Secrets / PII in Request/Response?

If I have activities that fetch/store secrets (out of Hashicorp Vault) or PII, how can I flag those fields to keep Temporal from logging them or making them visible in workflow run history?

I found a prior post where @ryland mentions Temporal’s DataConverter API to “automatically encrypt”, but looking at the converter package, I don’t see encryption anywhere in it. Is there an example somewhere of how to use this?

I can obviously serialize/deserialize my input/output in my workflows and activities, encrypting/decrypting on the way, but the headaches of key management and rotation around that hurt my head a bit.

We do plan to provide a DataConverter implementation that implements encryption. You still will have to deal with key management yourself.

Until then you have to implement your own version of DataConverter as Ryland described in his posts.

> I can obviously serialize/deserialize my input/output in my workflows and activities, encrypting/decrypting on the way, but the headaches of key management and rotation around that hurt my head a bit.

DataConverter is the supported way to serialize/deserialize your input/output without polluting your activity and workflow code. You want to manage your own keys. Otherwise you would be trusting a third party with all the secrets.
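The "implement your own encrypting DataConverter" approach from the answers above, as an added example that is not Temporal's code: it models the pattern as a codec that wraps the already-serialized payload bytes in AES-256-GCM and records the key ID in payload metadata, so rotating to a new key leaves histories written under the old key decodable. It uses a local `Payload` struct in place of the SDK type so it runs with only the standard library, and assumes the caller has loaded the raw keys (e.g. from Vault) into `Keys`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Payload is a local stand-in for a Temporal payload: metadata plus data bytes.
type Payload struct {
	Metadata map[string][]byte
	Data     []byte
}
// EncryptionCodec seals serialized payloads with AES-256-GCM; the key ID is kept
// in payload metadata, so history written under an older key stays readable.
type EncryptionCodec struct {
	CurrentKeyID string
	Keys         map[string][]byte // key ID -> 32-byte key (assumed: loaded from Vault)
}

func (c *EncryptionCodec) aead(keyID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(c.Keys[keyID]) // unknown ID -> nil key -> error
	if err != nil {
		return nil, fmt.Errorf("key %q: %w", keyID, err)
	}
	return cipher.NewGCM(block)
}

// Encode leaves only the encoding tag and key ID in clear; Data is nonce||ciphertext||tag.
func (c *EncryptionCodec) Encode(serialized []byte) (Payload, error) {
	g, err := c.aead(c.CurrentKeyID)
	if err != nil {
		return Payload{}, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	md := map[string][]byte{"encoding": []byte("binary/encrypted"), "encryption-key-id": []byte(c.CurrentKeyID)}
	return Payload{Metadata: md, Data: g.Seal(nonce, nonce, serialized, md["encryption-key-id"])}, nil
}

// Decode reverses Encode, choosing the key named in the payload metadata.
func (c *EncryptionCodec) Decode(p Payload) ([]byte, error) {
	id := p.Metadata["encryption-key-id"]
	g, err := c.aead(string(id))
	if err != nil || len(p.Data) < g.NonceSize() {
		return nil, fmt.Errorf("undecodable payload for key id %q: %v", id, err)
	}
	return g.Open(nil, p.Data[:g.NonceSize()], p.Data[g.NonceSize():], id) // wrong key, tampering, or a swapped key ID (bound as AAD) all fail
}
```

In the real SDK the same Encode/Decode pair would sit behind the converter that serializes workflow and activity arguments, so neither workflow nor activity code touches the keys.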