Format-Preserving Encryption for Trino
Encrypt and decrypt sensitive data directly in Trino SQL queries. SSNs, credit card numbers, and other PII stay in their original format — no schema changes, no broken joins.
What It Does
Cyphera for Trino adds format-preserving encryption as native UDFs. Call cyphera_protect to encrypt and cyphera_access to decrypt fields on the fly. The encrypted output preserves the original format: a 9-digit SSN stays a 9-digit SSN, dashes and all. Data Protection Headers are embedded in the output, so cyphera_access needs no configuration name.
Configurations are defined in a JSON file that maps field types to encryption engines, alphabets, and key references. Mount the configuration file and Trino handles the rest.
Quick Example
Configuration-based encryption
    SELECT cyphera_protect('ssn', '123-45-6789');
    -- → 'T01948-37-2150' (DPH-formatted, format preserved)
    SELECT cyphera_access(cyphera_protect('ssn', '123-45-6789'));
    -- → '123-45-6789'
Direct FF1 engine
    SELECT cyphera_ff1_encrypt('123456789', '<key_hex>', 'digits');
    SELECT cyphera_ff1_decrypt('<ciphertext>', '<key_hex>', 'digits');
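Added example, not Cyphera's code: a Python sketch of what format preservation over the digits alphabet involves, using a 10-round Feistel network in the style of FF1 but with HMAC-SHA256 as the round function instead of FF1's AES-based one, so its output will not match cyphera_ff1_encrypt. The names protect, feistel, round_value and KEY and the key value are constructed for illustration, and the Data Protection Header prefix is left out.

```python
import hashlib
import hmac

ALPHABET = "0123456789"
ROUNDS = 10  # FF1 also runs 10 Feistel rounds
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key

def round_value(key: bytes, rnd: int, n: int, half: str) -> int:
    # HMAC-SHA256 stands in for FF1's AES-based round function (assumption).
    msg = f"{rnd}:{n}:{half}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def feistel(key: bytes, digits: str, decrypt: bool = False) -> str:
    n = len(digits)
    if n < 6:
        # A tiny domain can be enumerated, so this sketch refuses it.
        raise ValueError("need at least 6 digits")
    u = n // 2
    a, b = digits[:u], digits[u:]
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    for i in order:
        m = u if i % 2 == 0 else n - u  # width of the half being rewritten
        if decrypt:
            c = (int(b) - round_value(key, i, n, a)) % 10**m
            a, b = f"{c:0{m}d}", a
        else:
            c = (int(a) + round_value(key, i, n, b)) % 10**m
            a, b = b, f"{c:0{m}d}"
    return a + b

def protect(key: bytes, value: str, decrypt: bool = False) -> str:
    # Only alphabet characters are enciphered; dashes and other
    # separators are copied through at their original positions.
    digits = "".join(ch for ch in value if ch in ALPHABET)
    out = iter(feistel(key, digits, decrypt))
    return "".join(next(out) if ch in ALPHABET else ch for ch in value)

if __name__ == "__main__":
    ct = protect(KEY, "123-45-6789")
    print(ct, protect(KEY, ct, decrypt=True))
```

In this sketch the output is deterministic for a given key, so equal plaintexts produce equal ciphertexts and an equality join on a protected column still matches.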
How It Works
The Trino plugin registers custom UDFs that call the Cyphera Java SDK. Configurations are loaded from a JSON file mounted at /etc/cyphera/cyphera.json (configurable via the CYPHERA_CONFIG_FILE environment variable).
Getting started is as simple as running docker compose up -d and executing a demo SQL script against the Trino endpoint.