Privacera Documentation

Encryption keys

Key management is a critical part of preventing the compromise of your encryption keys for both data-at-rest and data-in-transit. Encryption keys must be secured by storing them in a separate Key Management System (KMS). Privacera uses Apache Ranger KMS, where keys are stored in an encrypted format.

Privacera Encryption uses the following types of encryption keys:

Figure: Types of encryption keys. The Master Key encrypts the Key Encryption Key, which encrypts the Data Encryption Key to produce the Encrypted Data Encryption Key.

Master Key

The Master Key encrypts the Key Encryption Keys (KEK).

The Master Key is stored outside of the KMS database, or externally on a hardware security module (HSM).

Key Encryption Key (KEK)

A KEK encrypts the Data Encryption Key (DEK). The Master Key encrypts KEKs.

KEKs are stored in Apache Ranger KMS. Apache Ranger KMS uses the KEKs to:

  • Encrypt DEKs to create Encrypted Data Encryption Keys (EDEKs)

  • Decrypt EDEKs

Manage Key Encryption Keys (KEKs) on Privacera Platform

If you delete a KEK, none of the data encrypted under that KEK can be decrypted any longer.

KEKs should be rolled over at regular intervals, such as every 12 months. You can increase the frequency depending on how extensively the KEK is used. For more information, see Rollover encryption keys on Privacera Platform.

Data Encryption Key (DEK)

The Data Encryption Key (DEK) encrypts and decrypts your data.

Each encryption scheme created in the Privacera Portal is mapped to a unique DEK. The user must have key access privileges by way of a scheme policy to encrypt or decrypt data with the DEK.

The DEK is stored in an encrypted format as an Encrypted Data Encryption Key (EDEK). The key used to encrypt the DEK is managed by Apache Ranger KMS.

Encrypted Data Encryption Key (EDEK)

The EDEK is the DEK encrypted with a KEK; that KEK is required to decrypt the EDEK. EDEKs are stored and managed by Privacera.