diff --git a/Gemfile b/Gemfile index ccc2913..cc5430e 100644 --- a/Gemfile +++ b/Gemfile @@ -21,9 +21,12 @@ gem 'jbuilder' # Reduces boot times through caching; required in config/boot.rb gem 'bootsnap', '>= 1.4.2', require: false +gem 'lockbox' + +# gem 'airrecord' gem 'google-api-client' gem 'rack-cors' -gem "sentry-raven" +gem 'sentry-raven' group :development, :test do # Call 'byebug' anywhere in the code to stop execution and get a debugger console diff --git a/Gemfile.lock b/Gemfile.lock index 01fe03f..2cc091d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -100,6 +100,7 @@ GEM listen (3.2.1) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) + lockbox (0.3.4) loofah (2.5.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) @@ -224,6 +225,7 @@ DEPENDENCIES google-api-client jbuilder listen + lockbox pg puma rack-cors diff --git a/app/models/authentication.rb b/app/models/authentication.rb index 4195dc4..58fe264 100644 --- a/app/models/authentication.rb +++ b/app/models/authentication.rb @@ -1,6 +1,9 @@ class Authentication < ApplicationRecord belongs_to :user + encrypts :access_token + encrypts :refresh_token + def expired? expires_at <= Time.current end diff --git a/db/migrate/20200408212150_add_lockbox_columns.rb b/db/migrate/20200408212150_add_lockbox_columns.rb new file mode 100644 index 0000000..05d0e49 --- /dev/null +++ b/db/migrate/20200408212150_add_lockbox_columns.rb @@ -0,0 +1,8 @@ +class AddLockboxColumns < ActiveRecord::Migration[6.0] + def change + add_column :authentications, :access_token_ciphertext, :text + add_column :authentications, :refresh_token_ciphertext, :text + remove_column :authentications, :access_token + remove_column :authentications, :refresh_token + end +end diff --git a/db/schema.rb b/db/schema.rb index b1176f2..359fb4f 100644 --- a/db/schema.rb +++ b/db/schema.rb 
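Review bot: In Gemfile, `gem 'lockbox'` is added with no version constraint, so only Gemfile.lock (0.3.4) holds it in place, and a later `bundle update` can move the library that encrypts the stored OAuth tokens across a pre-1.0 release without anyone deciding to. A pessimistic constraint such as `gem 'lockbox', '~> 0.3.4'` would make each upgrade an explicit, reviewed change. The commented-out `# gem 'airrecord'` line is unrelated to this change and is better left out of the commit.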
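Review bot: In app/models/authentication.rb, the two `encrypts` lines make `access_token` and `refresh_token` virtual attributes backed by the new `*_ciphertext` columns, and nothing in the model says so. A comment above them would help the next reader, for example `# Lockbox: stored in access_token_ciphertext / refresh_token_ciphertext, key read from LOCKBOX_MASTER_KEY`. Any lookup by plaintext value, such as `where(access_token: ...)`, stops working once the migration drops the old columns; whether such callers exist cannot be checked from this diff. It is also worth confirming that both attribute names are listed in `config.filter_parameters`, so the tokens stay out of request logs.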
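Review bot: In db/migrate/20200408212150_add_lockbox_columns.rb, `change` drops the plaintext `access_token` and `refresh_token` columns in the same step that adds the ciphertext columns, so every token already stored is discarded rather than encrypted and each existing user has to re-authorise. If that is not intended, keep the old columns for one release, declare `encrypts :access_token, migrating: true` (likewise for `refresh_token`), backfill with `Lockbox.migrate(Authentication)`, and remove the plaintext columns in a follow-up migration. As written the migration also cannot be rolled back, because `remove_column` is given no column type; pass it, e.g. `remove_column :authentications, :access_token, :string`, using the type the column really had, which is not shown here. Dropping the columns does not remove the plaintext from existing database backups, so tokens that were stored unencrypted may still need to be revoked. The db/schema.rb section of this diff changes only the version number; the `authentications` table definition should change too, so the file looks as if it was not regenerated.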
@@ -10,7 +10,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 2020_04_05_161905) do +ActiveRecord::Schema.define(version: 2020_04_08_212150) do # These are extensions that must be enabled in order to support this database enable_extension "plpgsql" diff --git a/env.example b/env.example index 3ace5a2..70b5e82 100644 --- a/env.example +++ b/env.example @@ -1,3 +1,4 @@ GOOGLE_CLIENT_ID=clientid GOOGLE_CLIENT_SECRET=secret GOOGLE_PROJECT_ID=projectid +LOCKBOX_MASTER_KEY=f7b18b63d3f7ec48fa78bab327cdf81b0969020f70dc16947b14572cde3e2b7d
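Review bot: In env.example, `LOCKBOX_MASTER_KEY` is set to a complete 64-hex-character value, where the other entries use obvious placeholders (`clientid`, `secret`, `projectid`). Anyone who copies this file to create their environment ends up encrypting OAuth tokens under a key that is published in the repository, which makes the encryption at rest ineffective. Replace it with a placeholder such as `LOCKBOX_MASTER_KEY=replace-with-output-of-Lockbox.generate_key`. If this value was ever used in a real environment, treat it as disclosed: generate a new key and re-encrypt or invalidate the tokens stored under it.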