Data protection SDK for Ruby — format-preserving encryption (FF1/FF3), data masking, and hashing.
gem install cyphera
require 'cyphera'
# Auto-discover cyphera.json
c = Cyphera::Client.load
# Or load from a specific file
c = Cyphera::Client.from_file('./config/cyphera.json')
# Protect
protected = c.protect('123-45-6789', 'ssn')
# → "T01i6J-xF-07pX" (DPH-prefixed, dashes preserved)
# Access (header-based, no configuration name needed)
accessed = c.access(protected)
# → "123-45-6789"
# Two-arg access is for header_enabled=false configurations only.
# Calling it on a headered configuration raises ArgumentError —
# use the single-arg form so the header identifies the configuration.
raw = c.protect('123456789', 'ssn_digits') # header_enabled=false
plain = c.access(raw, 'ssn_digits') # → "123456789"| Engine | Reversible | Description |
|---|---|---|
ff1 |
Yes | NIST SP 800-38G FF1 format-preserving encryption |
ff3 |
Yes | NIST SP 800-38G Rev 1 FF3-1 format-preserving encryption |
mask |
No | Simple pattern masking (last4, first1, full, etc.) |
hash |
No | SHA-256/384/512, HMAC when key provided |
{
"configurations": {
"ssn": { "engine": "ff1", "key_ref": "my-key", "header": "T01" },
"cc": { "engine": "ff1", "key_ref": "my-key", "header": "T02" },
"ssn_mask": { "engine": "mask", "pattern": "last4", "header_enabled": false }
},
"keys": {
"my-key": { "material": "2B7E151628AED2A6ABF7158809CF4F3C" }
}
}The header (Data Protection Header, DPH) is a short prefix prepended to
protected output that identifies the configuration used. It lets
access_by_header() reverse a value without the caller naming the
configuration.
All SDKs produce identical output for the same inputs:
Input: 123-45-6789
Java: T01i6J-xF-07pX
Rust: T01i6J-xF-07pX
Node: T01i6J-xF-07pX
Python: T01i6J-xF-07pX
Go: T01i6J-xF-07pX
.NET: T01i6J-xF-07pX
PHP: T01i6J-xF-07pX
Ruby: T01i6J-xF-07pX
Alpha. API is unstable.
Apache 2.0 — Copyright 2026 Horizon Digital Engineering LLC