@growy/strapi-plugin-encrypted-field 2.3.2 → 2.4.0

package/CHANGELOG.md

@@ -0,0 +1,96 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [2.4.0] - 2026-02-26
+
+### Added
+- Key rotation script (`scripts/rotate-key.js`) for re-encrypting data when changing the encryption key.
+- CHANGELOG.md with full version history.
+- Documented `uniqueField` limitation in README (unique constraints don't work on encrypted fields due to random IV).
+
+### Changed
+- All server-side error messages and logs translated to English for global developer audience.
+- `description` fields in `package.json` translated to English.
+- `repository.url` fixed via `npm pkg fix` (normalized to `git+https://` format).
+
+### Fixed
+- `strapi.config.get()` path updated from deprecated `plugin.encrypted-field` to Strapi v5 convention `plugin::encrypted-field`.
+
+## [2.3.3] - 2026-02-26
+
+### Changed
+- README rewritten in English for global npm community adoption.
+- Removed unused `admin/src/pages/` directory.
+
+## [2.3.2] - 2026-02-26
+
+### Changed
+- Restored detailed technical documentation in README (API examples, key management warnings, regex validation guide).
+
+## [2.3.1] - 2026-02-26
+
+### Changed
+- README converted to bilingual format (EN/ES).
+- Removed unused server directories (`content-types`, `controllers`, `routes`, `services`).
+- Added `.npmignore` for cleaner npm package.
+
+## [2.3.0] - 2026-02-26
+
+### Added
+- Multi-language support (i18n): English and Spanish translations for admin UI.
+- Encryption key caching in memory for improved performance.
+- `inputSize` configuration for resizable inputs in Content-Type Builder.
+- Plugin `config` block with `default` and `validator` (Strapi v5 standard).
+- `@strapi/design-system` and `react` as `peerDependencies`.
+
+### Changed
+- Refactored lifecycle hooks (`bootstrap.js`): extracted shared `processEncryption` and `processDecryption` functions to eliminate code duplication.
+- Simplified `registerTrads` to native Strapi v5 async/await pattern.
+
+### Fixed
+- Decrypt middleware now resolves the root entity `modelUid` from the API request path, fixing a bug where top-level encrypted fields were not decrypted in API responses.
+
+## [2.2.1] - 2025-10-14
+
+### Added
+- Visibility toggle (show/hide) and copy-to-clipboard controls with confirmation notifications in admin UI.
+
+### Changed
+- Updated README with improved documentation and package metadata.
+
+## [2.0.4] - 2025-10-13
+
+### Removed
+- Placeholder field option removed after multiple iterations.
+
+## [2.0.3] - 2025-10-13
+
+### Fixed
+- Set predefined placeholder and removed customization option.
+
+## [2.0.1] - 2025-10-13
+
+### Added
+- Nested component support for encryption/decryption at any depth.
+- Decrypt middleware for API responses.
+- Regex and length validation before encryption.
+
+### Changed
+- Simplified encrypted field UI.
+- Improved props handling in Input component.
+- Field type changed to `string`.
+- Removed unnecessary code comments.
+
+## [1.0.1] - 2025-10-13
+
+### Added
+- Package exports configuration for Strapi v5.
+
+## [1.0.0] - 2025-10-13
+
+### Added
+- Initial release.
+- Custom field "Encrypted Text" for Content-Type Builder.
+- AES-256-GCM encryption/decryption.
+- Basic admin panel input component.

package/README.md

@@ -6,28 +6,22 @@
   <img src="https://img.shields.io/badge/Strapi-v5-blueviolet" alt="Strapi v5" />
 </div>
 
