Format-Preserving Encryption for PostgreSQL
Encrypt and decrypt sensitive data directly in PostgreSQL with native UDF functions. No schema changes, no application rewrites — just SQL.
What It Does
Cyphera for PostgreSQL installs format-preserving encryption functions directly into your database. Call cyphera_protect to encrypt and cyphera_access to decrypt sensitive fields while keeping the original format intact. Data Protection Headers are embedded in the output so access needs no configuration name. A Social Security number stays a Social Security number. A phone number stays a phone number.
Built as a native Rust extension via cyphera-rust, the PostgreSQL integration delivers high-performance encryption without leaving the database engine.
Quick Example
Configuration-based encryption
SELECT cyphera_protect('ssn', '123-45-6789'); -- → 'T01948-37-2150' (DPH-formatted, format preserved) SELECT cyphera_access(cyphera_protect('ssn', '123-45-6789')); -- → '123-45-6789'
Direct FF1 engine
SELECT cyphera_ff1_encrypt('123456789', '<key_hex>', 'digits'); SELECT cyphera_ff1_decrypt('<ciphertext>', '<key_hex>', 'digits');
How It Works
The extension registers custom SQL functions powered by the Cyphera Rust engine. Supported alphabets include digits (0-9), lowercase alpha (a-z), and alphanumeric (0-9a-zA-Z). Non-alphabet characters like dashes and spaces are preserved in place automatically.
Getting started takes one command: docker compose up -d, then connect and run the demo SQL.