How It Works
When you anonymize text, Rehydra:- Builds a mapping of placeholder IDs to original values
- Serializes the map to JSON
- Encrypts using AES-256-GCM with a random IV
- Returns the encrypted bundle
Key Providers
Rehydra uses aKeyProvider interface for flexible key management:
InMemoryKeyProvider (Development)
Generates a random key on instantiation. Key is lost on page refresh.ConfigKeyProvider (Production)
Uses a pre-configured key from your environment:Custom KeyProvider
Implement the interface for custom storage:Decryption and Rehydration
To restore original values, decrypt the PII map and rehydrate:Key Generation
Generate a secure 256-bit key:Key Derivation
Derive a key from a password:Security Best Practices
Never log the raw PII map
Never log the raw PII map
Always use the encrypted storage. Never log or expose the decrypted
piiMap.Persist keys securely
Persist keys securely
Use platform-specific secure storage:
- iOS: Keychain
- Android: Keystore
- Desktop: OS keychain (via
keytaror similar) - Server: Environment variables, secrets manager
Implement key rotation
Implement key rotation
For long-running applications, rotate keys periodically:
Enable leak scanning
Enable leak scanning
Catch any missed PII in output:
Crypto Utilities
Additional cryptographic utilities:Next Steps
Sessions & Storage
Persist encrypted PII maps across requests
API Reference
Complete crypto API documentation