# is it safe to store user secrets in convex

4 messages · Page 1 of 1 (latest)

cinder stag

is it safe to store user secrets in Convex, or should I use external services like Cloudflare KV?

iron olive (BOT)

Hi @cinder stag. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base.


Convex encrypts all user data at rest and replicates it durably across availability zones. [Status & guarantees] This includes anything you store in tables as well as environment variables. [Env vars]

From the available information:

  • Storing secrets in Convex is supported and commonly done. Convex staff explicitly suggest keeping encryption keys/salts in environment variables and storing only encrypted values in tables. [Key management; Env vars]
  • For API keys and similar, one recommended pattern is:
    • Generate a symmetric key (or salt) and store it in Convex env vars.
    • Encrypt user secrets in Convex functions using that key.
    • Store only the encrypted blobs in Convex tables. [Key management]

Convex team members also note that even if you used an external vault (AWS Secrets Manager, etc.), if an attacker gains access to your Convex dashboard and can deploy code, they can exfiltrate decrypted data anyway. So the main protection is controlling dashboard access (MFA, least privilege) rather than where the key technically lives. [Key management]

They acknowledge that a “vault-like” feature (non-viewable secrets, stricter dashboard controls) would be useful and is being considered, but it doesn’t exist yet. [Key management]

How this compares to Cloudflare KV / external services

The knowledge sources don’t directly compare Convex to Cloudflare KV or give guidance on when to choose an external secret store, so I can’t say more than:

  • Convex is designed to safely store application data and secrets (with encryption at rest).
  • For many apps, using Convex env vars + encrypted fields is considered sufficient by the Convex team.
  • If you have stricter compliance or organizational requirements that mandate a dedicated secrets manager, you may still choose an external service, but that’s not covered in detail in the sources.

Practical takeaway

Based on the docs and support threads:

  • It is generally safe and supported to store user secrets in Convex, especially if:
    • You keep encryption keys in Convex environment variables, and
    • You store only encrypted user secrets in tables.
  • Using an external store like Cloudflare KV is an additional architectural choice, not a requirement from Convex’s side; the provided materials don’t state that you must or should move secrets out of Convex for security.

Note: you can ask me a follow-up question by @ mentioning me again
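One way to implement the pattern the answer describes (key in a Convex environment variable, only encrypted blobs in tables), as an added example that is not code from the thread or from Convex. It assumes a Node-compatible runtime such as a Convex action declared with "use node", an environment variable named SECRETS_KEY holding a base64-encoded 32-byte key generated out of band, and a hypothetical userSecrets table.

```typescript
// Added example (not from the thread or Convex). Assumes a Node-compatible runtime,
// e.g. a Convex action declared with "use node", and an env var SECRETS_KEY that
// holds a base64-encoded 32-byte key generated out of band (e.g. openssl rand -base64 32).
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// What gets written to the table: never the plaintext, only these three fields.
export interface EncryptedBlob {
  iv: string;  // 12-byte GCM nonce, base64
  ct: string;  // ciphertext, base64
  tag: string; // 16-byte GCM authentication tag, base64
}

function loadKey(): Buffer {
  const b64 = process.env.SECRETS_KEY;
  if (!b64) throw new Error("SECRETS_KEY environment variable is not set");
  const key = Buffer.from(b64, "base64");
  if (key.length !== 32) throw new Error("SECRETS_KEY must decode to exactly 32 bytes");
  return key;
}

// userId is bound in as additional authenticated data, so a blob copied from one
// user's row into another's fails to decrypt instead of silently leaking a secret.
export function encryptSecret(plaintext: string, userId: string, key: Buffer = loadKey()): EncryptedBlob {
  const iv = randomBytes(12); // fresh random nonce per call; never reuse with the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

export function decryptSecret(blob: EncryptedBlob, userId: string, key: Buffer = loadKey()): string {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAAD(Buffer.from(userId, "utf8"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  // final() throws if the ciphertext, tag, or userId was altered, or the key is wrong.
  return Buffer.concat([decipher.update(Buffer.from(blob.ct, "base64")), decipher.final()]).toString("utf8");
}

// Inside a Convex function (hypothetical table name "userSecrets") the call would look like:
//   await ctx.db.insert("userSecrets", { userId, ...encryptSecret(apiKey, userId) });
// and reads go back through decryptSecret(row, userId) before the value is used.
```

The stored row contains no plaintext and no key, so reading the table alone yields nothing usable; as the answer notes, whoever can deploy code or read the env var can still decrypt, which is why dashboard access control remains the real boundary.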