A Common Approach to IP Address Encryption
IPCrypt is a simple, open specification for encrypting and obfuscating IP addresses, balancing privacy considerations with practical network operations.
What is IPCrypt?
IPCrypt is a community-created specification that suggests methods for encrypting and obfuscating IP addresses. It aims to help network operators, researchers, and privacy advocates share or analyze data while considering address privacy.
The specification offers both deterministic format-preserving and non-deterministic approaches that work with both IPv4 and IPv6 addresses.
Simplicity is a core value in IPCrypt's design. Rather than trying to create new cryptographic methods, we've used established standards that are well-understood and widely available, making it easier for anyone to implement.
Key Features
Privacy Protection
Encrypt IP addresses to prevent disclosure of user-specific information when data is logged or measured, as discussed in RFC 6973.
Format Preservation
Ensure that encrypted output remains a valid IP address, allowing network devices to process the data without modification.
Correlation Protection
Non-deterministic modes use a random tweak to obscure linkability while keeping the underlying input confidential.
Privacy-Preserving Analytics
Perform common operations like counting unique clients or implementing rate limiting using encrypted IP addresses without accessing original values.
Third-Party Service Integration
Use encrypted IP addresses as keys or identifiers when integrating with potentially untrusted third-party services or cloud providers.
Consistent Approach
Replace ad-hoc mechanisms with a well-defined, cryptographically sound specification that can be implemented consistently across systems.
A Common Approach
IPCrypt is a simple, open specification that tries to be practical and easy to implement. We've focused on clarity and simplicity so that anyone can understand and use it, regardless of their resources or expertise.
We've built on existing, well-tested cryptographic methods rather than creating new ones. Our goal is to provide a helpful resource that can be freely implemented in any programming language or environment.
Encryption Modes
IPCrypt defines three concrete instantiations to meet different privacy and operational requirements:
ipcrypt-deterministic
Deterministic encryption using AES-128 (applied as a single-block operation).
Preserves format but reveals repeated inputs.
ipcrypt-nd
Non-deterministic encryption using the KIASU-BC tweakable block cipher with an 8-byte tweak.
Produces a 24-byte output using an 8-byte tweak.
ipcrypt-ndx
Non-deterministic encryption using the AES-XTS tweakable block cipher with a 16-byte tweak.
Produces a 32-byte output using a 16-byte tweak.
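An added example, not part of the original page or the IPCrypt project's code: a Node.js sketch of ipcrypt-deterministic showing that the output is still a valid IP address and that repeated inputs produce repeated outputs. The function names, the demo key, and the handling of IPv4 as IPv4-mapped IPv6 (::ffff:a.b.c.d) are assumptions; this page does not spell out the address-to-block conversion.

```javascript
// Added example (not the project's code): ipcrypt-deterministic sketch.
const crypto = require('node:crypto');
const net = require('node:net');

// Constructed demo key (the FIPS-197 example key). Never use it for real data.
const DEMO_KEY = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');

// Assumption: every address is a 16-byte value, IPv4 as ::ffff:a.b.c.d.
function ipToBytes(ip) {
  if (net.isIPv4(ip)) {
    const v4 = ip.split('.').map(Number);
    return Buffer.from([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, ...v4]);
  }
  // Zone ids and dotted-quad IPv6 forms are out of scope for this sketch.
  if (!net.isIPv6(ip) || /[.%]/.test(ip)) throw new Error('unsupported address: ' + ip);
  const [head, tail] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const zeros = ip.includes('::') ? Array(8 - h.length - t.length).fill('0') : [];
  const buf = Buffer.alloc(16);
  [...h, ...zeros, ...t].forEach((g, i) => buf.writeUInt16BE(parseInt(g, 16), i * 2));
  return buf;
}

// Render 16 bytes as an address: IPv4 if IPv4-mapped, else uncompressed IPv6.
function bytesToIp(buf) {
  const mapped = buf.subarray(0, 10).every((b) => b === 0) && buf[10] === 0xff && buf[11] === 0xff;
  if (mapped) return [...buf.subarray(12)].join('.');
  const groups = [];
  for (let i = 0; i < 16; i += 2) groups.push(buf.readUInt16BE(i).toString(16));
  return groups.join(':');
}

// One raw AES-128 block operation: no padding, no IV, no chaining.
function aesBlock(key, block, decrypt) {
  if (key.length !== 16) throw new Error('key must be 16 bytes');
  const make = decrypt ? crypto.createDecipheriv : crypto.createCipheriv;
  const c = make('aes-128-ecb', key, null);
  c.setAutoPadding(false);
  return Buffer.concat([c.update(block), c.final()]);
}

const encryptIp = (key, ip) => bytesToIp(aesBlock(key, ipToBytes(ip), false));
const decryptIp = (key, ip) => bytesToIp(aesBlock(key, ipToBytes(ip), true));

// Same key and input always give the same output, so repeats stay linkable.
const once = encryptIp(DEMO_KEY, '192.0.2.1');
console.log(once, once === encryptIp(DEMO_KEY, '192.0.2.1'), decryptIp(DEMO_KEY, once));
```

Because the output is linkable across records, this mode suits counting and rate limiting; the non-deterministic modes trade the IP-shaped output for unlinkability.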
Community Implementations
Freely Available in Several Programming Languages
IPCrypt has been implemented in Python, C, Rust, JavaScript, Go, Zig, PHP, D, and more, making it accessible to developers across different platforms.
Each implementation is open source and follows the same specification, allowing developers to choose the language that best fits their project.
Interactive Playground
Try IPCrypt in Your Browser
Experience IPCrypt directly in your browser with our interactive playground. Encrypt and decrypt IP addresses using different modes, generate random keys and tweaks, and see the results instantly.
The playground uses the JavaScript implementation of IPCrypt, allowing you to test all three encryption modes with both IPv4 and IPv6 addresses.
Join the Community
Interested in using or contributing to IPCrypt? Explore our resources, try the interactive playground, or check out the open source implementations. All are freely available for anyone to use.