Encryption Techniques

Privacera Encryption supports a variety of encryption techniques to meet diverse data protection requirements across different platforms and regulatory landscapes. These techniques are implemented through its components, including the Privacera Encryption Gateway (PEG), and are used in both native (client-side) and remote (server-side) encryption workflows.

Encryption algorithms and formats are defined in schemes, which are the core of Privacera Encryption. You can refer to the Schemes Management section for more details on how to create and manage schemes.

Format-Preserving Encryption (FPE)

Privacera Encryption uses Format-Preserving Encryption (FPE) as the foundational technique for its vaultless tokenization model. FPE transforms sensitive data while retaining its original format, making it compatible with existing database schemas and applications.

Examples:

  • Credit card number 4111-1111-1111-1111 becomes 8121-1423-1882-7324
  • Social Security Number 123-45-6789 becomes 935-14-3842

Benefits:

  • No schema changes required
  • Ideal for partial encryption and selective reveal via presentation schemes
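
The format-preserving property described above, as an added example that is not Privacera's code or algorithm: a simplified keyed Feistel network over decimal digits that keeps separators in place and is reversible with the same key and tweak. It is an illustration only, not a standardized mode such as NIST FF1; the names fpe, ROUNDS and MIN_DIGITS, the minimum-length floor and the sample key and tweak are assumptions of this example.

```python
import hashlib
import hmac
import string

ROUNDS = 10      # even, so the two half lengths line up again for decryption
MIN_DIGITS = 6   # this example's own floor: tiny domains can be enumerated

def _f(key, tweak, rnd, n, half):
    """Round function: HMAC-SHA-256 over round number, length, tweak and one half."""
    msg = bytes([rnd]) + n.to_bytes(4, "big") + tweak + b"|" + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def _feistel(digits, key, tweak, decrypt):
    n = len(digits)
    a, b = digits[: n // 2], digits[n // 2:]
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if decrypt:
            # Undo one round: subtract the round value, then swap the halves back.
            m = len(b)
            prev = (int(b) - _f(key, tweak, rnd, n, a)) % 10**m
            a, b = str(prev).zfill(m), a
        else:
            # One round: add the round value modulo 10^m, then swap the halves.
            m = len(a)
            c = (int(a) + _f(key, tweak, rnd, n, b)) % 10**m
            a, b = b, str(c).zfill(m)
    return a + b

def fpe(value, key, tweak=b"", decrypt=False):
    """Transform only the decimal digits of value; every other character stays put."""
    digits = "".join(ch for ch in value if ch in string.digits)
    if len(digits) < MIN_DIGITS:
        raise ValueError("domain too small to protect")
    out = iter(_feistel(digits, key, tweak, decrypt))
    return "".join(next(out) if ch in string.digits else ch for ch in value)

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-use"   # constructed sample key
    tweak = b"col:pan"                          # constructed per-column tweak
    for sample in ("4111-1111-1111-1111", "123-45-6789"):
        token = fpe(sample, key, tweak)
        print(sample, "->", token, "->", fpe(token, key, tweak, decrypt=True))
```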

Data Masking

Masking is a non-reversible operation that hides sensitive values based on user permissions. Privacera Encryption supports multiple masking formats:

  • Redaction (e.g., replacing with X or *)
  • Nullification (returning NULL or blank)
  • Hashing (one-way transformation using cryptographic hash functions)

Common use cases for hashing:

  • Password storage and verification
  • Data integrity checks
  • Generating unique identifiers while preserving privacy

Masking can be:

  • Manually applied using UDFs
  • Automatically applied via resource- or tag-based masking policies

Algorithm Support

Privacera provides pluggable support for various encryption algorithms, with the default being FPE. Algorithms can be defined in:

  • Custom schemes created via UI or APIs
  • System schemes for common data types (e.g., SSN, Email, Credit Card)

Supported algorithm types include:

  • Format-Preserving Encryption (FPE)
  • Advanced Encryption Standard (AES)
  • SHA-256 (for hashing)

Field-Level Encryption

Field-level encryption allows users to protect specific columns or fields (e.g., SSN, email, name) rather than encrypting the entire record or file.

  • Applied via REST API, UDFs, or integration connectors
  • Policies can be scoped to users, groups, or roles using Ranger
  • Field-to-scheme mapping defined in meta files or masking policies

Encryption Modes

Privacera Encryption supports two primary modes of performing encryption:

Native Encryption

  • Performed at the data source or connector level (e.g., FEU, Databricks UDF)
  • Suitable for secure ETL processes requiring high performance
  • Encryption key is provided to the service user in the process
  • Best for trusted platforms where key security can be maintained

Remote Encryption

  • Handled by the central Privacera Encryption Gateway (PEG) server via REST API
  • Encryption keys never leave PEG, providing enhanced security
  • Offers centralized auditing and scheme enforcement
  • Recommended for scenarios requiring strict key protection
