# ADR-023: Per-attribute encryption, not per-node

## Status

Accepted

## Context

Encrypted data could be stored either as one encrypted `attributes` blob per node or as individually encrypted attributes within the node. The choice affects queryability and schema design.

## Decision

The `EncryptedData` schema is a single attribute within a node type's attributes, not the entire node.

Per-attribute encryption preserves queryability on non-sensitive fields: a secret node can carry unencrypted metadata alongside the encrypted value. The node key (identity) is always readable for queries.

Encrypting the entire `attributes` column would make attribute-level queries impossible: "all secrets for client X" cannot be answered when the client reference sits inside the ciphertext, short of decrypting every row.

## Consequences

- Only the sensitive payload is encrypted; identity and metadata remain queryable
- Metadata kept outside the envelope is stored in the clear, so it must not itself be sensitive; anything that needs confidentiality belongs in the `EncryptedData` attribute
- `EncryptedDataSchema` validates the encryption envelope at write time
- Different graph types can have encrypted attributes without special table definitions

## References

- [encrypted-data.md](../encrypted-data.md)
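Worked example of the decision above, added here as illustration and not code from the project that owns this ADR. A `Node` carries an always-readable key plus an `Attrs` map; only the `value` attribute holds an `EncryptedData` envelope, the store validates the envelope's shape at write time, and the "all secrets for client X" query runs over plaintext metadata without touching a decryption key. The envelope field names (`Alg`, `KeyID`, `Nonce`, `CT`), AES-256-GCM, the in-memory `Store` and the sample nodes are all assumptions of this example. It also goes one step beyond the ADR text: each envelope is bound to its node key and attribute name through the AEAD associated data, so an envelope copied into another node or attribute fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// EncryptedData is the envelope held in ONE attribute of a node (field names are assumptions for this example).
type EncryptedData struct {
	Alg, KeyID string // algorithm id, and which data key produced the ciphertext
	Nonce, CT  string // base64: 12-byte nonce; ciphertext with the GCM tag appended
}

// Node: the identity key is always readable; only the sensitive attribute is an envelope.
type Node struct {
	Key   string
	Attrs map[string]any
}

// validateEnvelope is the write-time schema check: shape only, no decryption.
func validateEnvelope(e EncryptedData) error {
	n, nErr := base64.StdEncoding.DecodeString(e.Nonce)
	c, cErr := base64.StdEncoding.DecodeString(e.CT)
	if e.Alg != "AES-256-GCM" || e.KeyID == "" || nErr != nil || cErr != nil || len(n) != 12 || len(c) < 16 {
		return fmt.Errorf("malformed envelope (alg %q): need key id, 12-byte nonce, ciphertext >= 16-byte tag", e.Alg)
	}
	return nil
}

// aad binds a ciphertext to its node and attribute: an envelope copied elsewhere fails to open.
func aad(nodeKey, attr string) []byte { return []byte(nodeKey + "\x00" + attr) }

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // wrong key length is a programming error, not runtime input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// encryptAttr produces the envelope for a single attribute value.
func encryptAttr(key []byte, keyID, nodeKey, attr string, pt []byte) (EncryptedData, error) {
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedData{}, err
	}
	ct := mustGCM(key).Seal(nil, nonce, pt, aad(nodeKey, attr))
	b64 := base64.StdEncoding.EncodeToString
	return EncryptedData{"AES-256-GCM", keyID, b64(nonce), b64(ct)}, nil
}

// decryptAttr opens one envelope; node key and attribute name must match the AAD.
func decryptAttr(key []byte, nodeKey, attr string, e EncryptedData) ([]byte, error) {
	if err := validateEnvelope(e); err != nil { // also guards gcm.Open's nonce-size panic
		return nil, err
	}
	nonce, _ := base64.StdEncoding.DecodeString(e.Nonce)
	ct, _ := base64.StdEncoding.DecodeString(e.CT)
	return mustGCM(key).Open(nil, nonce, ct, aad(nodeKey, attr))
}

// Store is an in-memory stand-in for the node table; Put rejects a malformed envelope at write time.
type Store struct{ nodes []Node }
func (s *Store) Put(n Node) error {
	for name, v := range n.Attrs {
		if e, ok := v.(EncryptedData); ok {
			if err := validateEnvelope(e); err != nil {
				return fmt.Errorf("node %q attribute %q: %w", n.Key, name, err)
			}
		}
	}
	s.nodes = append(s.nodes, n)
	return nil
}

// SecretsForClient answers "all secrets for client X" from plaintext metadata alone.
func (s *Store) SecretsForClient(client string) (keys []string) {
	for _, n := range s.nodes {
		if n.Attrs["client"] == client {
			keys = append(keys, n.Key)
		}
	}
	return keys
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key; never hardcode a real one
	s := &Store{}
	for _, sec := range [][2]string{{"secret:1", "acme"}, {"secret:2", "globex"}, {"secret:3", "acme"}} {
		env, _ := encryptAttr(key, "k1", sec[0], "value", []byte("hunter2")) // constructed sample; on CSPRNG failure env is empty and Put rejects it
		if err := s.Put(Node{Key: sec[0], Attrs: map[string]any{"client": sec[1], "type": "api_token", "value": env}}); err != nil {
			panic(err)
		}
	}
	fmt.Println("secrets for acme:", s.SecretsForClient("acme")) // [secret:1 secret:3]
	bad := EncryptedData{Alg: "AES-256-GCM", KeyID: "k1", Nonce: "AAAA", CT: "AAAA"}
	fmt.Println("rejected:", s.Put(Node{Key: "secret:4", Attrs: map[string]any{"value": bad}}))
}
```

`go run` on this file prints the two `acme` node keys, found without any decryption, and then the write-time rejection of the envelope whose nonce is only three bytes. The AAD binding is the practitioner's caveat for this design: once secrets live in individually encrypted attributes, the database can no longer tell a legitimate envelope from one an attacker copied between rows, so the ciphertext itself has to carry that binding.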