Docs · Audit security

From masking to decryption

Understand the local audit chain, ENC2 format and browser-based decryption flow.

From masking to the audit log

When TigerMole detects a secret, it replaces it before forwarding the request to Anthropic and records the decision locally. An entry includes metadata such as ts_ms, rule_id, gdpr_category, confidence, field_path, prev_hash and sig.

The chain links every entry to the previous one. Team plans use ED25519 to detect later tampering.

What an ENC2 line is

With an imported audit key, an entry may include the original value encrypted as ENC2:. The explanatory format contains an ephemeral key, a nonce and authenticated ciphertext:

ENC2:<ephemeral_pub[32]>:<nonce[12]>:<ciphertext+tag>

Value capture is only included in ENC2 lines and is never sent to TigerMole.

Decrypting in the browser

Open the decryptor, load your X25519 private key and select the .jsonl files. Everything happens in the tab and requires no network connection.

The result distinguishes decrypted lines, non-ENC2 lines and lines with an incorrect or corrupt key.

Legacy ENC: lines may depend on DPAPI and can only be decrypted on the originating machine.

Verifying integrity

To validate the installation and local chain:

tigermole-proxy verify
tigermole-proxy doctor

Keep the public key and retention policy with the operational runbook. The private key is required for decryption and must never be stored beside the logs.

Manage audit keysHeadless Linux

Your privacy, your choice

We use essential cookies to keep the site working, and — only with your consent — analytics and advertising cookies. Read our Privacy Policy.