
Privacera Documentation


Get started with Encryption

Privacera Encryption enhances the data security provided by Privacera Access Management and Privacera Discovery.

You can encrypt tables, columns, rows, fields, or other data in connected systems. Even where a policy created in Privacera Access Management grants access to the data, a user who is not also authorized to use the encryption scheme sees only the encrypted values, not the plaintext.

Encryption can be two-way: you encrypt the data in place and decrypt it later with the same scheme. Or it can be one-way: the original value is replaced by a hash or by a literal string, so that it is unreadable and cannot be recovered.

A one-way transform is therefore the way to mask data completely.

The encryption process

The following graphic shows the general process of Privacera Encryption.

An endpoint is called to encrypt raw data, the data is encrypted, and then an endpoint is called to decrypt the encrypted data.

The Privacera encryption process is:

  1. An endpoint is called to encrypt raw data.

    1. The scheme policy protecting access to encryption functions is checked.

    2. The encryption scheme encrypts the data according to its associated format, algorithm, and scope.

  2. The data is encrypted.

  3. An endpoint is called to decrypt the encrypted data.

    1. The scheme policy protecting access to encryption functions is checked.

    2. The same encryption scheme that encrypted the data decrypts it, again according to that scheme's format, algorithm, and scope.

    3. The presentation scheme obfuscates the decrypted data for presentation to the user.

Encryption architecture and UDF flow

The following diagram shows the PEG architecture for viewing a record. For a description of the keys in this architecture, see Encryption keys.

  1. A user queries sensitive data.

  2. The Privacera Access Manager verifies that the user has access privileges to both the data and the key (that is, the encryption scheme) used to decrypt it.

  3. If both checks pass, Privacera Encryption requests the Data Encryption Key (DEK) for that encryption scheme.

  4. The Privacera Encryption Gateway (PEG) sends the Encrypted Data Encryption Key (EDEK) stored with the scheme to Ranger KMS to be decrypted.

  5. Ranger KMS authenticates the caller (the encryption module) and uses the Key Encryption Key (KEK) to decrypt the EDEK, which yields the DEK.

  6. The PEG receives the DEK and uses it to decrypt the data.

  7. The PEG returns the data to the user.
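The two numbered procedures above (the encrypt/decrypt endpoint flow with its scheme-policy checks and presentation step, and the PEG / Ranger KMS key flow for viewing a record) can be modelled end to end in one program. The Go code below is an added example written for this page, not Privacera's code or API: the kmsUnwrap function, the PEG type and its policy maps, the scheme name "ssn", the resource "customers.ssn", the users alice and bob, and the MaskLast4 presentation transform are all assumptions made for illustration. AES-256-GCM is used both to wrap the DEK under the KEK (producing the EDEK) and to encrypt the data; the KEK is reachable only inside the KMS closure, so the gateway never holds it.

```go
// Constructed model of the flow; kmsUnwrap and PEG are assumptions for this example, not Privacera's API.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only programming errors (bad key size, broken RNG) reach here
	}
	return v
}
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return aead(key).Seal(nonce, nonce, pt, nil)
}

// open reverses seal; a wrong key or tampered bytes fail the GCM tag check.
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead(key).Open(nil, ct[:12], ct[12:], nil)
}

// kmsUnwrap models Ranger KMS: authenticate the caller, then use the KEK to unwrap the EDEK.
func kmsUnwrap(kek []byte, caller string, edek []byte) ([]byte, error) {
	if caller != "peg" {
		return nil, fmt.Errorf("kms: caller %q not authenticated", caller)
	}
	return open(kek, edek)
}

// PEG checks both policies, gets the DEK through the KMS, and encrypts or decrypts. It never sees the KEK.
type PEG struct {
	kms       func(caller string, edek []byte) ([]byte, error)
	dataACL   map[string]map[string]bool     // user -> resource -> allowed
	schemeACL map[string]map[string]bool     // user -> scheme -> allowed (may use its key)
	edeks     map[string][]byte              // scheme -> EDEK; plaintext DEKs are never stored
	present   map[string]func(string) string // scheme -> presentation mask, if any
}

// dek does both policy checks, then asks the KMS to unwrap the EDEK (nil for an unknown scheme, which open rejects).
func (g *PEG) dek(user, resource, scheme string) ([]byte, error) {
	if !g.dataACL[user][resource] || !g.schemeACL[user][scheme] {
		return nil, fmt.Errorf("denied: %s on %s with scheme %s", user, resource, scheme)
	}
	return g.kms("peg", g.edeks[scheme])
}

func (g *PEG) Encrypt(user, resource, scheme, plaintext string) ([]byte, error) {
	dek, err := g.dek(user, resource, scheme)
	if err != nil {
		return nil, err
	}
	return seal(dek, []byte(plaintext)), nil
}

// Decrypt applies the scheme's presentation mask, if one is configured, before returning.
func (g *PEG) Decrypt(user, resource, scheme string, ct []byte) (string, error) {
	dek, err := g.dek(user, resource, scheme)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, ct)
	if mask := g.present[scheme]; err == nil && mask != nil {
		return mask(string(pt)), nil
	}
	return string(pt), err
}

// MaskLast4 is a one-way presentation transform: only the last four characters stay visible.
func MaskLast4(s string) string {
	if hidden := len(s) - 4; hidden > 0 {
		return strings.Repeat("*", hidden) + s[hidden:]
	}
	return s
}

// NewDemoPEG: scheme "ssn" with a fresh DEK wrapped under a fresh KEK; alice may read the column and use the key, bob may only read the column.
func NewDemoPEG() *PEG {
	kek, dek := make([]byte, 32), make([]byte, 32)
	must(rand.Read(kek))
	must(rand.Read(dek))
	return &PEG{
		kms:       func(caller string, edek []byte) ([]byte, error) { return kmsUnwrap(kek, caller, edek) },
		dataACL:   map[string]map[string]bool{"alice": {"customers.ssn": true}, "bob": {"customers.ssn": true}},
		schemeACL: map[string]map[string]bool{"alice": {"ssn": true}},
		edeks:     map[string][]byte{"ssn": seal(kek, dek)}, // only the EDEK is kept; dek itself is dropped here
		present:   map[string]func(string) string{"ssn": MaskLast4},
	}
}
```

With `peg := NewDemoPEG()`, `peg.Encrypt("alice", "customers.ssn", "ssn", "123-45-6789")` runs the scheme-policy check and encrypts under the unwrapped DEK; `peg.Decrypt` with the same arguments returns the masked value `*******6789`, because the presentation transform runs after decryption. bob, who may read the column but not use the scheme's key, is refused in the policy check before any key material is touched. A ciphertext whose tag has been altered, or the nil EDEK of an unknown scheme, fails inside open rather than yielding garbage, which is the behaviour to insist on when the decrypting side is a shared gateway.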