Reversible Encryption: The Power of Temporary Anonymization

Last Updated: 2026-02-17

Overview#

Reversible Encryption is cloak.business's unique anonymization method that allows you to encrypt PII now and restore it later. Unlike permanent anonymization methods (Replace, Redact, Hash, Mask), encrypted data can be fully restored to its original form using your personal encryption key.

This feature is essential for workflows where you need temporary protection without permanently destroying sensitive data.

Table of Contents#

1. Why Reversible Encryption?
2. How It Works
3. Comparison with Other Methods
4. Technical Specifications
5. Real-World Use Cases
6. Integration Options
7. Security Guarantees
8. Best Practices
9. Frequently Asked Questions

Why Reversible Encryption?#

Traditional anonymization methods permanently transform or remove PII. Once applied, the original data is gone forever. This works for many scenarios, but not all.

Reversible Encryption solves four critical problems:

1. Temporary Data Sharing#

Share documents with external parties (consultants, vendors, partners) without exposing real PII. When the engagement ends, restore the original data for your internal records.

Example: During a merger, share anonymized customer lists with due diligence teams. After the deal closes, restore originals for integration.

2. Audit Trail Preservation#

Anonymize production data for testing or analysis while maintaining the ability to trace back to originals when needed for compliance audits.

Example: Copy a database to a test environment with encrypted user data. When investigating a specific bug, decrypt the relevant records to understand the exact user journey.

3. Legal Discovery Protection#

During litigation, protect sensitive information while sharing documents with opposing counsel. If a court orders full disclosure, you retain the ability to restore original data.

Example: Anonymize witness names in shared documents. If subpoenaed, decrypt and provide the original names without claiming data destruction.

4. Safe AI Workflows#

Send prompts to AI assistants (ChatGPT, Claude, Gemini) with encrypted PII. When reviewing AI outputs internally, restore the original context.

Example: "Customer encrypted:xyz123 reported an issue with order encrypted:abc456" → AI processes safely → restore "Customer John Smith reported an issue with order #12345" for your team.

How It Works#

Step 1: Encrypt During Anonymization#

When you run the anonymizer with the Encrypt method selected, cloak.business:

1. Detects all PII in your text (names, emails, phone numbers, etc.)
2. Encrypts each detected value using AES-256-GCM with your personal encryption key
3. Replaces each PII value with an encrypted token: <encrypted:base64data>
4. Returns the anonymized text with all PII encrypted

Before:

Contact John Smith at john.smith@company.com regarding invoice #INV-2024-001.

After (encrypted):

Contact <encrypted:aHR0cHM6Ly9leGFt> at <encrypted:cGxlLmNvbS9hcGk=> regarding invoice <encrypted:I0lOVi0yMDI0LTAw>.

Step 2: Share Safely#

The encrypted text can be shared freely:

• Without the encryption key, the tokens are computationally infeasible to decrypt
• The text structure remains intact, so it can be processed, analyzed, or reviewed
• No one can identify who "John Smith" is or what his email address was

Step 3: Restore Anytime#

To restore the original data:

1. Open the Deanonymizer tab in cloak.business
2. Paste the encrypted text
3. Enter your encryption key (the same key used during anonymization)
4. Click Decrypt
5. Original values are instantly restored

Restored:

Contact John Smith at john.smith@company.com regarding invoice #INV-2024-001.

Comparison with Other Methods#

Key Differences#

• Encrypt is the ONLY method that can be reversed
• Replace creates realistic fake data but destroys the original permanently
• Redact removes PII entirely, leaving [REDACTED] placeholders
• Hash creates one-way cryptographic hashes (same input = same hash, useful for linking records)
• Mask partially obscures data (e.g., j***@e****.com) but destroys precision

Technical Specifications#

Encryption Algorithm#

AES-256-GCM (Advanced Encryption Standard with 256-bit keys, Galois/Counter Mode)

• Industry standard used by banks, governments, and military organizations worldwide
• 256-bit key provides 2^256 possible key combinations
• GCM mode provides authenticated encryption (confidentiality + integrity)
• Each encryption operation uses a unique initialization vector (IV)

Key Requirements#

Your encryption key must be exactly:

• 16 characters (128-bit key)
• 24 characters (192-bit key)
• 32 characters (256-bit key) — Recommended

Longer keys provide stronger security. We recommend 32-character keys for maximum protection.

