Privacera Encryption UDFs for Trino
This section describes how to install and configure the Privacera jar in Trino in order to use the Privacera-supplied Encryption UDFs to encrypt and decrypt data in Trino.
These encryption UDFs are defined in the Privacera Crypto jar. You don't have to define them.
Note
The protect and unprotect UDFs work properly with privacera_starburstenterprise but not with privacera_hive. Starburst has three possible configurations (Hive, System, and Hive + System), of which only the system-level has been verified.
Syntax of Privacera Encryption UDFs for Trino
The Privacera Crypto jar includes the following UDFs:
Encrypt: With the quoted '<encryption_scheme_name>', the protect UDF encrypts all values of <column_name> in <table_name>:
select protect(<column_name>, '<encryption_scheme_name>') from <table_name>;
Decrypt: With the quoted '<encryption_scheme_name>', the unprotect UDF decrypts all values of <column_name> in <table_name>:
select unprotect(<column_name>, '<encryption_scheme_name>') from <table_name>;
Decrypt with obfuscation: With the quoted '<encryption_scheme_name>', the unprotect UDF decrypts all values of <column_name>, further obfuscates the decrypted data via <presentation_scheme_name>, and writes the decrypted, obfuscated data to <optional_column_name_for_obfuscated_data> in <table_name>:
select unprotect(<column_name>, '<encryption_scheme_name>', '<presentation_scheme_name>') <optional_column_name_for_obfuscated_data> from <table_name>;
For example usage, see Example Queries to Verify Privacera-supplied UDFs.
Prerequisites for installing Privacera Crypto plug-in for Trino
The following should already be ready:
A fully functional installation of Trino. In these examples, the location of the installed Trino software is shown as <absolute_path_to_trino_home_directory>.
The users who will use the UDFs have sufficient access to the pertinent tables.
Variable values to obtain from Privacera
The values for these variables are used in installing the Privacera Crypto jar and referenced in these procedures:
Contact your Privacera account representative or Privacera Support to obtain the value of the following variable, which is the location of the Privacera Crypto jar file for downloading:
PRIVACERA_BASE_DOWNLOAD_URL
Variables to be set in Set variables in Trino etc/crypto.properties:
For the value <PrivaceraCloud_Encryption_URL> set in the privacera.peg.base.url property, in PrivaceraCloud:
Go to Settings > API Key.
In the PEG section, click the "i" button (for API Key Info).
Click COPY URL.
Save this value.
For the value <PrivaceraCloud_Encryption_Username> set in the privacera.peg.username property and the value <PrivaceraCloud_Encryption_Password> set in the privacera.peg.password property, in PrivaceraCloud:
Go to Settings > Account.
In the PRIVACERA ENCRYPTION section, click Edit.
In the displayed Privacera Encryption Configuration popup window, copy the values of Username and Password.
Save these values.
Determine required paths to crypto jar and crypto.properties
Encryption for Trino relies on the Privacera-supplied crypto jar and crypto.properties file.
The paths where the crypto jar and crypto.properties files must be installed in your Trino system depend on whether you have deployed Trino in a container (such as Docker) or not.
These different paths are detailed in the procedures that follow.
Download Privacera Crypto Jar
Using the value of <PRIVACERA_BASE_DOWNLOAD_URL>, which you obtained from Privacera, run the following commands to download the Privacera Encryption jar:
export PRIVACERA_BASE_DOWNLOAD_URL=<PRIVACERA_BASE_DOWNLOAD_URL>
wget "${PRIVACERA_BASE_DOWNLOAD_URL}/privacera-crypto-jar-with-dependencies.jar" -O privacera-crypto-jar-with-dependencies.jar
Copy privacera-crypto-jar-with-dependencies.jar to one of the following locations:
For non-container deployment: <absolute_path_to_trino_home_directory>/plugin/privacera/privacera-crypto-jar-with-dependencies.jar
For container deployment: /data/starburst/plugin/privacera/privacera-crypto-jar-with-dependencies.jar
Set variables in Trino etc/crypto.properties
Create a file in Trino called etc/crypto.properties in one of the following locations:
For non-container deployment: <absolute_path_to_trino_home_directory>/etc/crypto.properties
For container deployment: /data/starburst/etc/crypto.properties
Add the following to it, using the variable values you copied in Variable Values to Obtain from Privacera:
privacera.crypto.native.threadpool.size=100
privacera.peg.base.url=<PrivaceraCloud_Encryption_URL>
privacera.peg.username=<PrivaceraCloud_Encryption_Username>
privacera.peg.password=<PrivaceraCloud_Encryption_Password>
privacera.crypto.session.cache.size=1000
privacera.deployment.mode.saas=true
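Before restarting Trino, the file can be checked for missing keys, leftover placeholders, a non-TLS endpoint, and loose permissions, since it stores privacera.peg.password in cleartext. This is an added example, not Privacera-supplied code: the property names come from this page, while the checks and the function names prop_value and check_crypto_properties are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-restart check of Trino's etc/crypto.properties.
# Property names are from the page; the checks are assumptions about what a
# safely configured file looks like, not Privacera requirements.

REQUIRED_KEYS="privacera.crypto.native.threadpool.size privacera.peg.base.url
privacera.peg.username privacera.peg.password
privacera.crypto.session.cache.size privacera.deployment.mode.saas"

# Print the value of key $2 in file $1 (last assignment wins).
# Assumes plain key=value lines with no spaces around '=', as on the page.
prop_value() {
  awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                 END { print v }' "$1"
}

# Return 0 if the file passes every check; print findings and return 1 if not.
check_crypto_properties() {
  file=$1; rc=0
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

  for key in $REQUIRED_KEYS; do
    value=$(prop_value "$file" "$key")
    case $value in
      "")      echo "FAIL: $key is missing or empty"; rc=1 ;;
      *\<*\>*) echo "FAIL: $key still holds a <placeholder>"; rc=1 ;;
    esac
  done

  # The PEG username and password are sent to this URL, so require TLS.
  case $(prop_value "$file" privacera.peg.base.url) in
    https://*) ;;
    *) echo "FAIL: privacera.peg.base.url is not an https URL"; rc=1 ;;
  esac

  # Cleartext password inside: group and other must have no access at all.
  perms=$(ls -ld "$file" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "FAIL: group/other perms '$perms', use chmod 600"; rc=1; }

  return $rc
}

# Usage: ./check_crypto_properties.sh <path_to>/etc/crypto.properties
if [ -n "${1:-}" ]; then
  check_crypto_properties "$1" && echo "OK: $1"
fi
```

The file must remain readable by the account that runs Trino, so set its owner to that account before tightening the mode to 600.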
Restart Trino to register the Privacera Crypto UDFs for Trino
# Go to Trino bin directory
cd <absolute_path_to_trino_home_directory>/bin
# Restart Trino
./launcher restart
Example queries to verify Privacera-supplied UDFs
See the syntax detailed in Syntax of Privacera Encryption UDFs for Trino.
Encrypt: The following example query with the protect UDF encrypts the cleartext CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme:
select protect(CUSTOMER_EMAIL, 'EMAIL') from CUSTOMERS;
Decrypt: The following example query with the unprotect UDF decrypts the encrypted CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme:
select unprotect(CUSTOMER_EMAIL, 'EMAIL') from CUSTOMERS;
Decrypt with obfuscation: The following example query with the unprotect UDF decrypts the encrypted CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme, obfuscates the decrypted data via the PRESENTATION_EMAIL presentation scheme, and returns it as OPTIONAL_OUTPUT_COLUMN_FOR_OBFUSCATED_DATA:
select unprotect(CUSTOMER_EMAIL, 'EMAIL', 'PRESENTATION_EMAIL') OPTIONAL_OUTPUT_COLUMN_FOR_OBFUSCATED_DATA from CUSTOMERS;