CQRS + ES + GDPR =

{
    "class": "SensitiveUser\\User\\Domain\\Event\\UserRegistered",
    "payload": {
        "id": "b0fce205-d816-46ac-886f-06de19236750",
        "name": "Matteo",
        "surname": "Galacci",
        "email": "m.galacci@gmail.com"
        "occurred_at": "2022-01-08T14:22:38.065+00:00",
    }
}

class BroadwayUsers extends EventSourcingRepository implements Users
{
    public function add(User $user): void
    {
        parent::save($user);
    }
}

class User extends EventSourcedAggregateRoot
{
    public static function crea(
            UserId $userId, 
            string $name, 
            string $surname, 
            Email $email, 
            DateTimeImmutable $regDate
    ): self
    {
        $user = new self();

        $user->apply(new UserCreated($userId, $name, $surname, $email, $regDate));

        return $user;
    }
}

$user = User::create($userId, $name, $surname, $email, $registrationDate);

$users->add($user);

private function insertMessage(Connection $connection, DomainMessage $domainMessage): void
{
    $data = [
        'uuid' => $this->convertIdentifierToStorageValue((string) $domainMessage->getId()),
        'playhead' => $domainMessage->getPlayhead(),
        'metadata' => json_encode(
        	$this->metadataSerializer->serialize($domainMessage->getMetadata())
        ),
        'payload' => json_encode( 
        	$this->payloadSerializer->serialize($domainMessage->getPayload()) // <<===
        ),
        'recorded_on' => $domainMessage->getRecordedOn()->toString(),
        'type' => $domainMessage->getType(),
    ];

    $connection->insert($this->tableName, $data);
}

{
    "class": "SensitiveUser\\User\\Domain\\Event\\UserRegistered",
    "payload": {
        "id": "446effc9-4f5c-4369-8e89-91cb5c8509b9",
        "name": "Matteo",
        "surname": "Galacci",
        "email": "m.galacci@gmail.com",
        "occurred_at": "2022-01-08T14:22:38.065+00:00"
    }
}

{
    "class": "SensitiveUser\\User\\Domain\\Event\\UserRegistered",
    "payload": {
      	"id": "96607c7a-f4cd-4dd7-a406-9cde00913f79",
        "name": "Dario",
        "surname": "#-#SXZXQsvLTCVX8Kel0yaoHg==:iEMqT4YFE7OQzKdClNaDUg==",
      	"email": "#-#jTYqDtzJ8HHabEnJMMtuaiwiFcmCkZzel5985nSf\/Ig=:iEMqT4YFE7OQzKdClNaDUg==",
      	"occurred_at": "2022-01-14T15:04:58.323+00:00"
    }
}

services:
  broadway_sensitive_serializer.aggregate_keys.dbal:
    class: Matiux\Broadway\SensitiveSerializer\Dbal\DBALAggregateKeys
    arguments:
      $connection: "@doctrine.dbal.default_connection"
      $tableName: "aggregate_keys"
      $useBinary: false
      $binaryUuidConverter: "@broadway.uuid.converter"

broadway:
    # a service definition id implementing Broadway\EventStore\EventStore
    event_store: broadway.event_store.dbal

    # a service definition id implementing Broadway\ReadModel\RepositoryFactory
    read_model: broadway.read_model.in_memory.repository_factory

    # service definition ids implementing Broadway\Serializer\Serializer
    serializer:
        #payload: broadway.simple_interface_serializer
        payload: broadway_sensitive_serializer.serializer
        readmodel: broadway.simple_interface_serializer
        metadata:  broadway.simple_interface_serializer

broadway_sensitive_serializer:
  #Master key to encrypt the keys of aggregates.
  #Get it from an external service or environment variable
  aggregate_master_key: 'm4$t3rS3kr3tk31'
  #For now is the only one generator implemented. 256-bit encryption key
  key_generator: open-ssl
  #To use the DBAL  implementation, install matiux/broadway-sensitive-serializer-dbal
  aggregate_keys: broadway_sensitive_serializer.aggregate_keys.dbal
  #Default implementation, of little use outside of testing
  #aggregate_keys: broadway_sensitive_serializer.aggregate_keys.in_memory
  data_manager:
    name: AES256 #For now, it is the only encryption strategy implemented
    #Encryption key to sensitize data. If null you will need to pass the key at runtime.
    #This is the convenient way
    key: null
    #Initialization vector. If null it will be generated internally and iv_encoding must
    #be set to true. This is the convenient way
    iv: null 
    #Encrypt the iv and is appends to encrypted value. It makes sense to set it to true if
    #the iv option is set to null. This is the convenient way
    iv_encoding: true
  strategy:
    name: whole
    #Enable AggregateKey model auto creation. This is the convenient way
    aggregate_key_auto_creation: true
    excluded_id_key: id # The key of the aggregate id which should not be encrypted
    excluded_keys: # List of keys to be excluded from encryption
      - occurred_at
    events: # List of events supported by the strategy
      - SensitiveUser\User\Domain\Event\AddressAdded
      - SensitiveUser\User\Domain\Event\UserRegistered

broadway_sensitive_serializer:
  aggregate_master_key: 'm4$t3rS3kr3tk31'
  key_generator: open-ssl
  aggregate_keys: broadway_sensitive_serializer.aggregate_keys.dbal
  data_manager:
    name: AES256
    key: null
    iv: null 
    iv_encoding: true
  strategy:
    name: partial
    aggregate_key_auto_creation: true
    events: # List of events supported by the strategy
      - SensitiveUser\User\Domain\Event\AddressAdded:
        - address # List of keys to sensitize
      - SensitiveUser\User\Domain\Event\UserRegistered:
        - name
        - surname

broadway_sensitive_serializer:
  aggregate_master_key: 'm4$t3rS3kr3tk31'
  key_generator: open-ssl
  aggregate_keys: broadway_sensitive_serializer.aggregate_keys.dbal
  data_manager:
    name: AES256
    key: null
    iv: null 
    iv_encoding: true
  strategy:
    name: custom
    aggregate_key_auto_creation: true

services:
  _defaults:
    autowire: true
    autoconfigure: true
    public: false

  SensitiveUser\User\Domain\EventSensitizer\UserRegisteredSensitizer:
    parent: Matiux\Broadway\SensitiveSerializer\Serializer\Strategy\PayloadSensitizer
    tags:
      - { name: broadway.sensitive_serializer.custom }