Overview of Privacera Encryption
Privacera Encryption enhances the data security provided by Privacera Access Management and Privacera Discovery.
You can encrypt tables, columns, rows, fields, or other data in connected systems. Even when Privacera Access Management policies grant a user access to the data, the encrypted values remain unreadable.
Encryption can be two-way: you encrypt the data in place and decrypt it later. Or it can be one-way: hashing, or overwriting with string literals, replaces the original data so that it is unreadable and unrecoverable.
You can also completely mask data with a one-way transform.
For a graphical overview of the encryption process, see View of encryption processes.
About schemes
Privacera Encryption relies on schemes. A scheme is a combination of formats, algorithms, and scopes. There are three types of schemes:
Encryption schemes: schemes that encrypt or decrypt the data.
Presentation schemes: optional schemes that obfuscate decrypted data to a form suitable to display to authorized users.
Masking schemes: schemes that permanently transform the data one-way.
All schemes rely on the same set of encryption formats, algorithms, and scopes:
Format: defines the data type and structure to be encrypted, such as alphanumeric, credit card, email address, or social security number.
Algorithm: specifies the mathematics used to encrypt, such as AES, FPE, or SHA.
Scope: defines the extent of the data encryption, such as the first four digits, an IP domain, or all data. Scoping ALL is recommended.
A scheme policy defines access control: users who have permission to access a scheme.
For example, you might rely on a Privacera-supplied encryption scheme to protect a PII field called "EMAIL" with the following properties:
Uses the EMAIL format
Applies the SHA-256 algorithm for a one-way hash
Is scoped with "masked domain" to hide the portion of the email to the right of the @ sign
You can also define your own custom encryption, presentation, and masking schemes.
View of encryption processes
This conceptual graphic with annotation shows the general process of Privacera Encryption. This same process is also illustrated in Encryption architecture and UDF flow.

The Privacera encryption process is as follows:
An endpoint is called to encrypt raw data.
The scheme policy protecting access to encryption functions is checked.
The encryption scheme encrypts the data according to its associated format, algorithm, and scope.
The data is encrypted.
An endpoint is called to decrypt the encrypted data.
The scheme policy protecting access to encryption functions is checked.
The same encryption scheme that encrypted the data is used to decrypt according to the encryption scheme's format, algorithm, and scope.
The presentation scheme obfuscates the decrypted data for presentation to the user.
Encryption architecture and UDF flow
This diagram shows the PEG architecture for viewing a record. For a description of the keys in this architecture, see Hierarchy and Types of Encryption Keys.

A user queries sensitive data.
Privacera Access Management verifies the user's access privileges to the data and to the key (encryption scheme) used to decrypt the data.
If the user has access privileges to both the data and the key, Privacera Encryption requests the Data Encryption Key (DEK) for the encryption scheme.
The Privacera Encryption Gateway (PEG) sends the Encrypted Data Encryption Key (EDEK) from the scheme to Ranger KMS to be decrypted into the DEK.
Ranger KMS authenticates the caller (the encryption module) and uses the KEK to decrypt the EDEK and obtain the DEK.
The PEG obtains the DEK and decrypts the data.
The PEG returns the data to the user.
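The decrypt flow above, as an added illustration written for this page rather than code from Privacera or Ranger KMS. The KMS keeps the KEK and unwraps an EDEK only for an authenticated caller; the PEG checks access, obtains the DEK, and decrypts. The cipher is a toy stand-in for a real one such as AES, and all user, caller and scheme names are constructed assumptions.

```python
import hashlib
import secrets

# Hypothetical model of the PEG / Ranger KMS decrypt flow. Illustrative only.


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher: XOR with a SHA-256 counter keystream.
    Symmetric, so the same call encrypts and decrypts. Not for real data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class RangerKMS:
    """Holds the KEK; only an authenticated caller may unwrap an EDEK into a DEK."""
    def __init__(self, trusted_callers):
        self._kek = secrets.token_bytes(32)   # never leaves the KMS
        self._trusted = set(trusted_callers)

    def wrap_dek(self, dek: bytes) -> bytes:
        return toy_cipher(self._kek, dek)     # the EDEK stored with the scheme

    def decrypt_edek(self, caller: str, edek: bytes) -> bytes:
        if caller not in self._trusted:
            raise PermissionError(f"KMS rejected caller {caller}")
        return toy_cipher(self._kek, edek)


class PEG:
    """Encryption gateway: checks access, asks the KMS for the DEK, decrypts."""
    def __init__(self, kms, data_users, scheme_users, caller_id="peg-module"):
        self._kms, self._id = kms, caller_id
        self._data_users, self._scheme_users = data_users, scheme_users
        self._edeks = {}                      # scheme name -> EDEK

    def register_scheme(self, name: str) -> bytes:
        dek = secrets.token_bytes(32)
        self._edeks[name] = self._kms.wrap_dek(dek)
        return dek                            # returned here only to encrypt sample data

    def can_decrypt(self, user: str, scheme: str) -> bool:
        # Access Management: the user needs both the data and the key (scheme).
        return user in self._data_users and scheme in self._scheme_users.get(user, set())

    def decrypt(self, user: str, scheme: str, ciphertext: bytes) -> bytes:
        if not self.can_decrypt(user, scheme):
            raise PermissionError(f"{user} lacks access to the data or scheme {scheme}")
        dek = self._kms.decrypt_edek(self._id, self._edeks[scheme])
        return toy_cipher(dek, ciphertext)
```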
Formats, algorithms, and scopes
In Privacera Encryption, a scheme is composed of formats, algorithms, and scopes. The formats, algorithms, and scopes associated with each scheme are described in Encryption formats, algorithms, and scopes.
The following sections explain formats, algorithms, and scopes.
Formats
A format is the data type and structure of the input data to be encrypted.
For example, the format of your input data could be:
Numeric
Date
Credit card
Social security number
Algorithms
Algorithms are the mathematics used to encrypt your data.
There are two types of algorithms:
Two-way encryption and decryption
One-way hashes
About LITERAL
One type of one-way transformation is the LITERAL replacement of data. This option replaces the specified data with the name of the tag associated with the data.
For example, if a database field is tagged as PERSON_NAME, when an encryption transform is applied as LITERAL, the field's value is replaced with PERSON_NAME.
Caution
If you use LITERAL, the original data cannot be recovered.
Scopes
Scopes define the extent of your data encryption, such as the first four digits, an IP domain, or all data.
The ALL scope is recommended as the most comprehensive treatment of the extent of the data. However, you can choose from other available scopes.
Approaches to programming
These are the general programming options with Privacera Encryption:
REST API endpoints, as described in PEG REST API on Privacera Platform
User-Defined Functions (UDFs) that rely on Privacera's crypto jar in your datasources.
Key security
For maximum security, Privacera Encryption relies on different types of encryption keys. For a description of keys, see Hierarchy and Types of Encryption Keys.