I’d like to second what @hauleth said.
You should be able to reveal how you encrypt data (minus the key) and that data should still remain effectively safe. That is the overall meaning or expectation behind strong/good encryption (I’m “colloquializing” but for simplicity’s sake).
You don’t want to have an encryption method that’s strength is due to the obfuscation of the method. That would render it effectively weak or not good encryption and would provide a false sense of security for you and the people depending on the encryption.
I’m not sure for your particular use-case what strategy you may want to take, but the enacl library mentioned in my other post is an elixir library that enables you to work with the world class NaCl/libsodium libraries.
So, storing keys separately is typically how it’s done. There are even key management services you can use that are more sophisticated ways of, again, storing keys separately so that if your encrypted data is obtained, it’s not necessarily obtained with the keys to decrypt it.
Cloak is another elixir library that is geared more toward what it sounds like you’re trying to do: encrypted at rest in the db (cloak_ecto too if dealing specifically with ecto).
