Skip to content

Hierarchy and Types of Encryption Keys

To prevent compromise of encryption keys, key management is critical for encryption of data-at-rest and data-in-transit. The encryption keys must be secured by externalizing them into a separate Key Management System (KMS). Apache Ranger KMS is the key storage system to manage keys across Privacera services. Keys are stored in an encrypted format in the Apache Ranger KMS database. 

The key hierarchy includes the following types of keys.

img src="../assets/key_hierarchy.png" style="width:100%;height:auto" />

Master Key

The Master Key encrypts the KEKs in Apache Ranger KMS.

The Master Key is stored separately outside of the KMS database or externally on a hardware security module (HSM).

Key Encryption Key (KEK)

A KEK encrypts the Data Encryption Key (DEK).

KEKs are encrypted with the Master Key.

The KEKs are stored and managed in Apache Ranger KMS. Apache Ranger KMS manages the KEK keys to either encrypt DEKs to create Encrypted Data Encryption Keys (EDEKs) or to decrypt EDEKs.

  • If a KEK is deleted, any associated encrypted data cannot be decrypted. 
  • KEKs should be rotated at regular intervals, such as every 12 months initially. Frequency of rotation can be increased depending on how extensively the KEK is used. See Rotate Encryption Keys.

Data Encryption Key (DEK)

The Data Encryption Key (DEK) is the key that encrypts and decrypts the data.

Each encryption scheme created in the Privacera Portal is mapped to a unique DEK. The user must have key access privileges by way of a scheme policy to encrypt or decrypt data with the DEK.

The DEK is stored in an encrypted format as an Encrypted Data Encryption Key (EDEK). The key used to encrypt the DEK is managed by Apache Ranger KMS.

Encrypted Data Encryption Key (EDEK)

The EDEK is the encrypted DEK and is encrypted with a KEK. A KEK is required to decrypt an EDEK. EDEKs are stored and managed by Privacera.