
Privacera Documentation

Privacera Encryption UDFs for Trino on PrivaceraCloud

This section describes how to install and configure the Privacera jar in Trino in order to use the Privacera-supplied Encryption UDFs to encrypt and decrypt data in Trino.

These encryption UDFs are defined in the Privacera Crypto jar. You don't have to define them.

Note

The protect and unprotect UDFs work properly with privacera_starburstenterprise but not with privacera_hive. Starburst has three possible configurations (Hive, System, and Hive + System), of which only the System-level configuration has been verified.

Syntax of Privacera Encryption UDFs for Trino

The Privacera Crypto jar includes the following encryption-related UDFs. The Privacera Crypto jar also includes a mask UDF. See Privacera Encryption UDF for masking in Trino on PrivaceraCloud.

Encrypt: With the quoted '<encryption_scheme_name>', the protect UDF encrypts all values of <column_name> in <table_name>:

select protect(<column_name>, '<encryption_scheme_name>') from <table_name>;

Decrypt: With the quoted '<encryption_scheme_name>', the unprotect UDF decrypts all values of <column_name> in <table_name>:

select unprotect(<column_name>, '<encryption_scheme_name>') from <table_name>;

Decrypt with obfuscation: With the quoted '<encryption_scheme_name>', the unprotect UDF decrypts all values of <column_name>, further obfuscates the decrypted data via <presentation_scheme_name>, and writes the decrypted, obfuscated data to <optional_column_name_for_obfuscated_data> in <table_name>:

select unprotect(<column_name>, '<encryption_scheme_name>', '<presentation_scheme_name>') <optional_column_name_for_obfuscated_data> from <table_name>;

For example usage, see Example Queries to Verify Privacera-supplied UDFs.

Prerequisites for installing Privacera Crypto plug-in for Trino

The following should already be ready:

  • A fully functional installation of Trino. In these examples, the location of the installed Trino software is shown as <absolute_path_to_trino_home_directory>.

  • The users who will use the UDFs have sufficient access to the pertinent tables.

Download and install Privacera Crypto jar

To install the Privacera Crypto jar file in Trino:

  1. In your PrivaceraCloud account, go to Settings > API Key.

  2. Under the PEG heading, for PEG Crypto Starburst Trino Jar, click DOWNLOAD JAR.

    Alternatively, click COPY URL, and use that URL with wget on the command line of your Trino instance.

  3. Save the jar file.

  4. Copy the jar file to your Trino instance plugins/privcera directory, which you should create if it does not already exist.

Set variables in Trino etc/crypto.properties

Create a file in Trino called etc/crypto.properties in one of the following locations:

  • For non-container deployment: <absolute_path_to_trino_home_directory>/etc/crypto.properties.

  • For container deployment: /data/starburst/etc/crypto.properties.

Add the following properties to the file, where:

  • <PrivaceraCloud_Encryption_URL> is obtained by clicking the COPY URL link in Settings > API Key.

  • <PrivaceraCloud_Encryption_Username> and <PrivaceraCloud_Encryption_Password> are obtained from Settings > Account. Under the PRIVACERA ENCRYPTION heading, click Edit to display the Privacera Encryption Configuration popup window with the username and password.

privacera.crypto.native.threadpool.size=100
privacera.crypto.shared.secret=secret
privacera.crypto.session.cache.size=1000
privacera.deployment.mode.saas=true
privacera.peg.base.url=<PrivaceraCloud_Encryption_URL>
privacera.peg.username=<PrivaceraCloud_Encryption_Username>
privacera.peg.password=<PrivaceraCloud_Encryption_Password>
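The following pre-restart check is an added example, not part of the Privacera documentation or product. It confirms that every property listed above is set, that no <placeholder> value was left unreplaced, and that the file is readable only by its owner. The helper name check_crypto_properties and the owner-only permission rule are assumptions of this example (the file holds the PEG password, and Trino is assumed to run as the file's owner).

```shell
#!/bin/sh
# Added example, not Privacera code: check etc/crypto.properties before restarting Trino.
# check_crypto_properties is a hypothetical helper name. The permission rule is an
# assumption of this example (the file holds the PEG password), not a documented requirement.
REQUIRED_KEYS="privacera.crypto.native.threadpool.size
privacera.crypto.shared.secret
privacera.crypto.session.cache.size
privacera.deployment.mode.saas
privacera.peg.base.url
privacera.peg.username
privacera.peg.password"

# Prints each problem to stderr; returns 0 when the file passes, non-zero otherwise.
check_crypto_properties() {
    file=$1
    problems=0
    if [ ! -f "$file" ]; then
        echo "not found: $file" >&2
        return 1
    fi
    # Every property listed on the page must be present with a non-empty value.
    for key in $REQUIRED_KEYS; do
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # match dots literally
        if ! grep -Eq "^${pat}=.+" "$file"; then
            echo "missing or empty: $key" >&2
            problems=$((problems + 1))
        fi
    done
    # A value still written as <Some_Name> is a documentation placeholder left unfilled.
    if grep -Eq '^[^#=]+=<[^>]*>[[:space:]]*$' "$file"; then
        echo "unreplaced <placeholder> value in $file" >&2
        problems=$((problems + 1))
    fi
    # Characters 5-10 of the ls mode string are the group and other permission bits.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "readable beyond owner, consider chmod 600: $file" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: sh check_crypto.sh <path-to>/etc/crypto.properties
if [ "$#" -gt 0 ]; then
    check_crypto_properties "$1"
fi
```
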

Restart Trino to register the Privacera encryption and masking UDFs for Trino

# Go to Trino bin directory
cd <absolute_path_to_trino_home_directory>/bin
# Restart Trino
./launcher restart

Example queries to verify Privacera-supplied UDFs

See the syntax detailed in Syntax of Privacera Encryption UDFs for Trino.

Encrypt: The following example query with the protect UDF encrypts the cleartext CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme:

select protect(CUSTOMER_EMAIL, 'EMAIL') from CUSTOMERS;

Decrypt: The following example query with the unprotect UDF decrypts the encrypted CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme:

select unprotect(CUSTOMER_EMAIL, 'EMAIL') from CUSTOMERS;

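Decrypt with obfuscation: The following example query with the unprotect UDF decrypts the encrypted CUSTOMER_EMAIL column of the CUSTOMERS table using the quoted 'EMAIL' encryption scheme, further obfuscates the decrypted data via the PRESENTATION_EMAIL presentation scheme, and writes the result to the OPTIONAL_OUTPUT_COLUMN_FOR_OBFUSCATED_DATA column: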

select unprotect(CUSTOMER_EMAIL, 'EMAIL', 'PRESENTATION_EMAIL') OPTIONAL_OUTPUT_COLUMN_FOR_OBFUSCATED_DATA from CUSTOMERS;