Waterwheel should use encryption-at-rest of the values stored in the Stash.
While it would be normal to encrypt the database's physical storage (at least it's normal in cloud providers like AWS RDS), and encrypt network traffic with SSL, the value in the database should be encrypted too (to prevent viewing by connecting to the database directly).
Airflow uses Fernet which seems like a reasonable choice. See https://docs.rs/fernet/latest/fernet/
The Fernet key should be provided securely to the waterwheel API processes only.
Waterwheel should use encryption-at-rest of the values stored in the Stash.
While it would be normal to encrypt the database's physical storage (at least it's normal in cloud providers like AWS RDS), and encrypt network traffic with SSL, the value in the database should be encrypted too (to prevent viewing by connecting to the database directly).
Airflow uses Fernet which seems like a reasonable choice. See https://docs.rs/fernet/latest/fernet/
The Fernet key should be provided securely to the waterwheel API processes only.