Core Ideas and Terminology

Privacera Encryption enhances the data security provided by Privacera Access Manager and Privacera Discovery.

You can encrypt tables, columns, rows, fields, or other data in connected systems. Even when policies created in Privacera Access Manager grant access to the data, the encrypted values cannot be read.

Encryption can be two-way: you encrypt the data in place and decrypt it later. It can also be one-way: by hashing the data or overwriting it with string literals, you replace the original values so that they are unreadable and unrecoverable.

Essential Encryption Terminology

For a conceptual view of these terms in action, see Graphical View of Processes.

Privacera Encryption relies on schemes:

  • A scheme policy defines access control: who can use Privacera encryption and decryption.

  • A scheme is a combination of formats, algorithms, and scopes. There are two types of schemes:

    • Encryption schemes encrypt or decrypt the data.
    • Optional presentation schemes obfuscate decrypted data to a form suitable for displaying to authorized users.

    Both encryption schemes and presentation schemes rely on the same set of formats, algorithms, and scopes.

    • An input data format defines the data type and structure to be encrypted, such as alphanumeric, credit card, email address, or social security number.

    • An encryption algorithm specifies the mathematics used to encrypt, such as AES, FPE, or SHA.

  • A scope defines the extent of the encryption on the data, such as the first four digits, a regex match, an IP domain, or all data. Scoping to ALL is recommended.

For example, you might rely on a Privacera-supplied encryption scheme to protect a PII field called "EMAIL". The scheme:

  • Uses EMAIL format.
  • Applies the SHA-256 algorithm for a one-way hash.
  • Is scoped with a regular expression to encrypt the characters to the left of the email address's @ sign.

You can also define your own custom encryption and presentation schemes.
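To make the format/algorithm/scope terminology concrete, here is an added illustration (not Privacera's code or API) that models a scheme as exactly those three parts and applies the page's EMAIL example: SHA-256 over only the text left of the @ sign. It also shows a presentation scheme reusing the same format and scope with a masking step instead of a hash; the scheme names, the MASK algorithm and the regex validators are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Pattern

# Input data formats: what a scheme accepts (constructed validators, not Privacera's).
FORMATS: dict[str, Pattern[str]] = {
    "EMAIL": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "ALPHANUMERIC": re.compile(r"[A-Za-z0-9]+"),
}

# Algorithms: SHA-256 is the one-way hash from the page's example; MASK stands in
# for the kind of obfuscation a presentation scheme applies to decrypted data.
ALGORITHMS: dict[str, Callable[[str], str]] = {
    "SHA-256": lambda s: hashlib.sha256(s.encode("utf-8")).hexdigest(),
    "MASK": lambda s: "*" * len(s),
}

# Scopes: a regex whose first capturing group marks the part of the value to transform.
SCOPES: dict[str, Pattern[str]] = {
    "ALL": re.compile(r"(.*)", re.DOTALL),             # whole value (recommended default)
    "EMAIL_LOCAL_PART": re.compile(r"^([^@]+)(?=@)"),  # everything left of '@'
}


@dataclass(frozen=True)
class Scheme:
    """An encryption or presentation scheme: input format + algorithm + scope."""
    name: str
    input_format: str
    algorithm: str
    scope: str

    def apply(self, value: str) -> str:
        # Format check first: a scheme must refuse data it was not defined for.
        if not FORMATS[self.input_format].fullmatch(value):
            raise ValueError(f"{self.name}: value is not a valid {self.input_format}")
        transform = ALGORITHMS[self.algorithm]
        # Only the scoped capturing group is replaced; the rest passes through unchanged.
        return SCOPES[self.scope].sub(lambda m: transform(m.group(1)), value, count=1)


# The page's example: hash the local part of an email, keep the domain readable.
EMAIL_HASH = Scheme("EMAIL_HASH", "EMAIL", "SHA-256", "EMAIL_LOCAL_PART")
# A presentation scheme reusing the same format and scope with a different algorithm.
EMAIL_MASK = Scheme("EMAIL_MASK", "EMAIL", "MASK", "EMAIL_LOCAL_PART")
```

Because the domain is left in clear, two schemes that share a scope produce values that still group by domain, which is the trade-off a regex scope makes against scoping to ALL.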

Key Security

For maximum security, Privacera Encryption relies on different types of encryption keys, including a master key and the keys derived from it.

For a description of keys, see Hierarchy and Types of Keys.

By default, keys are stored in Privacera's Ranger Key Management System (KMS), except for the master key, which is stored outside the KMS or on a hardware storage module.

Keys can also be stored in the Azure Key Vault.