The Cloak

The Cloak applies format-preserving encryption (AES-FF1) and tokenization to sensitive fields identified by Sentinel Tag. FPE produces output that looks like the original data — a masked credit card number still looks like a credit card number — keeping data analytically useful while protecting sensitive values.

Capabilities

  • Format-preserving encryption (AES-FF1)
  • Deterministic tokenization (HMAC-SHA256)
  • Reversible masking (with key)
  • Irreversible pseudonymization
  • Partial masking (show last 4 digits)
  • Consistent cross-dataset tokenization

Configuration

the-cloak.yaml 
agent: the-cloak
version: "1.0"
encryption:
  algorithm: AES-FF1
  key_source: vault
  key_id: "${CLOAK_KEY_ID}"
tokenization:
  algorithm: HMAC-SHA256
  deterministic: true

Example

the-cloak-example.ts 
const result = await mcp.call('the_cloak_mask', {
  payload: classifiedPayload,
  stream_uuid: streamUUID,
  sensitive_fields: sentinelResult.sensitive_fields,
  mode: 'tokenize',
});
// "4532-1234-5678-9012" → "4532-XXXX-XXXX-9012"

Pricing

$0.00012 USDC/row

View full agent page →

Edit this page on GitHub