The Encryption and Masking services are enabled when the Privacera Encryption Gateway (PEG) service is enabled. See Settings: Datasource: PEG to add and enable this service.
A general explanation of Privacera Encryption functions is in the Privacera Encryption Guide.
Encryption services are accessed in two ways:
- Via the PEG REST API, which provides on-the-fly encryption (protect) and decryption (unprotect). See PrivaceraCloud REST API for additional information on using the PEG API. PEG API requests are applied based on Encryption Schemes and Presentation Schemes, and are allowed or denied based on Scheme Policies.
  Scheme Policies permissions are required for Databricks UDFs and for unprotect REST API requests.
- Via the Privacera Crypto jar library integrated into a Databricks cluster and referenced using SQL User-Defined Functions (UDFs). See Databricks SQL Encryption for specific installation and configuration instructions.
Scheme Policies, managed in Access Manager: Scheme Policies, identify the users, groups, or roles who are allowed or denied access to specific Encryption and Presentation Schemes, and who are therefore allowed or denied the ability to encrypt or decrypt using that scheme.
A scheme is a combination of formats, algorithms, and scopes. There are two types of schemes:
- Encryption: schemes that transform data to or from an encrypted or hashed state.
- Presentation: a specification for a secondary transformation following decryption. Presentation schemes are used to hide or obfuscate unencrypted data for display or sharing.
Additional scheme information is available in the Privacera Encryption Guide. See Presentation Schemes.
The Schemes page provides the user interface for management of these schemes.
Encryption and presentation schemes are listed by row in ascending creation date. The fields displayed are:
- Scheme Type, Name, Description, Format Type, Encryption Api, and Algorithm.
Schemes can be added (click the + icon), deleted (trashcan), or edited (pen).
Scheme definitions can also be exported to JSON-formatted files and imported using the same format. During export, you can select All schemes or limit the selection to either Encryption or Presentation. (Selecting Encryption excludes Presentation and vice versa.)