π Hashing & Anonymization Functions in Kelora
Kelora provides four distinct hashing and pseudonymization functions to support fast bucketing, deterministic grouping, and secure anonymization. Each function is explicitly designed for a different use case.
βΈ»
π§Ί bucket(value: String) -> INT
Purpose:
Assigns a value to a numeric bucket using a fast, non-cryptographic hash.
Implementation:
β’ Uses xxh3_64 (fast, deterministic)
β’ Returns a 64-bit integer (INT)
Use Cases:
β’ Sampling: if bucket(user_id) % 10 == 0
β’ Sharding across workers or groups
β’ Grouping logs without revealing identity
Security Note:
β Not cryptographically secure.
β
Suitable for internal grouping only.
βΈ»
π’ hash(value: String, algo = "sha256") -> String
Purpose:
Applies a named hash algorithm to the input value and returns a hex-encoded string.
Supported Algorithms:
β’ "sha256" (default)
β’ "sha1"
β’ "md5"
β’ "xxh3" (as hex)
β’ "blake3"
Example:
let h1 = hash("hello"); // sha256 by default
let h2 = hash("value", "md5");
Use Cases:
β’ Fingerprinting values
β’ Explicit hash control
β’ Combining with user-provided salts
Security Note:
β Not salted by default β do not use for anonymization unless you prepend your own salt.
βΈ»
π anonymize(value: String) -> String
Purpose:
Produces a secure, salted, irreversible hex string for anonymizing sensitive data.
Implementation:
β’ Computes sha256(KELORA_SALT + value)
β’ Returns lowercase hex string (64 chars)
Environment Requirement:
β’ Requires KELORA_SALT to be set (env or config)
β’ Fails with a clear error if missing, including a suggestion for a random salt:
[kelora] error: `KELORA_SALT` is not set β required for `anonymize()` and `pseudonym()`.
You must set a stable, secret salt to ensure secure and consistent anonymization.
Suggested (randomized) example:
export KELORA_SALT="ac47f90dcf6b4d2fa08cfa7b3725e2e3"
Once set, pseudonyms will remain consistent across runs.
Use Cases:
β’ Pseudonymizing user_id, email, ip, session_id
β’ Sharing logs safely without leaking identity
β’ Linkable but irreversible IDs
Security Note:
β
Salted and cryptographically secure
β
Suitable for compliance and data privacy
βΈ»
πͺͺ pseudonym(value: String, length: INT = 10) -> String
Purpose:
Generates a short, URL-safe, deterministic pseudonym ID using Blake3 and base62 encoding.
Implementation:
β’ Computes blake3(KELORA_SALT + value)
β’ Encodes result to base62
β’ Truncates to length characters
Output:
β’ Base62 string (e.g., "A7cxQZf2Tb")
β’ Length configurable (default: 10)
Environment Requirement:
β’ Requires KELORA_SALT to be set
β’ Fails clearly if not set
Use Cases:
β’ Short anonymous user identifiers
β’ Linking across logs without revealing data
β’ Safer than truncated raw hashes
Security Note:
β
Salted and secure
β
Optimized for brevity and readability
β οΈ Truncation reduces collision resistance β tune length accordingly
βΈ»
π§ Summary Table
Function Output Secure Salted Use Forβ¦
bucket() INT (u64) β β Bucketing, sampling, grouping
hash() String (hex) β
/β β Explicit hashing, fingerprinting
anonymize() String (hex) β
β
PII anonymization, linkable IDs
pseudonym() String (base62) β
β
Short, readable pseudonyms
βΈ»
π Salt Handling
β’ anonymize() and pseudonym() require a secret salt
β’ Set it via environment variable KELORA_SALT="a3f02c9e7b9d..."
or via a command line option (which can be put into the config file)