The refreshkeys should be encrypted in the database right? (i would use bcrypt for that)