
Privacera Encryption - Setup

Enabling Privacera Encryption Gateway (PEG)

To enable PEG, copy vars.peg.yml from sample-vars to custom-vars:

Bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.peg.yml config/custom-vars/

To configure PEG Shared Secret, update vars.peg.yml in custom-vars:

Bash
vi config/custom-vars/vars.peg.yml

Important

The PEG Shared Secret is a password used by the Privacera Encryption Gateway (PEG) to safely share encryption keys with trusted systems like Databricks or Streamsets. It ensures that only approved systems can access sensitive data for encryption or decryption.

By using this shared secret, PEG adds an extra layer of protection, helping to keep your data secure during transfer between services.

We recommend setting a strong password for peg-server:

Bash
PEG_V2_SHARED_SECRET: "<PLEASE_CHANGE>"

Master Key Storage

Critical

The Master Key, once set, CANNOT be changed. Choose your storage method and key carefully as this is a permanent configuration decision.

Important

  • To ensure secure storage of scheme keys in a database, it is essential to configure a Master Key Storage that determines the storage location of the master key.
  • This key is responsible for encrypting scheme keys before storing them and decrypting them when accessed for reading.
  • Only one type of storage can be configured at a time to maintain consistency and avoid conflicts.

To configure Master Key Storage, copy vars.peg-master-key-storage.yml from sample-vars to custom-vars:

Bash
cp config/sample-vars/vars.peg-master-key-storage.yml config/custom-vars/

vi config/custom-vars/vars.peg-master-key-storage.yml

Configure master key storage in the database by setting these properties:

Bash
SCHEME_SERVER_MASTER_KEY_STORAGE: "DB"

# Master Key password
#####################################################################
# DB Configuration
#####################################################################
SCHEME_SERVER_MASTER_KEY_PASSWORD: "<PLEASE_CHANGE>"
SCHEME_SERVER_SHARED_SECRET: "<PLEASE_CHANGE>"

Tip

To ensure maximum security, we recommend creating a strong password for the scheme-server.

Configure master key storage in Azure Key Vault by setting these properties:

Bash
SCHEME_SERVER_MASTER_KEY_STORAGE: "AZURE"

#####################################################################
# Azure Key Vault Configuration
#####################################################################
SCHEME_SERVER_AZURE_VAULT_CLIENT_ID : "<PLEASE_CHANGE>"
SCHEME_SERVER_AZURE_VAULT_CLIENT_SECRET : "<PLEASE_CHANGE>"
SCHEME_SERVER_AZURE_VAULT_AZURE_KEY_VAULT_URL : "<PLEASE_CHANGE>"
SCHEME_SERVER_AZURE_VAULT_AZURE_MASTER_KEY : "<PLEASE_CHANGE>"
SCHEME_SERVER_AZURE_VAULT_AZURE_MASTER_KEY_TYPE : "<PLEASE_CHANGE>"
SCHEME_SERVER_AZURE_VAULT_ZONE_KEY_ENCRYPTION_ALGO : "<PLEASE_CHANGE>"
SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE: "<PLEASE_CHANGE>"
#SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD: "<PLEASE_CHANGE>"

PEG_SERVER_AZURE_VAULT_CLIENT_ID : "<PLEASE_CHANGE>"
PEG_SERVER_AZURE_VAULT_CLIENT_SECRET : "<PLEASE_CHANGE>"
PEG_SERVER_AZURE_VAULT_AZURE_KEY_VAULT_URL : "<PLEASE_CHANGE>"
PEG_SERVER_AZURE_VAULT_AZURE_MASTER_KEY : "<PLEASE_CHANGE>"
PEG_SERVER_AZURE_VAULT_AZURE_MASTER_KEY_TYPE : "<PLEASE_CHANGE>"
PEG_SERVER_AZURE_VAULT_ZONE_KEY_ENCRYPTION_ALGO : "<PLEASE_CHANGE>"
PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERT_FILE: "<PLEASE_CHANGE>"
#PEG_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD: "<PLEASE_CHANGE>"

For creating an Azure Key Vault, follow the instructions at Azure Key Vault Setup.

For advanced configuration options, follow the "Click here" link.
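As an added example (it is not part of Privacera Manager or its documentation), the following bash script fills the password-type placeholders in the two vars files with random secrets and then runs a pre-flight check before installation: no uncommented <PLEASE_CHANGE> placeholder may remain, and exactly one SCHEME_SERVER_MASTER_KEY_STORAGE value (DB or AZURE) must be set, matching the note above that only one storage type can be configured at a time. The CUSTOM_VARS variable, the function names, the 64-character hex secret format and the file contents the script creates when the real files are absent are this example's own assumptions (the created files are constructed stand-ins for the DB variant). Azure client IDs, vault URLs and key names are not random secrets, so they are deliberately left for manual entry and the check reports them rather than generating values.

```shell
#!/usr/bin/env bash
# Added example, not Privacera's own tooling: fill the password placeholders in
# the PEG vars files with random secrets, then run a pre-flight check before
# ./privacera-manager.sh setup. CUSTOM_VARS, the function names and the file
# contents created below are assumptions of this example; point CUSTOM_VARS at
# ~/privacera/privacera-manager/config/custom-vars for a real run.
set -eu

CUSTOM_VARS="${CUSTOM_VARS:-$(mktemp -d)}"
PEG_VARS="$CUSTOM_VARS/vars.peg.yml"
MKS_VARS="$CUSTOM_VARS/vars.peg-master-key-storage.yml"

# Constructed stand-ins for the two copied sample files (DB storage variant),
# written only when the real files are absent so the script runs offline.
[ -f "$PEG_VARS" ] || printf 'PEG_V2_SHARED_SECRET: "<PLEASE_CHANGE>"\n' > "$PEG_VARS"
[ -f "$MKS_VARS" ] || cat > "$MKS_VARS" <<'EOF'
SCHEME_SERVER_MASTER_KEY_STORAGE: "DB"
# Master Key password
SCHEME_SERVER_MASTER_KEY_PASSWORD: "<PLEASE_CHANGE>"
SCHEME_SERVER_SHARED_SECRET: "<PLEASE_CHANGE>"
#SCHEME_SERVER_AZURE_KEYVAULT_CLIENT_CERTIFICATE_PASSWORD: "<PLEASE_CHANGE>"
EOF

# 32 bytes from the kernel CSPRNG, hex encoded: a 64-character secret.
gen_secret() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Rewrite the uncommented line for KEY as KEY: "VALUE"; commented lines and
# every other key are copied through unchanged.
set_secret() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^" k "[[:space:]]*:") { print k ": \"" v "\""; next }
    { print }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Number of uncommented lines still carrying the sample placeholder.
count_placeholders() {
  grep -v '^[[:space:]]*#' "$1" | grep -c '<PLEASE_CHANGE>' || true
}

# Print the configured storage type; fail unless exactly one uncommented
# SCHEME_SERVER_MASTER_KEY_STORAGE line is present with value DB or AZURE.
storage_type() {
  awk '
    /^[[:space:]]*#/ { next }
    /^SCHEME_SERVER_MASTER_KEY_STORAGE[[:space:]]*:/ {
      v = $0; sub(/^[^:]*:[[:space:]]*"/, "", v); sub(/".*$/, "", v)
      vals[++n] = v
    }
    END {
      if (n != 1 || (vals[1] != "DB" && vals[1] != "AZURE")) exit 1
      print vals[1]
    }' "$1"
}

# Fail with a message if any file still has placeholders or the storage type
# is missing, duplicated or unknown; otherwise print a one-line summary.
preflight() {
  local f left stype
  for f in "$PEG_VARS" "$MKS_VARS"; do
    left="$(count_placeholders "$f")"
    if [ "$left" -ne 0 ]; then
      echo "ERROR: $left placeholder(s) still set in $f" >&2
      return 1
    fi
  done
  if ! stype="$(storage_type "$MKS_VARS")"; then
    echo "ERROR: set exactly one SCHEME_SERVER_MASTER_KEY_STORAGE (DB or AZURE) in $MKS_VARS" >&2
    return 1
  fi
  echo "OK: master key storage=$stype, no placeholders left in $CUSTOM_VARS"
}

# Only password-type keys are generated. Azure client IDs, vault URLs and key
# names are not secrets to invent; they stay as placeholders until set by hand,
# and the pre-flight check reports them.
set_secret "$PEG_VARS" PEG_V2_SHARED_SECRET "$(gen_secret)"
set_secret "$MKS_VARS" SCHEME_SERVER_MASTER_KEY_PASSWORD "$(gen_secret)"
set_secret "$MKS_VARS" SCHEME_SERVER_SHARED_SECRET "$(gen_secret)"
preflight
```

Run it with CUSTOM_VARS pointing at the real custom-vars directory after copying the sample files. The SCHEME_SERVER_MASTER_KEY_PASSWORD it writes is the value the Critical note above says cannot be changed later, so the resulting vars file should be kept under the same access controls as any other key material, and the pre-flight check is worth re-running after every manual edit, since a placeholder left behind in an Azure field is exactly the kind of mistake that otherwise only surfaces during installation.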

Run the Privacera Manager installation scripts to initiate the installation process and install all the services based on the defined configurations:

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade
./privacera-manager.sh post-install
