Skip to main content
Rehydra uses AES-256-GCM encryption via the Web Crypto API for securing PII maps.

Key Providers

InMemoryKeyProvider

Generates a random key in memory. Key is lost when the process ends.
Only for development/testing. The key is not persisted.

ConfigKeyProvider

Uses a pre-configured key from your environment.

KeyProvider Interface

Implement for custom key storage:

Encryption Functions

encryptPIIMap()

Encrypts a PII map.

decryptPIIMap()

Decrypts a PII map.

Key Generation

generateKey()

Generate a random 256-bit key.

generateSalt()

Generate a random salt for key derivation.

deriveKey()

Derive a key from a password using PBKDF2.

Utility Functions

validateKey()

Check if a key is valid.

secureCompare()

Constant-time comparison to prevent timing attacks.

uint8ArrayToBase64()

Convert Uint8Array to Base64.

base64ToUint8Array()

Convert Base64 to Uint8Array.

EncryptedPIIMap Structure


Complete Example


Security Notes

  • Never commit keys to version control
  • Use environment variables or secrets managers
  • Consider platform keystores (iOS Keychain, Android Keystore)
Implement key rotation for long-running applications:
In browsers:
  • Keys in memory can be accessed by malicious scripts
  • Consider using SubtleCrypto key wrapping
  • Clear keys when no longer needed