
Basic Concepts in Encryption

Privacera Encryption enhances the data security provided by Privacera Access Manager and Privacera Discovery.

You can encrypt tables, columns, rows, fields, or data in connected systems. Even if a policy created in Privacera Access Manager grants access to the data, the encrypted values cannot be read. Encryption can be two-way, where you encrypt the data in place and decrypt it later, or one-way, where hashing or overwriting with string literals completely obscures the data such that it cannot be discovered.


Privacera Encryption relies on schemes:

  • A scheme policy defines who can use Privacera encryption and decryption.

  • A scheme is a combination of formats, algorithms, and scopes. There are two types of schemes:

    • Encryption schemes encrypt or decrypt the data.
    • Presentation schemes obfuscate decrypted data to a form suitable for displaying to authorized users.

    Both types of schemes rely on the same set of formats, algorithms, and scopes.

  • A format defines the data type and structure to be encrypted, such as alphanumeric, credit card, email address, or social security number.

  • An encryption algorithm specifies the mathematics used to encrypt, such as AES, FPE, or SHA.

  • A scope defines the extent of the encryption on the data, such as the first four digits, a regex, an IP domain, or all data. Scoping ALL is recommended.

Privacera comes with a large selection of pre-defined encryption schemes based on formats, algorithms, and scopes for common data elements and desired security.

For example, you might have a PII field called "EMAIL". You can take advantage of a Privacera pre-defined scheme that:

  • Uses alphanumeric format.
  • Applies the SHA-256 algorithm for a one-way hash.
  • Is scoped with a regular expression to encrypt the characters after the email address's @ sign.

You can also define your own custom encryption and presentation schemes.

Conceptual Process of Privacera Encryption

The conceptual graphic below shows the general process of Privacera Encryption.

<img src="../assets/encryption_simplified.png"/>

  1. A request is made to encrypt raw data.
    1. The scheme policy protecting access to encryption functions is checked.
    2. The encryption scheme encrypts the data according to its associated format, algorithm, and scope.
  2. The data is encrypted.
  3. A request is made to decrypt the encrypted data.
    1. The scheme policy protecting access to encryption functions is checked.
    2. The same encryption scheme that encrypted the data is used to decrypt it according to the encryption scheme's format, algorithm, and scope.
    3. The presentation scheme obfuscates the decrypted data for presentation to the user.
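The scheme model above (format, algorithm, scope, gated by a scheme policy) and the policy-check-then-transform steps of the process, worked as a small added model in Python. This is illustrative code written for this page, not Privacera's implementation or API; the pattern names, the policy tuples, and the masking rule are assumptions.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable

# Constructed model of a scheme: a format the value must match, an algorithm
# that transforms text, and a scope that selects which part is transformed.

def sha256_hex(text: str) -> str:
    """One-way hash: the original text cannot be recovered from the digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def mask_all_but_edges(text: str) -> str:
    """Presentation transform: keep the first and last character, star the rest."""
    if len(text) <= 2:
        return "*" * len(text)
    return text[0] + "*" * (len(text) - 2) + text[-1]

@dataclass(frozen=True)
class Scheme:
    name: str
    fmt: re.Pattern                    # format: value must fully match before the scheme applies
    algorithm: Callable[[str], str]    # algorithm: how the scoped part is transformed
    scope: re.Pattern                  # scope: only the first match is transformed

    def apply(self, value: str) -> str:
        if not self.fmt.fullmatch(value):
            raise ValueError(f"{self.name}: value does not match format")
        return self.scope.sub(lambda m: self.algorithm(m.group(0)), value, count=1)

# Assumed formats and scopes, simplified for the example.
ALPHANUMERIC = re.compile(r"[A-Za-z0-9@._+-]+")
AFTER_AT_SIGN = re.compile(r"(?<=@).+")   # the characters after the email's @ sign
BEFORE_AT_SIGN = re.compile(r"^[^@]+")    # the local part of the email
ALL = re.compile(r".+")                    # scope ALL: the whole value

# The EMAIL example from the text: alphanumeric format, SHA-256, scoped after the @.
EMAIL_HASH = Scheme("EMAIL_DOMAIN_SHA256", ALPHANUMERIC, sha256_hex, AFTER_AT_SIGN)
# A presentation scheme that obfuscates the local part before display.
EMAIL_PRESENT = Scheme("EMAIL_MASK_LOCAL", ALPHANUMERIC, mask_all_but_edges, BEFORE_AT_SIGN)

# Scheme policy (assumed): (user, scheme name, operation) tuples that are allowed.
SCHEME_POLICY = {("analyst", "EMAIL_DOMAIN_SHA256", "protect"),
                 ("analyst", "EMAIL_MASK_LOCAL", "present")}

def apply_with_policy(user: str, scheme: Scheme, operation: str, value: str) -> str:
    """Check the scheme policy first, then run the scheme, as in the process steps."""
    if (user, scheme.name, operation) not in SCHEME_POLICY:
        raise PermissionError(f"{user} may not {operation} with {scheme.name}")
    return scheme.apply(value)
```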

Key Security

For maximum security, Privacera Encryption relies on different types of encryption keys, including a master key and the keys derived from it. By default, keys are stored in Privacera's Ranger Key Management System (KMS); the exception is the master key, which is stored outside the KMS or on a hardware storage module. Keys can also be stored in Azure Key Vault.

Encryption User Interface and REST API

In addition to encryption in the Privacera Portal, the Privacera Encryption Gateway (PEG) is a REST API service that authenticates users and lets authorized users /protect (encrypt) or /unprotect (decrypt) data.

Planning for Privacera Encryption

This is a general approach to working with Privacera Encryption.

Install and Enable Privacera Encryption

Privacera Encryption, including the Privacera Encryption Gateway (PEG), is enabled in Privacera Manager.

Follow the instructions in the links below to install and enable the Privacera Manager components for encryption.