Format-preserving encryption for BigQuery via Remote UDFs.
A high-performance Go HTTP server that BigQuery calls as a Remote Function. Deployable to Cloud Run or as a local Docker container.
Built on cyphera-go.
docker compose up -d
bash demo.shexport GCP_PROJECT_ID=your-project
bash deploy.shThen run the DDL in bq_setup.sql to create the BQ remote functions.
-- Protect with a named policy
SELECT cyphera_protect('ssn', '123-45-6789');
-- → 'T01948-37-2150' (tagged, format preserved)
-- Access — tag tells Cyphera which policy to use, no policy name needed
SELECT cyphera_access(cyphera_protect('ssn', '123-45-6789'));
-- → '123-45-6789'| Endpoint | Method | Description |
|---|---|---|
/ |
POST | Encrypt (BQ Remote UDF protocol) |
/decrypt |
POST | Decrypt |
/health |
GET | Health check |
{"calls": [["ssn", "123-45-6789"], ["ssn", "987-65-4321"]]}
→ {"replies": ["456-78-9012", "210-98-7654"]}