Feature: Pass schema for automated bulk encryption/decryption #42

Open
calvinbrewer opened this issue Jan 17, 2025 · 0 comments
Labels
enhancement New feature or request

Summary

Currently, when using bulkEncrypt and bulkDecrypt, developers have to manually rebuild their data structures by mapping the ciphertexts to the correct model fields. This can be cumbersome and error-prone when encrypting many fields or tables. I would like to propose a feature that allows passing in a schema (e.g., a Drizzle schema or similar) that automatically:

  • Parses the data according to which columns are marked as encrypted/protected.
  • Performs bulk encryption/decryption for those fields behind the scenes.
  • Returns the data reassembled, with encrypted or decrypted values injected in place.

Current Behavior

We must manually build arrays of { plaintext, id } (for bulkEncrypt) or { c, id } (for bulkDecrypt).
Then, once the data is processed, we have to manually loop through the results again to merge them back into the model objects.
For example, if we have several columns in a table marked for encryption (email, phone, etc.), we must handle each column manually.

Desired Behavior

Provide a schema that defines which columns need encryption.
Pass the schema and the raw data (e.g., a list of user objects) into a function like bulkEncryptWithSchema(schema, data) or bulkDecryptWithSchema(schema, data).

The function automatically:

  • Extracts the fields that need to be encrypted/decrypted,
  • Sends them to bulkEncrypt/bulkDecrypt in batches,
  • Reassembles the data with the new ciphertext or plaintext values in the correct columns.

Example
Imagine we have a Drizzle schema (pseudo-code):

import { pgTable, text, varchar } from 'drizzle-orm/pg-core'

export const users = pgTable('users', {
  id: varchar('id').primaryKey(),
  name: text('name'),
  email: text('email').encrypted(),  // hypothetical "encrypted" marker
  phoneNumber: text('phone').encrypted(),
})

With an API like:

// Pseudo-code
await bulkEncryptWithSchema(users, userData)
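
One way the requested extract, batch and reassemble flow could look, as an added example that is not code from this issue or from the project. It assumes bulkEncrypt takes [{ plaintext, id }] and returns [{ c, id }]; `fakeBulkEncrypt`, `schema.encryptedColumns` and the `row:column` id format are hypothetical stand-ins.

```javascript
// Stand-in for the library's bulkEncrypt (assumed shape: [{ plaintext, id }] -> [{ c, id }]).
// It is NOT encryption; it tags values and reverses order to show matching is by id.
async function fakeBulkEncrypt(payloads) {
  return payloads.map(({ plaintext, id }) => ({ c: `ct(${plaintext})`, id })).reverse();
}

// `schema.encryptedColumns` is a hypothetical replacement for the `.encrypted()` marker.
async function bulkEncryptWithSchema(schema, rows, bulkEncrypt, batchSize = 100) {
  const out = rows.map((row) => ({ ...row })); // never mutate the caller's plaintext rows
  const payloads = [];
  rows.forEach((row, rowIndex) => {
    for (const column of schema.encryptedColumns) {
      if (row[column] === null || row[column] === undefined) continue; // nothing to encrypt
      // Composite id binds each ciphertext to exactly one (row, column) slot.
      payloads.push({ plaintext: row[column], id: `${rowIndex}:${column}` });
    }
  });
  const pending = new Set(payloads.map((p) => p.id));
  for (let i = 0; i < payloads.length; i += batchSize) {
    const results = await bulkEncrypt(payloads.slice(i, i + batchSize));
    for (const { c, id } of results) {
      if (!pending.delete(id)) throw new Error(`unexpected or duplicate id: ${id}`);
      const sep = id.indexOf(':');
      out[Number(id.slice(0, sep))][id.slice(sep + 1)] = c;
    }
  }
  // Fail closed: a dropped result would leave plaintext in a column marked encrypted.
  if (pending.size > 0) throw new Error(`no ciphertext for: ${[...pending].join(', ')}`);
  return out;
}

// Constructed sample data mirroring the users table above.
const usersSchema = { encryptedColumns: ['email', 'phoneNumber'] };
const userData = [
  { id: 'u1', name: 'Ada', email: 'ada@example.com', phoneNumber: '555-0100' },
  { id: 'u2', name: 'Bob', email: 'bob@example.com', phoneNumber: null },
];

bulkEncryptWithSchema(usersSchema, userData, fakeBulkEncrypt, 2).then((rows) => console.log(rows));
```

The final check is the part worth keeping in any real implementation: if a batch returns fewer results than were sent, the call throws instead of returning rows that still hold plaintext in a protected column.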