----
-
-### [English](#english-version) | [Español](#versión-en-español)
-
----
-
-## English Version
-
-Official **Growy AI** plugin for Strapi that provide a custom encrypted text field using AES-256-GCM. Protect sensitive information directly in your database with transparent encryption and robust validation.
-
-### Features
-
-- ✅ **Custom Field** "Encrypted Text" in the Content-Type Builder.
-- ✅ **Automatic Encryption** AES-256-GCM when saving.
-- ✅ **Transparent Decryption** when reading (Admin panel and API).
-- ✅ **Backend Validation** with regex support and length constraints.
-- ✅ **Native Strapi v5 UI** with visibility controls, redimensionable inputs and copy to clipboard.
-- ✅ **Multi-language support (i18n)**: English and Spanish.
-- ✅ **Encrypted Data** in database with unique IV and Auth Tag.
-- ✅ **Nested Components support** at any depth.
-
-### Installation
+Official **Growy AI** plugin for Strapi that provides a custom encrypted text field using AES-256-GCM. Protect sensitive information directly in your database with transparent encryption and robust validation.
+
+- ✅ **Custom field** "Encrypted Text" in the Content-Type Builder
+- ✅ **Automatic encryption** AES-256-GCM on save
+- ✅ **Transparent decryption** on read (admin panel and API)
+- ✅ **Backend validation** with regex and length constraint support
+- ✅ **Native Strapi v5 UI** with visibility controls, resizable inputs and copy to clipboard
+- ✅ **Values hidden** by default with show/hide toggle
+- ✅ **Copy notifications** confirmation when copying values
+- ✅ **Multi-language support (i18n)**: English and Spanish
+- ✅ **Robust key management** with validation and clear error messages
+- ✅ **Encrypted data** in database with unique IV and Auth Tag per operation
+- ✅ **Reusable** in any collection or component
+- ✅ **Full support** for nested components and complex structures
+
+## Installation
 
 ```bash
 npm install @growy/strapi-plugin-encrypted-field
@@ -35,10 +29,12 @@ npm install @growy/strapi-plugin-encrypted-field
 yarn add @growy/strapi-plugin-encrypted-field
 ```
 
-### Configuration
+## Configuration
+
+### 1. Enable the plugin
+
+Create or edit `config/plugins.js` or `config/plugins.ts`:
 
-#### 1. Enable the plugin
-Edit `config/plugins.js` or `config/plugins.ts`:
 ```javascript
 module.exports = {
   'encrypted-field': {
@@ -47,140 +43,211 @@ module.exports = {
 };
 ```
 
-#### 2. Configure Encryption Key (REQUIRED)
+### 2. Configure the encryption key (REQUIRED)
+
+#### Option A: Environment variable (recommended)
+
 Add to your `.env`:
+
 ```bash
 ENCRYPTION_KEY=your_64_character_hex_key_here
 ```
 
-**Generate a secure key:**
+#### Option B: Configuration file
+
+Edit `config/plugins.js`:
+
+```javascript
+module.exports = ({ env }) => ({
+  'encrypted-field': {
+    enabled: true,
+    config: {
+      encryptionKey: env('ENCRYPTION_KEY'),
+    },
+  },
+});
+```
+
+#### Generate a secure key
+
 ```bash
 node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
 ```
 
+This will generate a 64-character hexadecimal key (32 bytes).
+
 ⚠️ **CRITICAL - Key Management**:
-- **Store the key safely** (Secrets manager, encrypted env vars).
-- **Never** include it in version control.
-- **If you lose the key**, you will NOT be able to decrypt existing data.
-- **Use the same key** across all environments sharing the same database.
+- **Store the key securely** (secrets manager, encrypted environment variables)
+- **Never** include it in version control
+- **If you lose the key**, you will not be able to decrypt existing data
+- **Use the same key** across all environments sharing the same database
+- **For production**, consider services like AWS Secrets Manager, HashiCorp Vault or similar
 
-### Usage & Validation
+### 3. Rebuild the admin
+
+```bash
+npm run build
+npm run develop
+```
+
+## Requirements
+
+- **Strapi**: v5.0.0 or higher
+- **Node.js**: 18.x - 22.x
+- **npm**: 6.0.0 or higher
+
+## Data Validation
 
-#### Data Validation
 The plugin supports validation before encryption:
-1. In Content-Type Builder, select the encrypted field.
-2. Go to **"Advanced Settings"**.
-3. In **"RegEx pattern"**, enter your regular expression.
-**Example**: To validate an API key format: `^sk-[a-zA-Z0-9]{32}$`.
 