Token Format#

Encrypted values are stored as: <encrypted:BASE64_ENCODED_DATA>

• The <encrypted: prefix identifies encrypted tokens
• The base64-encoded data contains the encrypted value plus authentication tag
• The > suffix closes the token

Zero Key Storage#

cloak.business never stores your encryption key.

• Keys are transmitted securely over HTTPS, used for the operation, and immediately discarded
• Only encrypted tokens are stored in session history
• If you lose your key, we cannot help you recover data — this is by design

Real-World Use Cases#

AI Assistant Workflows#

Scenario: Your support team wants to use AI to draft responses to customer tickets, but tickets contain customer names, emails, and order numbers.

Solution:

1. Copy the ticket text
2. Use the cloak.business Chrome Extension to encrypt PII
3. Paste the encrypted text into ChatGPT/Claude
4. AI generates a response with encrypted placeholders
5. Click "Restore" in the extension to reveal original customer data
6. Review and send the personalized response

Benefit: AI never sees real customer data, but your final response is fully personalized.

Vendor Data Sharing#

Scenario: You're working with an external marketing agency that needs customer demographics for campaign planning, but you can't share actual customer PII.

Solution:

1. Export customer data with names, emails, and addresses
2. Run through cloak.business with Encrypt method
3. Share the encrypted dataset with the agency
4. Agency analyzes demographics, creates campaigns
5. When they send targeting lists, decrypt to identify actual customers

Benefit: Agency works with real data structures without seeing real PII.

Production-to-Test Data Migration#

Scenario: Developers need realistic data to test a new feature, but production data contains sensitive customer information.

Solution:

1. Export production database
2. Run through cloak.business API with Encrypt method
3. Import encrypted data into test environment
4. Developers test with realistic data structures
5. When debugging specific issues, decrypt relevant records

Benefit: Realistic testing without PII exposure, with ability to trace back for debugging.

Legal Discovery#

Scenario: During litigation, you must share internal documents with opposing counsel, but documents contain confidential information about third parties.

Solution:

1. Identify documents subject to discovery
2. Encrypt third-party PII (witness names, customer data)
3. Share encrypted documents
4. If court orders disclosure, decrypt and provide originals
5. Maintain proof that data was protected, not destroyed

Benefit: Comply with discovery while protecting uninvolved parties. Full restoration if ordered.

Integration Options#

Reversible Encryption is available across all cloak.business platforms:

Web Application#

Full encrypt/decrypt workflow in the Anonymizer and Deanonymizer tabs.

• Enter text, select Encrypt method, enter key
• Copy encrypted output
• Paste into Deanonymizer, enter key, restore

REST API#

Encrypt:

curl -X POST https://cloak.business/api/presidio/anonymize \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "text": "Contact John Smith at john@example.com",
    "analyzer_results": [...],
    "operators": {
      "DEFAULT": {"type": "encrypt", "key": "your-32-char-key-here"}
    }
  }'

Decrypt:

curl -X POST https://cloak.business/api/presidio/deanonymize \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "text": "Contact <encrypted:xyz> at <encrypted:abc>",
    "deanonymizers": {
      "DEFAULT": {"type": "decrypt", "key": "your-32-char-key-here"}
    }
  }'

MCP Server#

For Claude Desktop and compatible AI assistants:

• text_anonymize with operator encrypt and your key
• text_detokenize to restore encrypted values

Desktop App#

Document processing with encrypt method:

• Upload PDF, DOCX, or TXT files
• Select Encrypt method and enter key
• Download encrypted document
• Use Deanonymize mode to restore

Chrome Extension#

One-click encryption for AI chat interfaces:

• Works with ChatGPT, Claude.ai, Gemini
• Encrypt before sending, restore after receiving
• Key synced with your cloak.business vault

