PrivaceraCloud Documentation

Privacera Encryption core ideas and terminology

Privacera Encryption enhances the data security provided by Privacera Access Management and Privacera Discovery.

You can encrypt tables, columns, rows, fields, or other data in connected systems. Even if the data are accessible by policies created in Privacera Access Management, the encrypted data cannot be seen.

Encryption can be two-way: you can encrypt the data in place and decrypt it later. Or it can be one-way: with hashing or overwriting with string literals, you can replace the original data to make it invisible and unrecoverable.

You can also completely mask data with a one-way transform.

For a view of the following essential terms in action, see Graphical view of encryption processes

Privacera Encryption relies on schemes:

  • A scheme is a combination of formats, algorithms, and scopes.

    All schemes rely on the same set of Encryption formats, algorithms, and scopes.

    • An input data format defines the data type and structure to be encrypted, such as alphanumeric, credit card, email address, or social security number.

    • An encryption algorithm specifies the mathematics used to encrypt, such as AES, FPE, or SHA.

    • A scope defines the extent of the encryption on the data, such as the first four digits, an IP domain, or all data. Scoping ALL is recommended.

  • A scheme policy defines access control: users who have permission to access a scheme.

For example, you might rely on a Privacera-supplied encryption scheme to protect a PII field called "EMAIL". The scheme:

  • Uses EMAIL format.

  • Applies the SHA-256 algorithm for a one-way hash.

  • Is scoped with "masked domain" to hide the portion of the email to the right of the @ sign.

You can also define your own custom encryption, presentation, and masking schemes.

Graphical view of encryption processes

This conceptual graphic with annotation shows the general process of Privacera Encryption. This same process is also illustrated in Encryption architecture and UDF flow.

Image 126501
  1. An endpoint is called to encrypt raw data.

    1. The scheme policy protecting access to encryption functions is checked.

    2. The encryption scheme encrypts the data according to its associated format, algorithm, and scope.

  2. The data is encrypted.

  3. An endpoint is called to decrypt the encrypted data.

    1. The scheme policy protecting access to encryption functions is checked.

    2. The same encryption scheme that encrypted the data is used to decrypt according to the encryption scheme's format, algorithm, and scope.

    3. The presentation scheme obfuscates the decrypted data for presentation to the user.

Encryption architecture and UDF flow

The following diagram shows the PEG architecture for viewing a record. For a description of the keys in this architecture, see Hierarchy and Types of Encryption Keys.

  1. A user queries sensitive data.

  2. Privacera Access Management verifies the user access privileges to the data and the key (encryption scheme) used to decrypt the data.

  3. If the user has access privileges to both the data and key, Privacera encryption requests the Data Encryption Key (DEK) for the encryption scheme.

  4. The Privacera Encryption Gateway (PEG) sends the Encrypted Data Encryption Key (EDEK) from the scheme to Ranger KMS to decrypt the DEK.

  5. Ranger KMS authenticates the caller (the encryption module) and uses the KEK to decrypt EDEK and obtain the DEK.

  6. The PEG obtains the DEK and decrypts the data.

  7. The PEG returns the data to user.

Hierarchy and Types of Encryption Keys
Hierarchy and types of encryption keys

To prevent compromise of encryption keys, key management is critical for encryption of data-at-rest and data-in-transit. The encryption keys must be secured by externalizing them into a separate Key Management System (KMS). Apache Ranger KMS is the key storage system to manage keys across Privacera services. Keys are stored in an encrypted format in the Apache Ranger KMS database.

The key hierarchy includes the following types of keys.

img src"assets/key_hierarchy.png" style"width:100%;height:auto" /
Master Key

The Master Key encrypts the KEKs in Apache Ranger KMS.

The Master Key is stored separately outside of the KMS database or externally on a hardware security module (HSM).

Key Encryption Key (KEK)

A KEK encrypts the Data Encryption Key (DEK).

KEKs are encrypted with the Master Key.

The KEKs are stored and managed in Apache Ranger KMS. Apache Ranger KMS manages the KEK keys to either encrypt DEKs to create Encrypted Data Encryption Keys (EDEKs) or to decrypt EDEKs.

  • If a KEK is deleted, any associated encrypted data cannot be decrypted.

Data Encryption Key (DEK)

The Data Encryption Key (DEK) is the key that encrypts and decrypts the data.

Each encryption scheme created in the Privacera Portal is mapped to a unique DEK. The user must have key access privileges by way of a scheme policy to encrypt or decrypt data with the DEK.

The DEK is stored in an encrypted format as an Encrypted Data Encryption Key (EDEK). The key used to encrypt the DEK is managed by Apache Ranger KMS.

Encrypted Data Encryption Key (EDEK)

The EDEK is the encrypted DEK and is encrypted with a KEK. A KEK is required to decrypt an EDEK. EDEKs are stored and managed by Privacera.

Key Security

For maximum security, Privacera Encryption relies on different types of encryption keys. For a description of keys, see Hierarchy and Types of Encryption Keys.