
Encryption Schemes

Encryption schemes are used to encrypt and decrypt data. They provide two-way transformation, allowing encrypted data to be decrypted when needed by authorized users. Each scheme contains a unique encryption key used to encrypt and decrypt the data, which is generated and managed by Privacera Encryption.

Default Encryption Schemes

The following is a table of the Privacera-supplied system encryption schemes, which are enabled by default. The name of a scheme generally describes the type of data the scheme is designed to encrypt.

| Scheme Name | Format | Algorithm | Scope | Description |
|---|---|---|---|---|
| SYSTEM_CREDITCARD | CC | FPE | All | Encrypts credit card numbers while preserving format |
| SYSTEM_US_PHONE_FORMATTED | Text | AlphaNumeric | All | Encrypts US phone numbers while maintaining format |
| SYSTEM_ACCOUNT | Text | AlphaNumeric | All | Encrypts account numbers and identifiers |
| SYSTEM_EMAIL | Email | FPE | All | Encrypts email addresses while preserving format |
| SYSTEM_ADDRESS | Text | Standard | All | Encrypts address information |
| SYSTEM_SSN | SSN | FPE | All | Encrypts Social Security Numbers while preserving format |
| SYSTEM_PERSON_NAME | Text | FPE | All | Encrypts person names while maintaining format |

Format-Preserving Encryption (FPE) Considerations

Numeric Formats with FPE Algorithm

For a scheme with a numeric format type and FPE algorithm:

  • The numeric data passed to /protect and /unprotect endpoints must be a string
  • The encrypted output must be stored as a string to preserve format and length
  • Example: encrypting a number such as 123456 with FPE might produce output like 027931

Notes for Numeric Formats

  • If the string contains non-numeric characters, the FPE algorithm will retain those characters in the encrypted output. E.g. 123-45-6789 might become 027-93-1482.
  • The length of the encrypted output will match the length of the input string. If the output length is not the same, it will be padded with 0 or 1 to match the input length. E.g. 123456 might become 027931.

Alphanumeric Formats with FPE Algorithm

For a scheme with an alphanumeric format type and FPE algorithm, the length of the output will match the length of the input string. E.g. abc123 might become pqrxyz. In the default scheme, only alphanumeric characters are allowed in the input string, and they are the following: 0-9, a-z, A-Z.

Single Character Limitations

The FPE algorithm has limitations with single characters:

  • Cannot encrypt single characters (e.g., 'a', '8', 'ñ')
  • Can be configured to either:
    • Skip encryption and return the original value
    • Skip encryption and return an empty value (non-recoverable)

Special Characters

Privacera Encryption's format-preserving encryption (FPE) schemes primarily support ASCII letters (A–Z, a–z) and digits (0–9). Any input containing accented letters (for example, the ó in Adiós), punctuation, emojis, or other non-ASCII symbols falls outside that set and cannot be processed by FPE. If you feed such values into an FPE scheme, Privacera Encryption will skip or flag them as invalid.

Recommended scheme configuration for handling special characters:

  • Format type: ALPHANUMERIC
  • Algorithm: ALPHANUMERIC/STANDARD/STANDARD_256_BIT
  • Scope: ALL

Invalid Input Handling

When using the FPE algorithm:

  • Data must match the format type specified in the scheme
  • Invalid data can be configured to:
    • Return the original value
    • Return an empty value (non-recoverable)
    • Throw an error

This is currently a system-wide setting and not configurable per scheme.

Refer to the Privacera Encryption Configuration for more details.
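
A client-side pre-flight check built from the FPE rules above, as an added example (not Privacera code): it flags values an FPE scheme would not encrypt, which come back in cleartext when "return the original value" is configured, and shows why FPE output must be stored as a string. The function names and the "numeric"/"alphanumeric" labels are assumptions of this example, and it does not call the /protect endpoint.

```python
import string

# Character set the page lists for the default alphanumeric FPE scheme.
ALNUM = set(string.ascii_letters + string.digits)

def preflight(value, format_type):
    """Classify one value before it is sent to /protect. Returns (ok, reason).

    format_type is "numeric" or "alphanumeric" (labels made up for this example).
    """
    if not isinstance(value, str):
        return False, "not a string: numeric data must be passed as a string"
    if value == "":
        return False, "empty value: nothing to encrypt"  # this example's choice
    if len(value) == 1:
        return False, "single character: FPE cannot encrypt it"
    if not value.isascii():
        return False, "non-ASCII character: outside the FPE character set"
    if format_type == "numeric":
        # Non-digit characters such as '-' are retained in the output, so
        # only require that some digits exist (an assumption of this example).
        if not any(ch in string.digits for ch in value):
            return False, "no digits: does not match a numeric format"
        return True, "ok"
    if format_type == "alphanumeric":
        bad = sorted(set(value) - ALNUM)
        if bad:
            return False, "outside 0-9, a-z, A-Z: " + "".join(bad)
        return True, "ok"
    raise ValueError("unknown format_type: %r" % (format_type,))

def skipped_values(values, format_type):
    """Values FPE would not encrypt; with 'return the original value'
    configured, these come back in cleartext."""
    flagged = []
    for v in values:
        ok, reason = preflight(v, format_type)
        if not ok:
            flagged.append((v, reason))
    return flagged

def survives_integer_storage(ciphertext):
    """True if an FPE output string is unchanged after an int round-trip."""
    try:
        return str(int(ciphertext)) == ciphertext
    except ValueError:
        return False

if __name__ == "__main__":
    sample = ["123-45-6789", "8", 123456, "Adiós", "abc123"]  # constructed
    print(skipped_values(sample, "alphanumeric"))
    print(survives_integer_storage("027931"))  # leading zero is lost
```

Running `skipped_values` over a column before enabling a scheme gives a count of records that would pass through unencrypted under the current invalid-input setting.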

Data Validation

Data validation can be enabled at the scheme level to provide custom error handling for invalid values. When enabled:

  1. Invalid values are replaced with predefined error codes
  2. Error codes are preserved during decryption
  3. Supported by various connectors including:
    • FEU
    • Streamset
    • Databricks

For detailed guidance on handling invalid data and enabling custom error handling, refer to the Data Validation documentation.

Creating Custom Encryption Schemes

To create custom encryption schemes in the Privacera Portal:

  1. From the navigation menu, select Encryption & Masking > Encryption & Masking.
  2. Click ADD SCHEME to add a new scheme.
  3. Enter the following details:
    • Name: name of the scheme
    • Description: a description of the scheme
    • Encryption API: PRIVACERA (default) or BOUNCY_CASTLE (Deprecated)
    • Format type: encryption format type (e.g., FPE_ALPHA_NUMERIC, alphanumeric)
    • Scope: all (recommended)
    • Algorithm: encryption algorithm (e.g., AlphaNumeric, FPE, Hash, Tokenization, Standard 256 bit, SHA_256 Hash)
    • Data Validation: toggle to enable custom error handling when encountering invalid values
    • Non-deterministic encrypted data: toggle to enable non-deterministic behavior

    Important

    • Enabling non-deterministic encryption introduces randomness (such as a unique initialization vector) for each encryption operation.
    • This means the same input will produce a different encrypted value every time, making it much harder to detect patterns or reverse-engineer sensitive data.

  4. Click Save.

⚠ Important Notes

  1. Once the scheme is created, it cannot be modified.
  2. If the scheme is deleted, all data encrypted with that scheme will be unrecoverable.

Best Practices

  1. Scheme Naming: Use clear, descriptive names that indicate the purpose and data type
  2. Scope Selection: Use "All" scope unless specific partial encryption is required
  3. Data Validation: Enable data validation for better error handling and debugging
  4. Format Matching: Ensure data format matches the scheme's format type
  5. Key Management: Let Privacera manage encryption keys for better security
  6. Testing: Test schemes with various data formats before production use
