Skip to main content

PrivaceraCloud Documentation

Overview of Privacera Encryption


Privacera Encryption enhances the data security provided by Privacera Access Management and Privacera Discovery.

You can encrypt tables, columns, rows, fields, or other data in connected systems. Even if the data are accessible by policies created in Privacera Access Management, the encrypted data cannot be seen.

Encryption can be two-way: you can encrypt the data in place and decrypt it later. Or it can be one-way: with hashing or overwriting with string literals. You can replace the original data to make it invisible and unrecoverable.

You can also completely mask data with a one-way transform.

For a graphical overview of the encryption process, see View of encryption processes.

About schemes

Privacera Encryption relies on schemes. A scheme is a combination of formats, algorithms, and scopes. There are three types of schemes:

All schemes rely on the same set of encryption formats, algorithms, and scopes:Privacera-supplied schemes

  • Format: defines the data type and structure to be encrypted, such as alphanumeric, credit card, email address, or social security number.

  • Algorithm: specifies the mathematics used to encrypt, such as AES, FPE, or SHA.

  • Scope: defines the extent of the data encryption, such as the first four digits, an IP domain, or all data. Scoping ALL is recommended.

A scheme policy defines access control: users who have permission to access a scheme.

For example, you might rely on a Privacera-supplied encryption scheme to protect a PII field called "EMAIL" with the following properties:

  • Uses EMAIL format

  • Applies the SHA-256 algorithm for a one-way hash

  • Is scoped with "masked domain" to hide the portion of the email to the right of the @ sign

You can also define your own custom encryption, presentation, and masking schemes.