
PEG and Key Management (Azure Key Vault)

Privacera Encryption Gateway (PEG) uses Azure Key Vault to protect encryption keys. The Data Encryption Key (DEK), also called the scheme key, is encrypted with a master key held in Azure Key Vault: the Scheme Server calls Azure Key Vault only to encrypt or decrypt the scheme key, and stores only the encrypted scheme key in the Metadata DB. The master key is never returned or exposed. For configuring master key storage, see Master Key Storage.

Sequence flow: PEG with Azure Key Vault

The following sequence describes how protect, unprotect, and mask operations flow between a client application, PEG, the Scheme Server, the metadata store, and Azure Key Vault. The client can be any supported platform (for example, Databricks, Snowflake, or a custom application).

sequenceDiagram
    box Privacera Environment
        participant APP as Client Application
        participant PEG as PEG Server
        participant SS as Scheme Server
        participant DB as Metadata DB
        participant KV as Azure Key Vault
    end

    APP->>PEG: Protect, Unprotect, or Mask (JWT)
    PEG->>SS: Get Scheme

    SS->>DB: Fetch Scheme Metadata
    DB-->>SS: Scheme and Encrypted DEK
    Note right of DB: Encrypted DEK stored in DB

    SS->>KV: Decrypt encrypted scheme key
    Note right of KV: Operation in Key Vault, master key never exposed
    KV->>KV: Decrypt using master key
    KV-->>SS: Plaintext scheme key

    SS-->>PEG: Scheme Metadata

    PEG->>PEG: Protect, Unprotect, or Mask
    PEG-->>APP: Protected or Unprotected or Masked Data

Key points:

  • Client Application sends protect/unprotect/mask requests to PEG Server (authenticated via JWT).
  • PEG asks the Scheme Server for the encryption scheme.
  • Scheme Server loads scheme metadata and the encrypted scheme key (DEK) from the Metadata DB. The Scheme Server then calls Azure Key Vault to decrypt the scheme key. Azure Key Vault performs the cryptographic operation internally; the master key never leaves Azure Key Vault and is never exposed.
  • Scheme Server returns the scheme metadata to the PEG Server for the operation.
  • PEG performs encryption/decryption/masking at runtime and returns the result to the client.

Azure Key Vault integration

When PEG is configured to use Azure Key Vault for key management:

  • The master key is managed by Azure Key Vault and never leaves the Key Vault.
  • PEG calls Azure Key Vault to encrypt or decrypt the scheme key. Only the encrypted scheme key (DEK) is stored in the Metadata DB.
  • The Scheme Server runs in an environment that has Azure AD–based access to the Key Vault (managed identity or service principal).
  • Key hierarchy: Azure Key Vault holds the master key and performs encrypt/decrypt of the scheme key; the Metadata DB stores only the encrypted scheme key.
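To make the sequence flow and the key hierarchy above concrete, here is an added Python model of the trust boundary (example code written for this page, not Privacera's code and not the Azure SDK): the vault stub holds the master key and exposes only wrap/unwrap, the Scheme Server persists only the wrapped DEK in the Metadata DB, and PEG encrypts or decrypts data with the DEK it gets back. The HMAC-based cipher is a stand-in for Key Vault's real wrap algorithms and for AES, used only so the example runs on the standard library; all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy CTR-style keystream from HMAC-SHA256; stands in for AES here, not for production.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return _keystream_xor(key, nonce, ct)

class KeyVaultStub:
    """Stands in for Azure Key Vault: holds the master key, exposes only wrap/unwrap."""
    def __init__(self) -> None:
        self._master_key = secrets.token_bytes(32)  # no method ever returns this value
    def wrap_key(self, dek: bytes) -> bytes:
        return seal(self._master_key, dek)
    def unwrap_key(self, wrapped_dek: bytes) -> bytes:
        return unseal(self._master_key, wrapped_dek)

class SchemeServer:
    """Persists only the wrapped DEK in the Metadata DB; asks the vault to unwrap it per request."""
    def __init__(self, vault: KeyVaultStub, metadata_db: dict) -> None:
        self.vault, self.db = vault, metadata_db
    def create_scheme(self, name: str) -> None:
        self.db[name] = self.vault.wrap_key(secrets.token_bytes(32))  # plaintext DEK is not kept
    def scheme_key(self, name: str) -> bytes:
        return self.vault.unwrap_key(self.db[name])

def peg_protect(ss: SchemeServer, scheme: str, data: bytes) -> bytes:
    return seal(ss.scheme_key(scheme), data)  # PEG encrypts with the unwrapped DEK

def peg_unprotect(ss: SchemeServer, scheme: str, blob: bytes) -> bytes:
    return unseal(ss.scheme_key(scheme), blob)
```

A second SchemeServer backed by a different vault, pointed at the same Metadata DB, cannot unwrap the stored DEK, which is the property that makes a copy of the DB alone useless to an attacker.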