HeadlinesBriefing.com

Secure Lambda Durable Functions with Custom Encryption

DEV Community

AWS Lambda Durable Functions simplify long-running serverless workflows, but by default they checkpoint workflow state, including any sensitive data it carries. While AWS encrypts this data at rest, organizations with strict compliance requirements need more control over the encryption keys and over who can see the data.

Developers can implement custom SerDes (serialization/deserialization) logic that encrypts checkpoint payloads before they are stored. This approach supports both full-payload encryption and field-level encryption, where only sensitive fields such as SSNs or credit card numbers are encrypted while the rest of the payload stays visible for operations.

The trade-off becomes clear in production debugging. Full encryption obscures all data in Lambda console logs, requiring manual decryption for troubleshooting. Field-level encryption maintains workflow structure while protecting PII, offering a balanced approach for teams managing HIPAA or PCI-DSS compliance requirements.

Lambda's durable execution SDK enables these security patterns today, though AWS does not yet support customer-managed KMS keys natively. Community-driven RFCs aim to standardize these utilities in AWS Powertools for broader adoption.