-#### API Usage
-The API returns decrypted values automatically for authorized requests.
+### Configure regex validation
+
+1. In Content-Type Builder, select the encrypted field
+2. Go to the **"Advanced Settings"** tab
+3. In **"RegEx pattern"**, enter your regular expression
+4. Save the changes
+
+**Example**: To validate API key format:
+```regex
+^sk-[a-zA-Z0-9]{32}$
+```
+
+If the value does not match the pattern, an error will be thrown before encryption.
+
+## Usage
+
+### 1. Add an encrypted field to a collection
+
+1. Go to **Content-Type Builder**
+2. Select a collection or create a new one
+3. Click **"Add another field"**
+4. Search for **"Encrypted Text"** (with 🔒 icon)
+5. Set the field name
+6. Save and restart Strapi
+
+### 2. Using the field
+
+The field works like a regular text field with additional security features:
+
+- **In the panel**: Type text normally
+- **Hidden values**: Values are shown as `***` by default
+- **Eye button**: Toggles between show/hide the value
+- **Copy button**: Copies the value to clipboard with a confirmation notification
+- **On save**: Automatically encrypted
+- **On read**: Automatically decrypted
+- **In the DB**: Stored encrypted with format `iv:authTag:encrypted`
+- **In components**: Works the same in nested components at any depth
+
+### 3. API Usage
+
 ```bash
-# Create an entry
+# Create with an encrypted field
 curl -X POST http://localhost:1337/api/users \
   -H "Content-Type: application/json" \
-  -d '{"data": {"apiKey": "my-secret-token"}}'
+  -d '{
+    "data": {
+      "name": "John",
+      "apiKey": "my-secret-key-123"
+    }
+  }'
 
 # Read (returns decrypted)
 curl -X GET http://localhost:1337/api/users/1
-# Response: { "data": { "apiKey": "my-secret-token" } }
+# Response: { "name": "John", "apiKey": "my-secret-key-123" }
 ```
 
----
+## Usage Example
 
-## Versión en Español
+### "User" collection with an encrypted API Key
 
-Plugin oficial de **Growy AI** para Strapi que proporciona un campo personalizado de texto cifrado con AES-256-GCM. Protege información sensible directamente en tu base de datos con cifrado transparente y validación robusta.
+**Schema:**
+```json
+{
+  "name": "string",
+  "email": "email",
+  "apiKey": "plugin::encrypted-field.encrypted-text"
+}
+```
 
-### Características
+**In the DB:**
+```
+apiKey: "a1b2c3d4e5f6....:f9e8d7c6b5a4....:9f8e7d6c5b4a3..."
+```
 
-- ✅ **Campo personalizado** "Texto Cifrado" en el Content-Type Builder.
-- ✅ **Cifrado automático** AES-256-GCM al guardar.
-- ✅ **Descifrado transparente** al leer (panel y API).
-- ✅ **Validación backend** con soporte para regex y restricciones.
-- ✅ **UI Nativa Strapi v5** con controles de visibilidad, inputs redimensionables y copiar al portapapeles.
-- ✅ **Soporte multi-idioma (i18n)**: Inglés y Español.
-- ✅ **Datos cifrados** en base de datos con IV único y Auth Tag.
-- ✅ **Soporte para componentes anidados** a cualquier profundidad.
+**In the panel and API:**
+```
+apiKey: "sk-1234567890abcdef"
+```
 
-### Instalación
+## Security & Architecture
 
-```bash
-npm install @growy/strapi-plugin-encrypted-field
-# o
-yarn add @growy/strapi-plugin-encrypted-field
-```
+### Technical Specifications
 
