Cyphera Data Protection SDKs
Format-preserving encryption, AES-GCM, data masking, and hashing across nine languages and thirteen platform integrations.
How it works
Cyphera SDKs produce DPH-formatted output — each protected value carries a short prefix (Data Protection Header, DPH) that identifies the engine and configuration used to protect it. This means Access() works without needing to specify the field name. The SDK reads the header, routes to the correct engine, and decrypts automatically.
Under the hood, the engines include format-preserving encryption (NIST SP 800-38G FF1 and FF3-1), AES-GCM, data masking, and hashing. FPE keeps original data formats intact — SSNs stay 9 digits, card numbers stay 16. All FPE implementations are tested against the full NIST test vector suite. For use cases that require strict, headerless FPE output, the engines can be used directly.
Protection is configured per field in a JSON configuration file. One API call to protect, one to access.
Traditional encryption
123-45-6789 → dGhpcyBpcyBhIGJhc2U2NCBib2IgdGhhdCBicmVha3MgZXZlcnl0aGluZw==
Breaks your schema. 3x wider. Requires column type changes.
Cyphera (DPH-formatted output)
123-45-6789 → T01i6J-xF-07pX
DPH-formatted, format-preserving, self-describing. Access() needs no field name.
Engines
- ff1 (reversible): NIST SP 800-38G FF1 format-preserving encryption
- ff3 (reversible): NIST SP 800-38G Rev 1 FF3-1 format-preserving encryption
- aes (reversible): AES-256-GCM authenticated encryption
- mask (one-way): Pattern masking (last4, first1, full, custom)
- hash (one-way): SHA-256/384/512, HMAC when key provided
Quick start
go get github.com/cyphera-labs/cyphera-go
import "github.com/cyphera-labs/cyphera-go"
// Auto-discover cyphera.json
c, err := cyphera.Load()
// Protect — DPH-formatted, dashes preserved
encrypted, err := c.Protect("123-45-6789", "ssn")
// → "T01i6J-xF-07pX"
// Access — header-based, no configuration name needed
decrypted, err := c.Access(encrypted)
// → "123-45-6789"
Configuration
Protection is configured per field in cyphera.json. Each entry specifies an engine, key reference, and optional header prefix for self-describing ciphertext.
{
  "configurations": {
    "ssn": { "engine": "ff1", "key_ref": "main", "header": "T01" },
    "cc": { "engine": "ff1", "key_ref": "main", "header": "T02" },
    "name": { "engine": "mask", "pattern": "first1" }
  },
  "keys": {
    "main": { "provider": "env", "env_var": "CYPHERA_KEY" }
  }
}
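Added example (not Cyphera's code): a sketch of header-based routing over the configuration above, showing why header values have to be unique and prefix-free for Access() to pick one configuration. It assumes the header is a literal prefix of the protected value, as in T01i6J-xF-07pX; Resolve and SampleConfig are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SampleConfig is the "configurations" block from this page's cyphera.json.
const SampleConfig = `{"configurations": {
  "ssn":  {"engine": "ff1", "key_ref": "main", "header": "T01"},
  "cc":   {"engine": "ff1", "key_ref": "main", "header": "T02"},
  "name": {"engine": "mask", "pattern": "first1"}}}`

// Resolve returns the configuration selected by value's leading header (assumed
// to be a literal prefix). Headers that equal or prefix one another are rejected.
func Resolve(raw []byte, value string) (match string, err error) {
	var cfg struct {
		Configurations map[string]struct {
			Header string `json:"header"`
		} `json:"configurations"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", err
	}
	seen := map[string]string{} // header -> configuration name
	for name, e := range cfg.Configurations {
		if e.Header == "" {
			continue // no header (here: the mask entry), nothing to route
		}
		for h, other := range seen {
			if strings.HasPrefix(h, e.Header) || strings.HasPrefix(e.Header, h) {
				return "", fmt.Errorf("headers %q (%s) and %q (%s) are ambiguous", e.Header, name, h, other)
			}
		}
		seen[e.Header] = name
		if strings.HasPrefix(value, e.Header) {
			match = name
		}
	}
	if match == "" {
		return "", fmt.Errorf("no configured header matches %q", value)
	}
	return match, nil
}

func main() {
	fmt.Println(Resolve([]byte(SampleConfig), "T01i6J-xF-07pX"))
}
```

A value with no recognised header, such as a raw SSN, returns an error here rather than being passed to any engine.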
Language SDKs
Nine SDKs with identical behavior. Protect in Go, access in Python — same configuration, same output.
- Java — cyphera-java
- Go — cyphera-go
- Python — cyphera-python
- Rust — cyphera-rust
- Node.js — cyphera-node
- .NET — cyphera-dotnet
- PHP — cyphera-php
- Ruby — cyphera-ruby
- Swift — cyphera-swift
Platform integrations
Native integrations for databases, ORMs, and streaming platforms. One configuration, every platform.
- Hibernate — Transparent field-level FPE via annotation
- Spring Boot — Auto-configured starter
- Kafka Connect — Single Message Transform for real-time pipelines
- Trino — SQL UDF plugin
- PostgreSQL — Native Rust extension via pgrx
- Snowflake — Java UDF
- Databricks — Spark UDF
- BigQuery — Remote UDF via Cloud Run
- Informatica — Java transformation for PowerCenter / IDMC
- Apache NiFi — Processor for data flows
- Apache Flink — SQL UDF for streaming analytics
- StreamSets — Processor for data engineering pipelines
- Striim — UDF + Open Processor for CDC
Key management
Cyphera SDKs use keychain libraries for key resolution. Each keychain supports multiple providers:
- File and environment variable (local development)
- AWS KMS
- GCP Cloud KMS
- Azure Key Vault
- HashiCorp Vault
- KMIP (via Cyphera Open KMIP Server or any KMIP-compliant system)
Standards & references
Cyphera's data-protection engines implement published cryptographic standards. Primary references:
- NIST SP 800-38G — Methods for Format-Preserving Encryption (FF1, FF3-1)
- NIST SP 800-38D — Galois/Counter Mode (GCM) for AES
- NIST FIPS 197 — Advanced Encryption Standard (AES)
- Format-preserving encryption — concept overview (Wikipedia)
- AES-GCM — concept overview (Wikipedia)