Stop Sending Raw PII to Your LLM

Dillon Roller — Tue, 17 Mar 2026 00:23:14 +0000

Every time you send a support ticket, log file, or user message to an LLM API, you're potentially leaking emails, phone numbers, credit card numbers, API keys, and more to a third party. Most developers know this is a problem. Most do nothing about it because building a sanitization layer from scratch is annoying.

I built Airlock to solve this.

What it does

Airlock runs locally before your LLM call. It:

Redacts PII — emails, phone numbers, SSNs, credit cards, API keys, JWTs, env secrets, names, and locations
Preserves context — replaces values with consistent pseudonyms (john@example.com → user_a1b2@redacted.local), so the same value always maps to the same alias within a session and your LLM response still makes sense
Compresses tokens — strips redundant whitespace, repeated keys, and boilerplate. Typical JSON payloads see 30–60% token reduction
Keeps an audit ledger — every redaction is logged to a local SQLite database for compliance

No network calls. Nothing leaves your machine.

Install

Python:

pip install airlock-rs

Rust CLI:

cargo install airlock-rs

Usage

import airlock

data = {
    "user": "john@example.com",
    "message": "My SSN is 123-45-6789 and my API key is sk-abc123xyz"
}

result = airlock.scrub(data)
print(result.scrubbed)
# {"user": "user_a1b2@redacted.local", "message": "My SSN is [SSN] and my API key is [API_KEY]"}

print(f"Tokens saved: {result.tokens_saved}")

Why this matters

LLM APIs are external services. Even if you trust the provider, you may be subject to GDPR, HIPAA, SOC 2, or other compliance requirements that prohibit sending personal data to third parties without explicit consent.

Airlock gives you a local firewall you can drop in before any API call — OpenAI, Anthropic, local models, whatever.

CLI usage

echo '{"email": "jane@example.com", "note": "call her back"}' | airlock scrub

airlock scrub --input data.json --output scrubbed.json

Open source

Airlock is open source under Apache 2.0. The core is written in Rust for performance and ships as a zero-dependency binary. The Python bindings are built with PyO3.

GitHub: https://github.com/OxideOps/airlock
PyPI: https://pypi.org/project/airlock-rs
crates.io: https://crates.io/crates/airlock-rs

Would love feedback — especially on the token compression side, since that's the part that varies the most by use case.