-### Configuración
+- **Algorithm**: AES-256-GCM (NIST standard, military grade)
+- **Key size**: 256 bits (32 bytes, 64 hex characters)
+- **IV (Initialization Vector)**: 96 bits (12 bytes) randomly generated per operation
+- **Auth Tag**: 128 bits (16 bytes) for integrity verification
+- **Stored format**: `iv:authTag:encryptedData` (all in hexadecimal)
+- **Key caching**: Encryption key is parsed and cached in memory for optimal performance
 
-#### 1. Habilitar el plugin
-Edita `config/plugins.js`:
-```javascript
-module.exports = {
-  'encrypted-field': {
-    enabled: true,
-  },
-};
-```
+### Security Features
 
-#### 2. Configurar la clave (REQUERIDO)
-Agrega a tu `.env`:
-```bash
-ENCRYPTION_KEY=tu_clave_de_64_caracteres_hexadecimales_aqui
-```
+- ✅ **Authenticated encryption**: GCM provides both confidentiality and integrity
+- ✅ **Unique IV**: Every encryption operation generates a random IV
+- ✅ **Tamper resistance**: Auth Tag detects any modification
+- ✅ **Input validation**: Regex and custom constraints supported
+- ✅ **Safe error handling**: Controlled logs without exposing sensitive data
+- ✅ **Double-layer decryption**: Lifecycle hooks (internal) + middleware (API responses)
 
-⚠️ **CRÍTICO - Gestión de claves**:
-- **Guarda la clave de forma segura** (gestor de secretos, variables de entorno cifradas).
-- **Nunca** la incluyas en el control de versiones.
-- **Si pierdes la clave**, NO podrás descifrar los datos existentes.
+### Best Practices
 
-### Uso y Validación
+1. **Key rotation**: Use the included rotation script (see below)
+2. **Environment separation**: Use different keys per dev/staging/prod
+3. **Auditing**: Monitor encryption/decryption error logs
+4. **Key backup**: Keep secure copies of keys in multiple locations
+5. **Private fields**: Mark sensitive fields as "private" to exclude them from the public API
 
-#### Validación de datos
-El plugin soporta validación antes del cifrado:
-1. En el Content-Type Builder, selecciona el campo cifrado.
-2. Ve a la pestaña **"Advanced Settings"**.
-3. En **"RegEx pattern"**, ingresa tu expresión regular.
-**Ejemplo**: Para validar formato de API key: `^sk-[a-zA-Z0-9]{32}$`.
+### Key Rotation
 
-#### Uso por API
-La API devuelve los valores descifrados automáticamente.
-```bash
-# Crear con campo cifrado
-curl -X POST http://localhost:1337/api/usuarios \
-  -H "Content-Type: application/json" \
-  -d '{"data": {"apiKey": "mi-clave-secreta-123"}}'
+If you need to change your encryption key, use the included rotation script to re-encrypt existing data:
 
