PEG Architecture and Flow

The Privacera Encryption flow can be described as follows:

  1. User queries sensitive data.

  2. The Privacera Policy engine verifies if the user has access privileges to the data and the key (encryption scheme) used to decrypt the data.

  3. If the user has access privileges to both the data and key, Privacera encryption initiates a request for DEK for the encryption scheme.

  4. PEG sends the EDEK from the scheme to Ranger KMS for decryption.

  5. Ranger KMS authenticates the caller (the encryption module) and uses the KEK to decrypt EDEK and obtain the DEK.

  6. The Privacera Encryption Gateway (PEG) obtains the DEK and decrypts the data using DEK. The PEG uses DEK only for the duration of the decryption.

  7. The PEG returns the data to user/client.

The following diagrams show the PEG architecture for adding and viewing a record: