Maybe more explanations needed?

[ndrean]

If I encrypt a field, it has a hash version in the db. It seems (?) that the encryption key is an env key (the rotation if I read correctly) so that when you query, you may need to hash the input, query against the hash column and then with this code decrypt the corresponding value at that row. Is this ti? Is this automated in some way? It is not clear for me.

• If I query an (encrypted) field, I want to pass the field as it is in the query, so that the type is in charge of the process above (-> hash, query, decode).
• If I insert a field (to be encrypted). I just want to pass the field, and the type automatically inserts the corresponding hash.

Is this the way it works?

[nelsonic]

Much better explanation coming very soon: https://github.com/dwyl/fields-demo

[ndrean]

So I used Cloak, exactly the way I described, easy. It works "at rest" but does not bring in some refinements you seem to have though. Thats why I came back to you :)