
PrivaceraCloud Documentation

Privacera Encryption UDFs for Trino


This section describes how to install and configure the Privacera jar in Trino in order to use the Privacera-supplied Encryption UDFs to encrypt and decrypt data in Trino.

These encryption UDFs are defined in the Privacera Crypto jar. You don't have to define them.

Note

The protect and unprotect UDFs work properly with privacera_starburstenterprise but not with privacera_hive. Starburst has three possible configurations (Hive, System, and Hive + System), of which only the System-level configuration has been verified.

Syntax of Privacera Encryption UDFs for Trino

The Privacera Crypto jar includes the following UDFs:

Encrypt: With the quoted '<encryption_scheme_name>', the protect UDF encrypts all values of <column_name> in <table_name>:

select protect(<column_name>, '<encryption_scheme_name>') from <table_name>;

Decrypt: With the quoted '<encryption_scheme_name>', the unprotect UDF decrypts all values of <column_name> in <table_name>:

select unprotect(<column_name>, '<encryption_scheme_name>') from <table_name>;

Decrypt with obfuscation: With the quoted '<encryption_scheme_name>', the unprotect UDF decrypts all values of <column_name> in <table_name>, further obfuscates the decrypted data via the quoted '<presentation_scheme_name>', and returns the decrypted, obfuscated data in the output column <optional_column_name_for_obfuscated_data>:

select unprotect(<column_name>, '<encryption_scheme_name>', '<presentation_scheme_name>') <optional_column_name_for_obfuscated_data> from <table_name>;

For example usage, see Example Queries to Verify Privacera-supplied UDFs.

Prerequisites for installing Privacera Crypto plug-in for Trino

The following must already be in place:

  • A fully functional installation of Trino. In these examples, the location of the installed Trino software is shown as <absolute_path_to_trino_home_directory>.

  • The users who will use the UDFs have sufficient access to the pertinent tables.

Variable values to obtain from Privacera

The values for these variables are used in installing the Privacera Crypto jar and referenced in these procedures:

  1. Contact your Privacera account representative or Privacera Support to obtain the value of the following variable, which is the location of the Privacera Crypto jar file for downloading:

    PRIVACERA_BASE_DOWNLOAD_URL

  2. Obtain the values of the variables that go into the Trino etc/crypto.properties file (see Set variables in Trino etc/crypto.properties):

    1. For the value <PrivaceraCloud_Encryption_URL> set in the privacera.peg.base.url property, in PrivaceraCloud:

      1. Go to Settings > API Key.

      2. In the PEG section, click the "i" button (for API Key Info).

      3. Click COPY URL.

      4. Save this value.

    2. For the value <PrivaceraCloud_Encryption_Username> set in the privacera.peg.username property and the value <PrivaceraCloud_Encryption_Password> set in the privacera.peg.password property, in PrivaceraCloud:

      1. Go to Settings > Account.

      2. In the PRIVACERA ENCRYPTION section, click Edit.

      3. In the displayed Privacera Encryption Configuration popup window, copy the values of Username and Password.

      4. Save these values.

Determine required paths to crypto jar and crypto.properties

Encryption for Trino relies on the Privacera-supplied crypto jar and crypto.properties file.

The paths where the crypto jar and crypto.properties files must be installed in your Trino system depend on whether you have deployed Trino in a container (such as Docker) or not.

These different paths are detailed in the procedures that follow.

Download Privacera Crypto Jar

Using the value of <PRIVACERA_BASE_DOWNLOAD_URL>, which you obtained from Privacera, run the following commands to download the Privacera Encryption jar:

export PRIVACERA_BASE_DOWNLOAD_URL=<PRIVACERA_BASE_DOWNLOAD_URL>
wget "${PRIVACERA_BASE_DOWNLOAD_URL}/privacera-crypto-jar-with-dependencies.jar" -O privacera-crypto-jar-with-dependencies.jar

Copy privacera-crypto-jar-with-dependencies.jar to one of the following locations:

  • For non-container deployment: <absolute_path_to_trino_home_directory>/plugin/privacera/privacera-crypto-jar-with-dependencies.jar.

  • For container deployment: /data/starburst/plugin/privacera/privacera-crypto-jar-with-dependencies.jar.

Set variables in Trino etc/crypto.properties

Create a file in Trino called etc/crypto.properties in one of the following locations:

  • For non-container deployment: <absolute_path_to_trino_home_directory>/etc/crypto.properties.

  • For container deployment: /data/starburst/etc/crypto.properties.

Add the following to it, using the variable values you copied in Variable values to obtain from Privacera:

privacera.crypto.native.threadpool.size=100
privacera.peg.base.url=<PrivaceraCloud_Encryption_URL>
privacera.peg.username=<PrivaceraCloud_Encryption_Username>
privacera.peg.password=<PrivaceraCloud_Encryption_Password>
privacera.crypto.session.cache.size=1000
privacera.deployment.mode.saas=true
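
Because this file stores the PEG username and password in cleartext, it is worth auditing before Trino is restarted. The shell helper below is an added example, not Privacera-supplied code: check_crypto_properties and prop_value are hypothetical names, and requiring an https:// value for privacera.peg.base.url is an assumption. It checks that the file is not accessible to group or other users, that all six properties are set, and that no <placeholder> was left in place.

```shell
#!/bin/sh
# Added example: audit a Trino etc/crypto.properties file before restarting Trino.
# check_crypto_properties and prop_value are hypothetical helper names.
REQUIRED_KEYS="privacera.crypto.native.threadpool.size privacera.peg.base.url
privacera.peg.username privacera.peg.password
privacera.crypto.session.cache.size privacera.deployment.mode.saas"

# Print the last value assigned to key $2 in properties file $1 (empty if absent).
prop_value() {
    awk -F= -v k="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
        END { print v }' "$1"
}

# Return 0 if the file passes every check, 1 on any finding, 2 if it is missing.
# Values are never printed, so the password does not end up in logs.
check_crypto_properties() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "FAIL $file does not exist"; return 2; }

    # Characters 5-10 of the ls mode string are the group and other permission bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "FAIL group/other can access $file"; rc=1; }

    for key in $REQUIRED_KEYS; do
        val=$(prop_value "$file" "$key")
        case $val in
            "")          echo "FAIL $key is missing or empty"; rc=1 ;;
            *"<"*|*">"*) echo "FAIL $key still holds a <placeholder>"; rc=1 ;;
        esac
    done

    # Assumption: the PEG endpoint is HTTPS, since credentials are sent to it.
    case $(prop_value "$file" privacera.peg.base.url) in
        https://*) ;;
        *) echo "FAIL privacera.peg.base.url is not an https:// URL"; rc=1 ;;
    esac
    return $rc
}

# When run with a path argument, audit that file.
[ $# -eq 0 ] || check_crypto_properties "$1"
```

If the file fails the permission check, restrict it to the account that runs Trino (for example with chmod 600) and run the audit again.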
            

Restart Trino to register the Privacera Crypto UDFs for Trino

# Go to Trino bin directory
cd <absolute_path_to_trino_home_directory>/bin
# Restart Trino
./launcher restart

Example queries to verify Privacera-supplied UDFs

See the syntax detailed in Syntax of Privacera Encryption UDFs for Trino.

Encrypt: The following example query with the protect UDF encrypts the cleartext CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme:

select protect(CUSTOMER_EMAIL, 'EMAIL') from CUSTOMERS;

Decrypt: The following example query with the unprotect UDF decrypts the encrypted CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme:

select unprotect(CUSTOMER_EMAIL, 'EMAIL') from CUSTOMERS;

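Decrypt with obfuscation: The following example query with the unprotect UDF decrypts the encrypted CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme, obfuscates the decrypted data via the quoted 'PRESENTATION_EMAIL' presentation scheme, and returns the result in the OPTIONAL_OUTPUT_COLUMN_FOR_OBFUSCATED_DATA output column:

select unprotect(CUSTOMER_EMAIL, 'EMAIL', 'PRESENTATION_EMAIL') OPTIONAL_OUTPUT_COLUMN_FOR_OBFUSCATED_DATA from CUSTOMERS;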