Skip to main content
The PII map containing original values is encrypted using AES-256-GCM via the Web Crypto API, which works in both Node.js and browsers.

How It Works

When you anonymize text, Rehydra:
  1. Builds a mapping of placeholder IDs to original values
  2. Serializes the map to JSON
  3. Encrypts using AES-256-GCM with a random IV
  4. Returns the encrypted bundle

Key Providers

Rehydra uses a KeyProvider interface for flexible key management:

InMemoryKeyProvider (Development)

Generates a random key on instantiation. Key is lost on page refresh.
Only use InMemoryKeyProvider for development/testing. The key is lost when the process ends.

ConfigKeyProvider (Production)

Uses a pre-configured key from your environment:

Custom KeyProvider

Implement the interface for custom storage:

Decryption and Rehydration

To restore original values, decrypt the PII map and rehydrate:

Key Generation

Generate a secure 256-bit key:
Or via command line:

Key Derivation

Derive a key from a password:

Security Best Practices

Always use the encrypted storage. Never log or expose the decrypted piiMap.
Use platform-specific secure storage:
  • iOS: Keychain
  • Android: Keystore
  • Desktop: OS keychain (via keytar or similar)
  • Server: Environment variables, secrets manager
For long-running applications, rotate keys periodically:
Catch any missed PII in output:

Crypto Utilities

Additional cryptographic utilities:

Next Steps

Sessions & Storage

Persist encrypted PII maps across requests

API Reference

Complete crypto API documentation