Official SDKs (Client-Side Encryption)#

For maximum security, our SDKs include ClientCrypto modules for true zero-knowledge encryption where keys never leave your device:

JavaScript/TypeScript:

import { CloakClient, ClientCrypto } from '@cloak-business/sdk';

const client = new CloakClient({ apiKey: 'your-api-key' });

// Client-side encryption - key never sent to server
const key = await ClientCrypto.generateKey();
const encrypted = await ClientCrypto.encrypt(key, 'John Smith');

// Use SDK for PII detection (server-side)
const analysis = await client.analyze({ text: 'Contact John Smith' });

// Combine: detect PII server-side, encrypt locally
const encryptedData = await ClientCrypto.encryptObject(key, {
  originalText: 'Contact John Smith',
  entities: analysis.results
});

Python:

from cloak_business import CloakClient, ClientCrypto

client = CloakClient(api_key="your-api-key")

# Client-side encryption
key = ClientCrypto.generate_key()
encrypted = ClientCrypto.encrypt(key, "John Smith")

# Server-side detection
analysis = client.analyze(text="Contact John Smith")

# Decrypt locally when needed
decrypted = ClientCrypto.decrypt(key, encrypted)

When to use Client-Side vs Server-Side:

See the SDK Reference for complete documentation.

Security Guarantees#

1. Your encryption key is transmitted securely over HTTPS and never stored on our servers — used only for the operation, then discarded

2. Encrypted tokens are computationally infeasible to decrypt without the correct key — AES-256 has no known practical attacks

3. We never store your encryption key — if you lose it, we cannot help you recover data

4. All processing happens on ISO 27001-certified servers in Nuremberg, Germany

5. AES-256-GCM provides both confidentiality and integrity — tampered tokens will fail to decrypt

Best Practices#

Key Management#

1. Use a password manager to store your encryption keys
2. Use different keys for different projects to limit exposure
3. Document which key was used for which dataset
4. Never share keys via email or chat — use secure channels

Workflow Design#

1. Establish a key rotation policy for long-running projects
2. Test decryption immediately after encryption to verify your key works
3. Keep encrypted originals until you've confirmed restoration works
4. Use 32-character keys for maximum security

Compliance#

1. Document your encryption workflow for audit purposes
2. Maintain logs of who has access to encryption keys
3. Establish key recovery procedures within your organization
4. Consider key escrow for critical business data

Frequently Asked Questions#

What happens if I lose my encryption key?#

Encrypted data becomes permanently unrecoverable. We do not store your key and have no way to decrypt your data. Always store your encryption key in a secure password manager.

Can I use different keys for different documents?#

Yes. Each anonymization operation uses the key you provide. You can use different keys for different projects, but you must track which key was used for which document.

What are the key length requirements?#

Keys must be exactly 16, 24, or 32 characters (128, 192, or 256 bits). Longer keys provide stronger encryption. We recommend 32-character keys for maximum security.

Can I decrypt only some values?#

Currently, decryption processes all encrypted tokens in the text. You cannot selectively decrypt individual values while leaving others encrypted.

Can I decrypt via API?#

Yes. Use POST /api/presidio/deanonymize with the encrypted text and your key. The API returns the fully restored original text.

What if someone modifies the encrypted text?#

AES-256-GCM includes authentication. If the encrypted token is modified in any way, decryption will fail. This protects against tampering.

Is the encryption key transmitted to your servers?#

The key is transmitted securely over TLS during the API call, used only for the encryption/decryption operation, and immediately discarded. It is never logged or stored.

Can I encrypt the same value multiple times?#

Yes, but each encryption produces a different token (due to unique IVs). If you need consistent pseudonymization across documents, use the Hash method instead.

Related Documentation#

• Deanonymizer Guide — Detailed instructions for restoring encrypted data
• Anonymizer Guide — Complete guide to all anonymization methods
• API Reference — Full API documentation including encrypt/decrypt endpoints
• SDK Reference — JavaScript & Python SDKs with client-side encryption
• Zero-Knowledge Auth — How zero-knowledge principles protect your account
• Chrome Extension Guide — Using encryption in browser-based AI workflows

Document maintained by cloak.business