Format-Preserving Encryption for BigQuery
Encrypt and decrypt sensitive data in BigQuery SQL via Remote UDFs backed by a high-performance Go server. Deploy to Cloud Run and call from any BigQuery query.
What It Does
Cyphera for BigQuery provides format-preserving encryption through BigQuery Remote Functions. A lightweight Go HTTP server handles encryption requests: deploy it to Cloud Run, register the remote UDFs in BigQuery, and call cyphera_protect to encrypt and cyphera_access to decrypt from any SQL query. Data Protection Headers (DPH) are embedded in the output, so cyphera_access needs no configuration name.
The architecture keeps everything inside your GCP project. BigQuery sends values to the Cloud Run service, which encrypts them and returns the results. Keys and configurations stay on your infrastructure.
Quick Example
BigQuery SQL
SELECT cyphera_protect('ssn', '123-45-6789');
-- → 'T01948-37-2150' (DPH-formatted, format preserved)
SELECT cyphera_access(cyphera_protect('ssn', '123-45-6789'));
-- → '123-45-6789'
HTTP API (for direct testing)
// Request
{"calls": [["ssn", "123-45-6789"], ["ssn", "987-65-4321"]]}
// Response
{"replies": ["456-78-9012", "210-98-7654"]}
How It Works
The Go server implements the BigQuery Remote UDF protocol. It exposes endpoints for encryption (POST /), decryption (POST /decrypt), and health checks (GET /health). Deploy to GCP with the included deploy script, then run the provided DDL to register the BigQuery remote functions.
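The calls/replies exchange shown under HTTP API, handled the way a Remote UDF endpoint has to handle it: one reply per call in call order, and errors that name the row but never echo the value. This is an added example, not Cyphera's code; Transform, ProcessBatch, Handler, the 10 MiB body cap, the NULL pass-through and the masking stand-in in main are assumptions of the example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Transform is a hypothetical hook where the real protect or access call goes.
type Transform func(config, value string) (string, error)
// ProcessBatch returns exactly one reply per call, in call order.
func ProcessBatch(calls [][]*string, fn Transform) ([]*string, error) {
	replies := make([]*string, len(calls))
	for i, call := range calls {
		if len(call) != 2 || call[0] == nil {
			return nil, fmt.Errorf("row %d: expected (config, value)", i)
		}
		if call[1] == nil {
			continue // assumption of this example: SQL NULL in, NULL out
		}
		out, err := fn(*call[0], *call[1])
		if err != nil { // name the row only, never echo the sensitive value
			return nil, fmt.Errorf("row %d: transform failed", i)
		}
		replies[i] = &out
	}
	return replies, nil
}

// Handler reads {"calls": ...} and answers {"replies": ...}, or a non-200 status with {"errorMessage": ...}.
func Handler(fn Transform) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Calls [][]*string `json:"calls"` }
		w.Header().Set("Content-Type", "application/json")
		replies, err := []*string(nil), fmt.Errorf("malformed request body")
		if json.NewDecoder(http.MaxBytesReader(w, r.Body, 10<<20)).Decode(&req) == nil { // assumed 10 MiB cap
			replies, err = ProcessBatch(req.Calls, fn)
		}
		if err != nil {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"errorMessage": err.Error()})
			return
		}
		json.NewEncoder(w).Encode(map[string][]*string{"replies": replies})
	}
}

func main() { // mask is a constructed stand-in so the server starts; it does NOT encrypt
	mask := func(_, v string) (string, error) { return "[masked]", nil }
	http.ListenAndServe("127.0.0.1:8080", Handler(mask))
}
```

Returning a generic message for failed rows keeps plaintext out of BigQuery job errors and logs, which is where an errorMessage from a remote function ends up.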
For local development and testing, docker compose up -d spins up the server and a demo script validates the round-trip.