-# Leer (devuelve descifrado)
-curl -X GET http://localhost:1337/api/usuarios/1
-# Response: { "apiKey": "mi-clave-secreta-123" }
+```bash
+node scripts/rotate-key.js --old=<CURRENT_64_CHAR_KEY> --new=<NEW_64_CHAR_KEY>
 ```
 
-### Especificaciones Técnicas
+The script reads encrypted values from stdin, decrypts with the old key, and re-encrypts with the new key. See the script output for database-specific integration examples (PostgreSQL, etc.).
 
-- **Algoritmo**: AES-256-GCM (Grado militar).
-- **IV (Initialization Vector)**: 96 bits generado aleatoriamente por operación.
-- **Integridad**: Auth Tag de 128 bits para detectar manipulaciones.
-- **Formato almacenado**: `iv:authTag:encryptedData`.
+## Use Cases
 
-### Limitaciones Conocidas
+- 🔑 Third-party API Keys
+- 🔐 Access tokens
+- 🔒 Webhook secrets
+- 💳 Sensitive information
+- 📧 SMTP credentials
+- 🔑 Application passwords
 
-- ❌ **Búsqueda**: No se puede buscar por campos cifrados debido al cifrado en BD.
-- ❌ **Ordenamiento**: No se puede ordenar por campos cifrados.
-- ❌ **Filtros**: No se pueden aplicar filtros directos en la consulta a la BD.
+## Known Limitations
 
----
+- ❌ **Search**: Cannot search by encrypted fields (data is encrypted in DB)
+- ❌ **Sorting**: Cannot sort by encrypted fields
+- ❌ **Filters**: Cannot apply direct filters on encrypted fields
+- ❌ **Unique constraint**: Strapi's unique validation will not work correctly on encrypted fields because each encryption produces a different ciphertext (random IV)
+- ⚠️ **Performance**: Encryption/decryption adds minimal overhead (~1-2ms per operation)
+- ⚠️ **Key synchronization**: All environments sharing the same DB must use the same key
+
+## License
 
-## License / Licencia
 MIT © 2025 Growy AI
 
-## Credits / Créditos
-**Growy AI** - Soluciones de IA y automatización empresarial
-**Main Author / Autor principal**: Zahir El isaac
+## Developed by
+
+**Growy AI** - AI and business automation solutions
+
+**Main author**: Zahir El isaac
 
 ---
 
 <div align="center">
-  <p>If this plugin is useful to you, consider giving it a ⭐ on GitHub / Si este plugin te resulta útil, considera darle una ⭐ en GitHub</p>
-  <p>Made with ❤️ by Growy AI Team</p>
+  <p>If this plugin is useful to you, consider giving it a ⭐ on GitHub</p>
+  <p>Made with ❤️ by the Growy AI team</p>
 </div>

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@growy/strapi-plugin-encrypted-field",
-  "version": "2.3.2",
-  "description": "Campo personalizado de texto cifrado para Strapi",
+  "version": "2.4.0",
+  "description": "Custom encrypted text field plugin for Strapi using AES-256-GCM",
   "strapi": {
     "name": "encrypted-field",
     "displayName": "Encrypted Field",
-    "description": "Agrega un campo de texto cifrado con AES-256-GCM",
+    "description": "Adds an AES-256-GCM encrypted text field",
     "kind": "plugin"
   },
   "dependencies": {},
@@ -27,7 +27,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/ZahirElIsaac/strapi-campo-encriptado.git"
+    "url": "git+https://github.com/ZahirElIsaac/strapi-campo-encriptado.git"
   },
   "contributors": [
     {

package/scripts/rotate-key.js

@@ -0,0 +1,117 @@
+#!/usr/bin/env node
+
+const crypto = require('crypto');
+const readline = require('readline');
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+
+function parseKey(hexKey) {
+    if (!hexKey || typeof hexKey !== 'string' || hexKey.length !== 64) {
+        throw new Error(`Key must be exactly 64 hexadecimal characters. Got: ${hexKey?.length || 0}`);
+    }
+    if (!/^[0-9a-fA-F]{64}$/.test(hexKey)) {
+        throw new Error('Key must contain only hexadecimal characters (0-9, a-f, A-F)');
+    }
+    return Buffer.from(hexKey, 'hex');
+}
+
+function decryptWithKey(encryptedText, keyBuffer) {
+    const parts = encryptedText.split(':');
+    if (parts.length !== 3) return null;
+
+    const [ivHex, authTagHex, encrypted] = parts;
