Privacera Encryption Gateway (PEG) Overview
Privacera Encryption Gateway (PEG) is a centralized encryption and vaultless tokenization service designed to seamlessly integrate with modern data platforms, cloud-native applications, and analytics tools. Vaultless tokenization refers to the use of format-preserving encryption (FPE) to securely transform sensitive data without relying on a traditional token vault. PEG provides secure, policy-based encryption for sensitive data across both structured and semi-structured formats.
PEG is a stateless encryption service that enables data security teams to enforce field-level encryption, masking, and tokenization across data platforms such as Databricks, Snowflake, Redshift, and more. It is designed to meet enterprise security requirements while being scalable and developer-friendly.
Core Capabilities
What is Vaultless Tokenization? Vaultless tokenization transforms sensitive data (e.g., PII, credit card numbers) into tokens using format-preserving encryption (FPE) without storing the original values in a central token vault. Because a token is computed from the value and a key rather than looked up in a table, the approach scales horizontally, avoids the latency of a vault round-trip, and removes the vault as a point of compromise or availability; protection of the data then rests on protecting the FPE keys and on the permission checks that gate decryption.
- Vaultless Tokenization: Secure format-preserving encryption (FPE) without a central vault
- Support for Multiple Encryption Modes:
    - Native encryption: Performed at the client or connector level
    - Remote encryption: Performed at the PEG server level
- Presentation Schemes: Obfuscate decrypted values using a presentation format (e.g., partial reveal)
- Masking: Redact or nullify sensitive values for specific user roles
- User and Role-based Access Control: Policies enforced via Ranger and Privacera Portal
- Integration Interfaces: REST API, UDFs, CLI tools, and pipeline processors
Architecture Overview
PEG consists of two main components:
- PEG Server
    - Performs encryption, decryption, and masking
    - Enforces scheme-based permissions via JWT and impersonation
    - Integrated with Ranger for policy management
- Scheme Server
    - Manages the lifecycle of encryption, presentation, and masking schemes
```mermaid
sequenceDiagram
    title PEG Architecture Flow
    participant User
    %% Group PEG Server and RangerPlugin together
    box Privacera Runtime #E3F4FF
        participant PEG Server
        participant RangerPlugin
    end
    participant Scheme Server
    User->>PEG Server: Request encrypt/decrypt/mask
    PEG Server->>Scheme Server: Fetch scheme details
    Scheme Server-->>PEG Server: Return scheme details
    PEG Server->>RangerPlugin: Validate user permissions
    RangerPlugin-->>PEG Server: Permission status
    PEG Server-->>User: Encrypted/Decrypted/Masked data
```
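The following is an added, runnable model of the request flow in the diagram above and of the vaultless tokenization described under Core Capabilities. It is not Privacera's code and not PEG's API: `SchemeServer`, `RangerPlugin` and `PegServer` are hypothetical stand-ins for the components in the diagram, the policy table and scheme definitions are constructed, and the cipher is a small HMAC-SHA256 Feistel network written for illustration, where a production gateway would use a standardized FPE mode such as FF1. Using the scheme name as the FPE tweak is an assumption of this example. The card number is a constructed sample.

```python
"""Toy PEG request flow over a vaultless (FPE) tokenizer.

Added example, not Privacera code: SchemeServer, RangerPlugin and PegServer
are hypothetical stand-ins for the diagram's components, and the cipher is a
small HMAC-SHA256 Feistel network, not FF1/FF3. All sample data is constructed.
"""
import hashlib
import hmac
import secrets

ROUNDS = 10  # even, so the two half-widths end in their original order

def _prf(key: bytes, tweak: str, rnd: int, half: int, width: int) -> int:
    """Keyed round function: HMAC over (tweak, round, zero-padded half) as an int."""
    msg = f"{tweak}|{rnd}|{half:0{width}d}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def fpe_encrypt(key: bytes, tweak: str, digits: str) -> str:
    """Map a decimal string to a decimal string of the same length; nothing is stored."""
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need a decimal string of at least two digits")
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = int(digits[:u]), int(digits[u:])
    for rnd in range(ROUNDS):
        a, b = b, (a + _prf(key, tweak, rnd, b, v)) % 10**u
        u, v = v, u
    return f"{a:0{u}d}{b:0{v}d}"

def fpe_decrypt(key: bytes, tweak: str, digits: str) -> str:
    """Inverse of fpe_encrypt: the same rounds, run backwards."""
    u, v = len(digits) // 2, len(digits) - len(digits) // 2
    a, b = int(digits[:u]), int(digits[u:])
    for rnd in reversed(range(ROUNDS)):
        a, b = (b - _prf(key, tweak, rnd, a, u)) % 10**v, a
        u, v = v, u
    return f"{a:0{u}d}{b:0{v}d}"

class SchemeServer:
    """Stand-in for the Scheme Server: owns the scheme definitions (constructed)."""
    def __init__(self) -> None:
        self._schemes = {
            "card_fpe": {"type": "encryption", "key": secrets.token_bytes(32)},
            "card_last4": {"type": "presentation", "base": "card_fpe", "reveal_last": 4},
            "card_mask": {"type": "masking", "mask_char": "X"},
        }
    def fetch(self, name: str) -> dict:
        return self._schemes[name]  # KeyError for an unknown scheme

class RangerPlugin:
    """Stand-in for the Ranger plugin: (role, scheme) -> permitted actions."""
    POLICIES = {
        ("etl", "card_fpe"): {"encrypt"},
        ("fraud_ops", "card_fpe"): {"encrypt", "decrypt"},
        ("analyst", "card_last4"): {"decrypt"},  # decrypt, then partially reveal
        ("support", "card_mask"): {"mask"},
    }
    def is_allowed(self, roles, scheme: str, action: str) -> bool:
        return any(action in self.POLICIES.get((r, scheme), set()) for r in roles)

class PegServer:
    """Fetch scheme -> validate permission -> transform, as in the sequence diagram."""
    def __init__(self, schemes: SchemeServer, ranger: RangerPlugin) -> None:
        self.schemes, self.ranger, self.audit = schemes, ranger, []

    def handle(self, user: str, roles, action: str, scheme: str, value: str) -> str:
        spec = self.schemes.fetch(scheme)
        allowed = self.ranger.is_allowed(roles, scheme, action)
        self.audit.append((user, action, scheme, allowed))  # logged: never the value
        if not allowed:
            raise PermissionError(f"{user} may not {action} with {scheme}")
        if spec["type"] == "encryption":
            op = fpe_encrypt if action == "encrypt" else fpe_decrypt
            return op(spec["key"], scheme, value)  # scheme name as tweak (assumption)
        if spec["type"] == "presentation":
            base = self.schemes.fetch(spec["base"])
            clear = fpe_decrypt(base["key"], spec["base"], value)
            keep = spec["reveal_last"]
            return "*" * max(len(clear) - keep, 0) + clear[-keep:]
        if spec["type"] == "masking":
            return spec["mask_char"] * len(value)
        raise ValueError(f"unsupported scheme type {spec['type']!r}")

def demo() -> dict:
    peg = PegServer(SchemeServer(), RangerPlugin())
    pan = "4111111111111111"  # constructed sample, not a real account
    token = peg.handle("etl-job", ["etl"], "encrypt", "card_fpe", pan)
    try:
        peg.handle("alice", ["analyst"], "decrypt", "card_fpe", token)
        denied = False
    except PermissionError:
        denied = True
    return {
        "token": token,
        "partial": peg.handle("alice", ["analyst"], "decrypt", "card_last4", token),
        "masked": peg.handle("bob", ["support"], "mask", "card_mask", token),
        "clear": peg.handle("carol", ["fraud_ops"], "decrypt", "card_fpe", token),
        "full_decrypt_denied": denied,
    }
```

Three properties of the design are worth checking in the output of `demo()`: the token is a 16-digit string that differs from the input but never needs a lookup table to reverse, so the server holds no state beyond the key; the audit trail records who asked for which action against which scheme and whether it was allowed, but not the value; and permissions are granted per (role, scheme, action), so an analyst entitled only to the presentation scheme gets the last four digits and is refused when asking for the full decryption scheme.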
Benefits
- Centralized Policy Enforcement: Consistent data protection across platforms
- Performance: PEG is stateless and horizontally scalable, so encryption adds little latency
- Developer-Friendly: Exposed via APIs, CLI, and connectors
- Security: PEG does not persist the sensitive values it processes; every operation is logged and auditable
- Compliance-Ready: Supports regulatory requirements (HIPAA, GDPR, CCPA, etc.)
Where PEG Is Used
PEG can be used directly or via integrations with the following systems:
- Databricks: Via UDFs and masking policies
- Snowflake and Redshift: Via tokenization connectors
- File-based CLI workflows: Via FEU
- Discovery workflows: For compliance automation