
Encryption Module

The purpose of data encryption is to protect digital data confidentiality as it is stored and transmitted. Encryption methods support authentication, integrity, and non-repudiation.

Recommendations

  • Use Ranger Key Management System (KMS)
  • To install crypto, first set the crypto properties, then ‘update’ the portal. Do not restart the portal.

Prerequisites

The associated KMS Ranger Policy user must have access to UDF and Schemes. Including the ‘LITERAL’ Format Type in the KMS scheme will result in one-way encryption.

External KMS with Encryption

The master key for a scheme will be created in Ranger KMS. To use KMS, the ‘portal.crypto.ranger’ feature must be enabled in the portal custom properties, as shown below:

privacera.portal.crypto.ranger.enabled=true

Set Crypto & KMS Settings in Cazena

  1. Login to Cazena’s privacera server using an installed administrator account such as privacera-admin.

  2. Open application-custom.properties for edit:

    vi ~/privacera/docker/privacera/portal/conf/application-custom.properties
    
  3. Add the external KMS details. In the following example, we are using Ranger KMS running on port 9292.

    privacera.portal.ranger.kms.base.url=http://${HOST_NAME}:9292/kms/v1
    privacera.portal.ranger.kms.password=${PASSWORD}
    privacera.portal.ranger.kms.username=keyadmin
    privacera.portal.ui.feature.crypto=enable
    
  4. If UDF encryption is required, add the associated property. The default value is false.

    privacera.crypto.install.enabled=true
    

    If KMS is set, the master key for the schemes will be created in Ranger KMS. Ranger KMS is not mandatory, but it is recommended.

  5. Delete the schemes if present and recreate the default ones. You need to do this only once.

    privacera.portal.crypto.ranger.enabled=true

Configure Optional Settings Based on Your Needs

  1. Add the following property in **privacera-discovery-properties**.

    If you want to use LITERAL static masking, set the value to true. The default value is false.

    privacera.discovery.rtbf.override.formattype=false
    
  2. Add the following properties in **privacera-discovery-properties**.

    privacera.discovery.portal.baseurl=http://${CLUSTER_NAME}:6868
    privacera.discovery.portal.password=${PASSWORD}
    privacera.discovery.portal.username=padmin
    
  3. Update the Portal if you want to install the crypto package.

  4. Update the Discovery.

Set Up Schemes and KMS Keys

  1. Login to Privacera Portal.

  2. Click Anonymization and then click Schemes from the left menu.

Note

Delete all Schemes if any scheme is present (this step is required only once, after setting up the KMS and crypto properties).

Generate System Schemes

  1. Login to the Privacera Portal.

  2. On the home page, expand Diagnostics and click Health Check.

  3. On the Diagnostics tab, click Encryption.

  4. Click Create for System Schemes.

  5. Click Yes at the prompt.

    The System Schemes are created.

  6. To verify the System Generated Schemes, click Anonymization and then click Schemes from the left menu.

Verify KMS Keys

Verify that KMS keys are generated in Ranger.

  1. Log in to Ranger at /{hostname}:6080 with the username keyadmin.

  2. Click Encryption menu and then click Key Manager.

  3. Select the KMS service from the drop-down list.

  4. Once you select the KMS service, keys will be auto-populated.

    For example: If the system generated scheme is person_name, then the key will be pmsk_person_name.

UDF Setup in Portal

Add UDF in Hive

  1. Log in to Privacera Portal.

  2. On the Privacera home page, expand Diagnostics and click Health Check.

  3. Under the Diagnostics tab, click Encryption.

  4. Click Create for UDF - Protect, UnProtect.

  5. Click Yes at the prompt.

Confirm UDF has been Added in Hive

  1. SSH to the instance.

  2. Do kinit for ${user}.

  3. Connect to beeline.

    Example:

    beeline -u "jdbc:hive2://{hostname}:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2" -n ${user}
    
  4. Describe the functions created by Privacera.

    DESCRIBE FUNCTION EXTENDED privacera.protect;

    DESCRIBE FUNCTION EXTENDED privacera.unprotect;

  5. If the UDF was not created successfully, you will see the error message “Function ‘privacera.protect’ does not exist”.

Run Privacera UDF in Hive

  1. Login to the Privacera Portal.

  2. Click Anonymization and then click Schemes from left menu.

  3. Click Add.

  4. Create a scheme by entering the following details:

    • Scheme Name: cazena-name

    • Format type: FPE_ALPHA_NUMERIC

    • Scope: All

    • Algorithm: FPE

  5. Click Save.

  6. Check if the KMS key is generated for the scheme.

    • Log in to Ranger /{hostname}:6080 with username keyadmin.

    • Click Encryption and click the Key Manager sub-menu.

  7. SSH to the instance.

  8. Do kinit for ${user}.

  9. Connect to beeline.

    Example:

    beeline -u "jdbc:hive2://{hostname}:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2" -n ${user}

  10. Enter the following commands.

    select privacera.protect("I am Me" ,"cazena-name");
    select privacera.unprotect(privacera.protect("TEXT" ,"cazena-name"), "cazena-name");
    
  11. Check the KMS audits on Ranger.

  12. Login to Ranger /{hostname}:6080 with username keyadmin.

  13. Click Audit and then click Access.

    If the UDF call fails, the Ranger KMS audits will show Denied access. In that case, you need to grant permission to ${user}.

    If the UDF result is successful, the audits will be shown as Allowed.

Check Crypto UDF Logs

    sudo su
    tail -f /var/log/hive/hiveserver2.log

Give Permissions to Access KMS Schemes and Keys

  1. Log in to Ranger at /{hostname}:6080 with the username keyadmin.

  2. From the Access Manager menu, click Resource Based Policies.

  3. Under KMS definition, click Service.

  4. Click the privacera keys rights policy.

  5. Add ${user} under Select User and save the policy.

Encryption Using Third Party Encryption API

Create third party Schemes.

  1. Login to the Privacera Portal.

  2. Click Anonymization and then click Schemes from the left menu.

  3. Click Add.

  4. Enter the scheme details:

    • Scheme Name: US_PHONE_3rdParty

    • Format type: FPE_ALPHA_NUMERIC

    • Scope: All

    • Algorithm: AES

    • Encryption API: BOUNCY_CASTLE

    • Tag: US_PHONE_NUMBER

    Note

    The default Encryption API is Privacera Crypto.

  5. Click Save.

Encryption and Decryption Using the REST API

The REST API used by the Privacera encryption/decryption module can be explicitly called.

Protect

  • API URL: /{hostname}:6868/api/crypto/public/protect_unprotect

  • Method: POST

  • Body:

    {
      "operation": "PROTECT",
      "data": "emily@ceracera.com",
      "scheme": "EMAIL",
      "user": "privacera"
    }
    
  • Response:

    {
      "responseStatus": "SUCCESS",
      "errorMessage": null,
      "data": "<encrypted_data>"
    }
    

Encryption and Decryption Using Curl Commands

Using curl, you can post the request as shown below:

  • Request:

    curl -u $PORTAL_USERNAME:$PORTAL_USER_PASSWORD -H "Content-type: application/json" -d '{"operation":"PROTECT","data":"$DATA","scheme":"$SCHEME_NAME","user":"privacera"}'  http://{hostname}:6868/api/crypto/public/protect_unprotect
    
  • Sample:

    curl -u padmin:padmin -H "Content-type: application/json" -d '{"operation":"PROTECT","data":"emily@ceracera.com","scheme":"EMAIL","user":"privacera"}' http://helloworld.privacera.us:6868/api/crypto/public/protect_unprotect
    
  • Response:

    {"responseStatus":"SUCCESS","errorMessage":null,"data":"L7*X?@KPSMotNL.TCQ"}
    
  • Sample:

    curl -u padmin:padmin -H "Content-type: application/json" -d '{"operation":"PROTECT","data":"My Phone is 856-232-9702","scheme":"US_PHONE_FORMATTED","user":"privacera"}' http://helloworld.privacera.us:6868/api/crypto/public/protect_unprotect
    
  • Response:

    {"responseStatus":"SUCCESS","errorMessage":null,"data":"fZ GcdOC IF 099-020-7486"}
    

UnProtect by API

  • API URL: /{hostname}:6868/api/crypto/public/protect_unprotect

  • Method: POST

  • Body:

    {
      "operation": "UNPROTECT",
      "data": "",
      "scheme": "EMAIL",
      "user": "privacera"
    }

  • Response:

    {
      "responseStatus": "SUCCESS",
      "errorMessage": null,
      "data": "<decrypted_data>"
    }
    

Unprotect by Curl Commands

Using curl, you can call the unprotect API as shown below:

  • Request:

    curl -u $PORTAL_USERNAME:$PORTAL_USER_PASSWORD -H "Content-type: application/json" -d '{"operation":"UNPROTECT","data":"$ENCRYPTED_DATA","scheme":"$SCHEME","user":"privacera"}' http://{hostname}:6868/api/crypto/public/protect_unprotect
    
  • Sample:

    curl -u padmin:padmin -H "Content-type: application/json" -d '{"operation":"UNPROTECT","data":"L7*X?@KPSMotNL.TCQ","scheme":"EMAIL","user":"privacera"}' http://helloworld.privacera.us:6868/api/crypto/public/protect_unprotect
    
  • Response:

    {"responseStatus":"SUCCESS","errorMessage":null,"data":"emily@ceracera.com"}
    
  • Sample:

    curl -u padmin:padmin -H "Content-type: application/json" -d '{"operation":"UNPROTECT","data":"210-326-1341","scheme":"US_PHONE_FORMATTED","user":"privacera"}' http://helloworld.privacera.us:6868/api/crypto/public/protect_unprotect
    
  • Response:

    {"responseStatus":"SUCCESS","errorMessage":null,"data":"My Phone is 856-232-9702"}
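The Protect and UnProtect calls above, wrapped in a small Python client that builds the documented request body, sends it with basic auth like `curl -u`, and checks `responseStatus` and `errorMessage` before trusting `data`. This is an added example, not Privacera's own client; the endpoint path, body fields and response fields are taken from this page, while the transport is injectable (`send`) so the round-trip check can run against a fake server or the real portal.

```python
"""Client for the portal's /api/crypto/public/protect_unprotect endpoint (added example)."""
import base64
import json
import urllib.request

ENDPOINT_PATH = "/api/crypto/public/protect_unprotect"  # path documented on this page


class CryptoApiError(Exception):
    """Raised when the portal reports a responseStatus other than SUCCESS."""


def build_body(operation, data, scheme, user="privacera"):
    """Serialise the documented JSON body; operation must be PROTECT or UNPROTECT."""
    if operation not in ("PROTECT", "UNPROTECT"):
        raise ValueError("operation must be PROTECT or UNPROTECT")
    return json.dumps({"operation": operation, "data": data, "scheme": scheme, "user": user})


def parse_response(raw):
    """Validate the documented response shape and return only the data field."""
    resp = json.loads(raw)
    if resp.get("responseStatus") != "SUCCESS":
        # errorMessage is null on success; surface it (or the status) on failure
        raise CryptoApiError(resp.get("errorMessage") or str(resp.get("responseStatus")))
    return resp["data"]


def http_post(base_url, username, password):
    """Return a send(body) transport doing an HTTP POST with basic auth (equivalent of curl -u)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Content-type": "application/json", "Authorization": "Basic " + token}

    def send(body):
        req = urllib.request.Request(base_url + ENDPOINT_PATH, data=body.encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode()
    return send


def protect(send, data, scheme, user="privacera"):
    return parse_response(send(build_body("PROTECT", data, scheme, user)))


def unprotect(send, data, scheme, user="privacera"):
    return parse_response(send(build_body("UNPROTECT", data, scheme, user)))


def roundtrip_ok(send, data, scheme):
    """Protect then unprotect with the same scheme; True only if the original value comes back."""
    return unprotect(send, protect(send, data, scheme), scheme) == data
```

Against a live portal, `send = http_post("http://{hostname}:6868", "padmin", "padmin")` reproduces the curl samples; a denied KMS key (see the Ranger audit steps above) surfaces as `CryptoApiError` instead of being mistaken for ciphertext.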