+    if (ivHex.length !== IV_LENGTH * 2 || authTagHex.length !== AUTH_TAG_LENGTH * 2) return null;
+
+    const iv = Buffer.from(ivHex, 'hex');
+    const authTag = Buffer.from(authTagHex, 'hex');
+    const decipher = crypto.createDecipheriv(ALGORITHM, keyBuffer, iv);
+    decipher.setAuthTag(authTag);
+
+    let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+    decrypted += decipher.final('utf8');
+    return decrypted;
+}
+
+function encryptWithKey(text, keyBuffer) {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, keyBuffer, iv);
+
+    let encrypted = cipher.update(text, 'utf8', 'hex');
+    encrypted += cipher.final('hex');
+    const authTag = cipher.getAuthTag();
+
+    return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+}
+
+async function main() {
+    const args = process.argv.slice(2);
+    const oldKeyArg = args.find((a) => a.startsWith('--old='));
+    const newKeyArg = args.find((a) => a.startsWith('--new='));
+
+    if (!oldKeyArg || !newKeyArg) {
+        console.error('Usage: node scripts/rotate-key.js --old=<OLD_KEY> --new=<NEW_KEY>');
+        console.error('Keys must be 64-character hexadecimal strings.');
+        console.error('\nGenerate a new key with:');
+        console.error('  node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'hex\'))"');
+        process.exit(1);
+    }
+
+    const oldKey = oldKeyArg.split('=')[1];
+    const newKey = newKeyArg.split('=')[1];
+
+    let oldKeyBuffer, newKeyBuffer;
+    try {
+        oldKeyBuffer = parseKey(oldKey);
+        newKeyBuffer = parseKey(newKey);
+    } catch (error) {
+        console.error(`Key validation error: ${error.message}`);
+        process.exit(1);
+    }
+
+    if (oldKey === newKey) {
+        console.error('Old and new keys are identical. Aborting.');
+        process.exit(1);
+    }
+
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const question = (q) => new Promise((resolve) => rl.question(q, resolve));
+
+    console.log('\n🔑 Encrypted Field - Key Rotation Tool');
+    console.log('━'.repeat(45));
+    console.log('\nThis script reads encrypted values from stdin (one per line),');
+    console.log('decrypts them with the OLD key, and re-encrypts with the NEW key.');
+    console.log('\nTo use with a database, export the encrypted column values,');
+    console.log('pipe them through this script, and update the database.\n');
+    console.log('Example with PostgreSQL:');
+    console.log('  psql -t -A -c "SELECT id, api_key FROM users WHERE api_key IS NOT NULL" |\\');
+    console.log('  while IFS="|" read id val; do');
+    console.log('    newval=$(echo "$val" | node scripts/rotate-key.js --old=X --new=Y)');
+    console.log('    psql -c "UPDATE users SET api_key=\'$newval\' WHERE id=$id"');
+    console.log('  done\n');
+    console.log('Paste encrypted values (one per line). Press Ctrl+D when done:\n');
+
+    rl.on('line', (line) => {
+        const trimmed = line.trim();
+        if (!trimmed) return;
+
+        try {
+            const decrypted = decryptWithKey(trimmed, oldKeyBuffer);
+            if (decrypted === null) {
+                console.error(`SKIP (not encrypted format): ${trimmed.substring(0, 30)}...`);
+                return;
+            }
+            const reEncrypted = encryptWithKey(decrypted, newKeyBuffer);
+            console.log(reEncrypted);
+        } catch (error) {
+            console.error(`ERROR: ${error.message} | Input: ${trimmed.substring(0, 30)}...`);
+        }
+    });
+
+    rl.on('close', () => {
+        console.error('\n✅ Key rotation complete.');
+    });
+}
+
+main();

package/server/bootstrap.js

@@ -17,7 +17,7 @@ function processEncryption(event, strapi) {
 
     const validation = validateValue(value, attribute);
     if (!validation.valid) {
-      throw new Error(`Validación fallida para el campo "${key}": ${validation.error}`);
+      throw new Error(`Validation failed for field "${key}": ${validation.error}`);
     }
 
