Install Privacera Encryption
Encryption deployment specifications
These are the minimal specifications for running Privacera Encryption in production.
Hardware
Hardware | Minimum Configuration
---|---
Number of CPUs | 32
RAM | 32 GB
Network bandwidth | 10 Gbps
Software and server configuration
These are the specifications and configurations for Privacera Encryption software components.
Tomcat and Privacera Encryption settings
To configure Tomcat and Privacera Encryption, you must set properties in the following variable file:
~/privacera/privacera-manager/config/custom-vars/vars.peg.yml
In the variable file, set the following properties:
```yaml
PEG_SERVER_TOMCAT_MAX_THREADS: "1024"
PEG_SERVER_TOMCAT_CONNECTION_TIMEOUT: "20s"
PEG_SERVER_TOMCAT_MAX_CONNECTIONS: "1200"
PEG_SERVER_TOMCAT_MIN_SPARE_THREADS: "200"
PEG_SERVER_TOMCAT_ACCEPT_COUNT: "1000"
PRIVACERA_PEG_CONNECTIONPOOL: "500"
```
After setting these properties, you must update Privacera Manager.
Operational specifications
These specifications relate to the operational use of Privacera Encryption.
Batch together the elements in the datalist JSON array of the PEG REST API /protect or /unprotect request:
- Minimum batch size: 2,000 elements per request.
- Maximum recommended batch size: 15,000.
- Maximum number of requests: 1,800.
Note: Network latency can impact performance. Your network architecture should be optimized.
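The batching limits above, applied client-side, as an added example (not Privacera's own client code). It assumes only what the guide states: the request carries its values in a JSON array named datalist; any other fields the endpoint requires are not shown.

```python
"""Client-side batching for the PEG REST API /protect and /unprotect calls.

Added example, not Privacera's own client code. Assumes only that the
request body carries its values in a JSON array named "datalist".
"""
import json
import math

MIN_BATCH = 2_000      # minimum elements per request (from the guide)
MAX_BATCH = 15_000     # maximum recommended elements per request (from the guide)
MAX_REQUESTS = 1_800   # maximum number of requests (from the guide)


def batch_size_ok(batch_size: int) -> bool:
    """True when a batch size lies within the guide's per-request limits."""
    return MIN_BATCH <= batch_size <= MAX_BATCH


def requests_needed(n_values: int, batch_size: int) -> int:
    """Number of requests required to send n_values at the given batch size."""
    return math.ceil(n_values / batch_size)


def plan_batches(values: list, batch_size: int = MAX_BATCH) -> list[list]:
    """Split values into request-sized chunks, enforcing the guide's limits.

    The last chunk holds the remainder and may therefore be smaller than
    MIN_BATCH; the batch size and the total request count are what is checked.
    """
    if not batch_size_ok(batch_size):
        raise ValueError(f"batch size must be {MIN_BATCH}..{MAX_BATCH}, got {batch_size}")
    needed = requests_needed(len(values), batch_size)
    if needed > MAX_REQUESTS:
        raise ValueError(f"{needed} requests needed, limit is {MAX_REQUESTS}")
    return [values[i:i + batch_size] for i in range(0, len(values), batch_size)]


def build_request_bodies(values: list, batch_size: int = MAX_BATCH) -> list[str]:
    """One JSON body per batch; the same shape serves /protect and /unprotect."""
    return [json.dumps({"datalist": chunk}) for chunk in plan_batches(values, batch_size)]


if __name__ == "__main__":
    # Constructed sample input: 35,000 placeholder values -> 3 request bodies.
    sample = [f"value-{i}" for i in range(35_000)]
    for body in build_request_bodies(sample):
        print(len(body), "bytes")
```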
Installation Steps
Privacera Encryption and the Privacera Encryption Gateway (PEG) are enabled in the Privacera Manager.
Follow the instructions in the sections below to install and enable the Privacera Manager components for encryption.
Provide user access to Ranger KMS
To provide user access to the keys needed for encryption, you must create a policy in Apache Ranger KMS. To do so, follow these steps:
1. Log in to the Ranger portal and select Access Manager > Resource Based Policies.
2. In the KMS section, click privacera_kms.
3. In the List of Policies: privacera_kms section, click Add New Policy.
4. In the Create Policy screen, enter the following information to create a policy and provide access to the user:
   - Policy Name: Enter the access policy name.
   - Policy Label: Enter a label name (optional).
   - Key Name: Type a character to list the existing key names that are already generated in Ranger.
   - Description: Enter a description for the policy.
   - Audit Logging: Toggle Yes or No.
5. In the Allow Conditions section, select the following:
   - Select Role: Enter or select from existing roles.
   - Select Group: Enter or select from existing groups.
   - Select User: The username that will be used in the encryption API. Select an existing user or enter a new user name.
   - Add Permissions: Select user permissions: Create, Delete, Rollover, Set Key Material, Get, Get Keys, Get Metadata, Generate EEK, Decrypt EEK, Select/Deselect All.
   - Delegate Admin: Select this if the user is delegated as the admin.
   Similarly, for specific users, you can select users under Exclude from Allow Conditions, Deny Conditions, and Exclude from Deny Conditions.
6. Click Add to save the policy.
Provide user access for Encryption Service
To set user access for the Encryption Service in Apache Ranger KMS, follow these steps:
1. Log in to the Ranger portal.
2. In the Access Manager tab, select the privacera_kms policy. Click the edit button next to the all - key policy.
3. In the Allow Conditions section, search for and select the privacera_service_discovery user from the Select User dropdown menu.
Enable telemetry data collection
By default, the collection of telemetry data about the use of the Privacera Encryption Gateway (PEG) is disabled.
To enable telemetry data collection, follow these steps:
1. Copy the vars.peg.yml configuration file to custom-vars/:
```shell
cd ~/privacera/privacera-manager
cp config/sample-vars/vars.peg.yml config/custom-vars/
vi config/custom-vars/vars.peg.yml
```
2. Edit the following properties in vars.peg.yml. For a list of custom properties that can be configured for the Solr service, see Solr.
```yaml
PRIVACERA_PEG_SOLR_METRICS_ENABLE: "true"
PRIVACERA_PEG_SOLR_URL: "<PLEASE_CHANGE>"
PRIVACERA_PEG_SOLR_BASIC_AUTH_ENABLED: "<PLEASE_CHANGE>"
PRIVACERA_PEG_SOLR_USER: "<PLEASE_CHANGE>"
PRIVACERA_PEG_SOLR_PASSWORD: "<PLEASE_CHANGE>"
PRIVACERA_PEG_SOLR_ZOOKEEPER_URL: "<PLEASE_CHANGE>"
PRIVACERA_PEG_SOLR_COLLECTION: "<PLEASE_CHANGE>"
PRIVACERA_PEG_SOLR_UPDATE_INTERVAL_SECONDS: "<PLEASE_CHANGE>"
```
3. Restart Privacera Manager:
```shell
./privacera-manager.sh update
```
Telemetry data collection is enabled.