optional. Name of the field containing the subject ID for this encrypted field. If not provided, the field marked with DataSubject will be used.

 None
Example 
class UserRegistered(Event):
    user_id: Annotated[str, DataSubject]
    email: Annotated[str, Encrypted(mask_value="[REDACTED]")]
    # Custom subject field
    other_data: Annotated[
        str,
        Encrypted(
            mask_value="[HIDDEN]",
            subject_field="alternative_id",
        ),
    ]
Note
  • Every event with encrypted fields must have exactly one DataSubject field.
  • The mask_value type must match the field type.
  • After shredding, the field will always return its mask_value.
Source code in event_sourcery/event_store/event/_dto.py 
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
@dataclass(frozen=True)
class Encrypted:
    """Field annotation for marking event fields that should be encrypted.

    This annotation is used in combination with DataSubject to implement
    crypto-shredding, allowing for GDPR-compliant data removal in event-sourced systems.

    Args:
        mask_value: Value to display when the data is shredded (deleted).
                    Must match the field type.
        subject_field: Optional. Name of the field containing the subject ID for this
                      encrypted field. If not provided, the field marked with
                      DataSubject will be used.

    Example:
        ```python
        class UserRegistered(Event):
            user_id: Annotated[str, DataSubject]
            email: Annotated[str, Encrypted(mask_value="[REDACTED]")]
            # Custom subject field
            other_data: Annotated[
                str,
                Encrypted(
                    mask_value="[HIDDEN]",
                    subject_field="alternative_id",
                ),
            ]
        ```

    Note:
        - Every event with encrypted fields must have exactly one DataSubject field.
        - The mask_value type must match the field type.
        - After shredding, the field will always return its mask_value.
    """

    mask_value: Any
    subject_field: str | None = None