     data[key] = encrypt(value, strapi);

package/server/middlewares/decrypt.js

@@ -50,7 +50,7 @@ module.exports = (config, { strapi }) => {
             try {
               obj[key] = decrypt(obj[key], strapi);
             } catch (error) {
-              strapi.log.error(`Error descifrando campo ${key}: ${error.message}`);
+              strapi.log.error(`Decryption error on field ${key}: ${error.message}`);
             }
           }
         }

package/server/utils/crypto.js

@@ -9,10 +9,10 @@ let _cachedKey = null;
 let _cachedKeySource = null;
 
 function getEncryptionKey(strapi) {
-  const key = process.env.ENCRYPTION_KEY || strapi?.config?.get('plugin.encrypted-field.encryptionKey');
+  const key = process.env.ENCRYPTION_KEY || strapi?.config?.get('plugin::encrypted-field.encryptionKey');
 
   if (!key) {
-    const errorMsg = '⚠️  ENCRYPTION_KEY no configurada. Debe establecer una clave de 64 caracteres hexadecimales en las variables de entorno o configuración de Strapi.';
+    const errorMsg = '⚠️  ENCRYPTION_KEY not configured. You must set a 64-character hexadecimal key in environment variables or Strapi configuration.';
     if (strapi?.log?.error) {
       strapi.log.error(errorMsg);
     }
@@ -24,11 +24,11 @@ function getEncryptionKey(strapi) {
   }
 
   if (typeof key !== 'string' || key.length !== 64) {
-    throw new Error(`ENCRYPTION_KEY debe tener exactamente 64 caracteres hexadecimales (32 bytes). Actual: ${key?.length || 0}`);
+    throw new Error(`ENCRYPTION_KEY must be exactly 64 hexadecimal characters (32 bytes). Current: ${key?.length || 0}`);
   }
 
   if (!/^[0-9a-fA-F]{64}$/.test(key)) {
-    throw new Error('ENCRYPTION_KEY debe contener solo caracteres hexadecimales (0-9, a-f, A-F)');
+    throw new Error('ENCRYPTION_KEY must contain only hexadecimal characters (0-9, a-f, A-F)');
   }
 
   _cachedKey = Buffer.from(key, 'hex');
@@ -54,7 +54,7 @@ function encrypt(text, strapi) {
     return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
   } catch (error) {
     if (strapi?.log?.error) {
-      strapi.log.error(`Error al cifrar: ${error.message}`);
+      strapi.log.error(`Encryption error: ${error.message}`);
     }
     throw error;
   }
@@ -88,7 +88,7 @@ function decrypt(encryptedText, strapi) {
     return decrypted;
   } catch (error) {
     if (strapi?.log?.debug) {
-      strapi.log.debug(`Error al descifrar: ${error.message}. Retornando texto original.`);
+      strapi.log.debug(`Decryption error: ${error.message}. Returning original text.`);
     }
     return encryptedText;
   }
@@ -102,7 +102,7 @@ function validateValue(value, attribute) {
   if (typeof value !== 'string') {
     return {
       valid: false,
-      error: 'El valor debe ser una cadena de texto'
+      error: 'Value must be a string'
     };
   }
 
@@ -112,13 +112,13 @@ function validateValue(value, attribute) {
       if (!regex.test(value)) {
         return {
           valid: false,
-          error: `El valor no cumple con el patrón de validación: ${attribute.regex}`
+          error: `Value does not match the validation pattern: ${attribute.regex}`
         };
       }
     } catch (error) {
       return {
         valid: false,
-        error: `Patrón regex inválido: ${error.message}`
+        error: `Invalid regex pattern: ${error.message}`
       };
     }
   }
@@ -126,14 +126,14 @@ function validateValue(value, attribute) {
   if (attribute.maxLength && value.length > attribute.maxLength) {
     return {
       valid: false,
-      error: `El valor excede la longitud máxima de ${attribute.maxLength} caracteres`
+      error: `Value exceeds maximum length of ${attribute.maxLength} characters`
     };
   }
 
   if (attribute.minLength && value.length < attribute.minLength) {
     return {
       valid: false,
-      error: `El valor debe tener al menos ${attribute.minLength} caracteres`
+      error: `Value must be at least ${attribute.minLength} characters`
     };
   }