Privacera Platform

Encryption Key Management

Types of encryption keys

Key management is a critical part of preventing the compromise of your encryption keys for both data-at-rest and data-in-transit. Encryption keys must be secured by storing them in a separate Key Management System (KMS). Privacera uses Apache Ranger KMS, where keys are stored in an encrypted format.

Privacera Encryption uses the following types of encryption keys:

Types of encryption keys. The Master Key encrypts the Key Encryption Key, which encrypts the Data Encryption Key to produce the Encrypted Data Encryption Key.
About the Master Key

The Master Key encrypts the Key Encryption Keys (KEK) in Apache Ranger KMS.

The Master Key is stored outside of the KMS database, or externally on a hardware security module (HSM).

About the Key Encryption Key (KEK)

A KEK encrypts the Data Encryption Key (DEK). The Master Key encrypts KEKs.

You store and manage KEKs in Apache Ranger KMS. Apache Ranger KMS uses the KEKs to:

  • Encrypt DEKs to create Encrypted Data Encryption Keys (EDEKs)

  • Decrypt EDEKs

If you delete a KEK, the EDEKs wrapped with it can no longer be decrypted, so none of the data encrypted under those DEKs can be recovered.

KEKs should be rolled over at regular intervals, such as every 12 months. You can increase the frequency depending on how extensively the KEK is used. For more information, see Rollover encryption keys.

About the Data Encryption Key (DEK)

The Data Encryption Key (DEK) encrypts and decrypts your data.

Each encryption scheme created in the Privacera Portal is mapped to a unique DEK. The user must have key access privileges by way of a scheme policy to encrypt or decrypt data with the DEK.

The DEK is stored in an encrypted format as an Encrypted Data Encryption Key (EDEK). The key used to encrypt the DEK is managed by Apache Ranger KMS.

About the Encrypted Data Encryption Key (EDEK)

The EDEK is the DEK encrypted with a KEK. The same KEK is required to decrypt an EDEK. EDEKs are stored and managed by Privacera.

Rollover encryption keys

Privacera uses Apache Ranger to encrypt data. You can roll over encryption keys from the Apache Ranger UI or by using the REST API /keys/key. If a key was used to encrypt several terabytes of data, rolling over that key directly would be computationally intensive and time-consuming. During such a key rollover, which first decrypts the data using the existing key and then re-encrypts it using the new key, your data is not available.

To overcome this challenge, Privacera encrypts the Data Encryption Keys (DEKs) that are used to encrypt the data. A separate set of keys, called Key Encryption Keys (KEKs), is used to encrypt the DEKs. The term “rollover” therefore means rotating the KEKs instead of the DEKs: only the small DEKs are re-wrapped, and the data itself is never re-encrypted. Even if you have ten thousand keys, rotating the KEKs completes extremely fast.

To rollover encryption keys using Apache Ranger, follow these steps:

  1. Log in to Ranger at https://<your_privacera_hostname>:6080 using “keyadmin” credentials.

  2. Hover your cursor over the Encryption menu item and select Key Manager.

  3. From the Select Service dropdown menu, select privacera_kms.

    The current key entries are displayed.

  4. Click the pencil icon for the key you want to rollover.

  5. Click OK to roll over the key.

    The Ranger rollover Key API is called, which decrypts the DEKs that were encrypted using the previous key, creates a new key, and encrypts the DEKs using the newly generated key.
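The key hierarchy described above (Master Key wrapping KEKs, KEKs wrapping DEKs into EDEKs) and the rollover step just outlined, as an added, self-contained illustration. This is not Privacera's or Apache Ranger KMS's own code: `KmsModel` is a hypothetical stand-in for the KMS, and `seal`/`open_` use a stdlib HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag in place of the AES-based ciphers a real KMS would use. It shows why rollover is fast (only 32-byte DEKs are re-wrapped, the data blob is untouched) and why a deleted or replaced KEK makes old EDEKs unreadable.

```python
import hashlib, hmac, os

def _sub(key: bytes, label: bytes) -> bytes:            # domain-separated subkeys
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:  # HMAC-SHA256 in counter mode
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, pt: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an AEAD: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(_sub(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); fails closed if the key is wrong (e.g. after a KEK is deleted)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

class KmsModel:
    """Hypothetical KMS: the Master Key wraps KEKs; a KEK wraps each scheme's DEK into an EDEK."""
    def __init__(self):
        self.master_key = os.urandom(32)   # in practice kept outside the KMS DB or on an HSM
        self.keks = {}                     # KEK name -> (version, KEK wrapped by the Master Key)
    def create_kek(self, name: str) -> None:
        self.keks[name] = (1, seal(self.master_key, os.urandom(32)))
    def _kek(self, name: str) -> bytes:
        return open_(self.master_key, self.keks[name][1])
    def generate_edek(self, kek: str) -> tuple:
        dek = os.urandom(32)               # one DEK per encryption scheme
        return dek, seal(self._kek(kek), dek)
    def decrypt_edek(self, kek: str, edek: bytes) -> bytes:
        return open_(self._kek(kek), edek)
    def rollover(self, kek: str, edeks: list) -> list:
        """Rollover as described above: unwrap the DEKs under the old KEK, create a
        new KEK, re-wrap the DEKs. The data encrypted under the DEKs is never touched."""
        deks = [self.decrypt_edek(kek, e) for e in edeks]
        self.keks[kek] = (self.keks[kek][0] + 1, seal(self.master_key, os.urandom(32)))
        return [seal(self._kek(kek), d) for d in deks]

def demo() -> bytes:
    kms = KmsModel(); kms.create_kek("scheme_kek")
    dek, edek = kms.generate_edek("scheme_kek")
    record = seal(dek, b"ssn=123-45-6789")          # constructed sample data record
    (edek,) = kms.rollover("scheme_kek", [edek])     # fast: re-wraps one 32-byte DEK only
    return open_(kms.decrypt_edek("scheme_kek", edek), record)
```

After `rollover`, the original EDEK no longer opens under the new KEK, while the re-wrapped EDEK yields the same DEK and the stored record decrypts unchanged.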

Ranger KMS with Azure Key Vault

For information about working with the Ranger Key Management System (KMS) and the Azure Key Vault (AKV), see the following: