
Privacera Schemes Overview

Privacera Encryption relies on schemes to define how sensitive data should be encrypted, masked, or obfuscated. A scheme is a reusable policy component that defines encryption behavior using a combination of format, algorithm, and scope. It allows granular control over how data is protected and displayed, ensuring flexibility, security, and compliance.

Each scheme contains a unique encryption key used to encrypt and decrypt the data. This key is generated and managed by the Scheme Server.

Types of Schemes

Privacera supports three primary types of schemes:

Encryption Schemes

Privacera Encryption supports deterministic encryption, where the same input value always produces the same encrypted output within a given scheme. This enables operations like equality comparison, joins, and lookups on encrypted data.

Privacera Encryption supports defining multiple encryption schemes for the same data type, enabling different encrypted outputs for the same input value based on the scheme used. This capability allows organizations to implement secure data sharing and isolation strategies through scheme configuration. For example, different schemes can be used to encrypt customer data for different business units or to maintain separate encrypted datasets for development and production environments.

Examples:

  • SYSTEM_EMAIL (default email encryption scheme)
  • SYSTEM_SSN (default SSN encryption scheme)
  • CUSTOMER_SSN (custom scheme for customer SSN)

Use Cases:

  • Deterministic schemes: Suitable for searchable and joinable fields like email or SSN
  • Multiple schemes: Useful for separating environments (e.g., dev vs. prod) or applications

Presentation Schemes

Privacera Encryption supports presentation schemes to allow for controlled decryption outputs. Presentation schemes can either:

  1. Apply masking patterns directly to decrypted values:

    • Reveal last 4 digits of an SSN (XXX-XX-1234)
    • Show masked email domain (x***@example.com)
  2. Re-encrypt data using a different scheme:

    • Original value encrypted with scheme A is decrypted, then re-encrypted with presentation scheme B
    • Example: A credit card number encrypted with PROD_CC_SCHEME is re-encrypted with FRAUD_CC_SCHEME, which lets fraud analysts use the card number for investigation and compare it against other uses

Presentation schemes are useful for:

  • Reducing exposure of decrypted values
  • Supporting use cases like customer service and fraud detection
  • Providing different views of sensitive data based on user roles or business needs
  • Implementing data segregation between departments or applications
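
The determinism, scheme isolation, and two presentation modes described above, as an added Python example (not Privacera code): a toy Feistel permutation keyed with HMAC-SHA256 stands in for the product's FPE algorithm. The keys and function names are constructed for illustration; only the scheme names SYSTEM_SSN and CUSTOMER_SSN come from this page.

```python
import hashlib
import hmac

# Constructed placeholder keys; the real per-scheme key lives in the Scheme Server.
SCHEME_KEYS = {
    "SYSTEM_SSN": hashlib.sha256(b"constructed demo key A").digest(),
    "CUSTOMER_SSN": hashlib.sha256(b"constructed demo key B").digest(),
}
ROUNDS = 10
DIGITS = "0123456789"

def _round(key, rnd, half, modulus):
    # Keyed round function: HMAC-SHA256 reduced into the target half's range.
    mac = hmac.new(key, f"{rnd}|{modulus}|{half}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % modulus

def _feistel(key, digits, decrypt):
    """Toy keyed permutation over a decimal string (illustrative, not NIST FF1)."""
    if len(digits) < 2:
        raise ValueError("need at least two digits")
    u = len(digits) // 2
    v = len(digits) - u
    left, right = int(digits[:u]), int(digits[u:])
    sign = -1 if decrypt else 1
    for rnd in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        if rnd % 2 == 0:
            left = (left + sign * _round(key, rnd, right, 10**u)) % 10**u
        else:
            right = (right + sign * _round(key, rnd, left, 10**v)) % 10**v
    return f"{left:0{u}d}{right:0{v}d}"

def _apply(scheme, value, decrypt):
    # Transform only the digits; separators such as "-" keep their positions.
    digits = "".join(c for c in value if c in DIGITS)
    out = iter(_feistel(SCHEME_KEYS[scheme], digits, decrypt))
    return "".join(next(out) if c in DIGITS else c for c in value)

def protect(scheme, value):
    return _apply(scheme, value, decrypt=False)
def unprotect(scheme, token):
    return _apply(scheme, token, decrypt=True)

def present_last4(scheme, token):
    """Presentation by masking pattern: reveal only the last four SSN digits."""
    return "XXX-XX-" + unprotect(scheme, token)[-4:]

def reencrypt(src_scheme, dst_scheme, token):
    """Presentation by re-encryption: decrypt under scheme A, encrypt under B."""
    return protect(dst_scheme, unprotect(src_scheme, token))
```

Because equal inputs give equal tokens under one scheme, the tokens themselves reveal which rows share a value; keeping a separate scheme per environment or business unit prevents joins across them.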

Masking Schemes

Masking schemes are one-way data transformation techniques that irreversibly obfuscate the original value. They are commonly used for privacy enforcement when data should never be revealed.

Examples:

  • mask_ssn (shows only last 4 digits)
  • mask_email (shows only the domain and hashes the rest)

Components of a Scheme

Each scheme, whether encryption, presentation, or masking, shares a common structure defined by the following elements:

Format

Specifies the data type or structure of the input value. Examples include:

  • Alphanumeric
  • SSN
  • Email address
  • Credit card

Algorithm

Defines the cryptographic technique applied to the data:

Scope

Determines the extent or granularity of encryption or masking:

  • ALL: Full value is encrypted
  • PARTIAL: Only part of the value is encrypted or masked (e.g., domain only, first N characters)

Best Practice

Use ALL for maximum protection unless partial visibility is required.

Supported Formats and Algorithms

The following encryption schemes can be used with the Privacera API:

| Format Type | Algorithms | Scopes | Description |
|---|---|---|---|
| SSN | FPE | ALL, LAST_4_DIGITS | U.S. Social Security Number (full or last‑4 only) |
| CC | FPE | ALL, FIRST_4_DIGITS, LAST_4_DIGITS | Credit Card number (full or partial masking) |
| DATE | FPE | ALL | Full date |
| DATE_DD_MM | FPE | ALL | Day‑month only date |
| EMAIL | FPE | ALL, USERNAME_AT_MASKED_DOMAIN, MASKED_USERNAME_AT_DOMAIN | Email address (full or partial user/domain masking) |
| IP | FPE | ALL | IPv4 or IPv6 address |
| HOST_DOMAIN | FPE, STANDARD, STANDARD_256_BIT, ALPHANUMERIC | ALL | Hostname/domain; choose FPE or AES (128/256) or simple alpha‑num |
| ALPHANUMERIC | ALPHANUMERIC, STANDARD, STANDARD_256_BIT | ALL | Letters & digits only (shuffle or AES) |
| FPE_ALPHA_NUMERIC | FPE, ALPHANUMERIC, STANDARD, STANDARD_256_BIT | ALL | Alphanumeric with FPE or AES options |
| NUMBER (NUMERIC) | FPE | ALL | Digit‑only strings (IDs, account numbers) |
| DRIVER_LICENSE | FPE, STANDARD, STANDARD_256_BIT | ALL | Driver license numbers (format‑preserved or AES) |
| LITERAL | ALPHANUMERIC | ALL | Unstructured text limited to letters & digits |
| HASHING | SHA_256_HASH, SHA_512_HASH | ALL | Irreversible hashing (256‑ or 512‑bit) |
| TEXT | FPE, STANDARD, STANDARD_256_BIT | ALL | Free‑form text (choose FPE for format or AES for full coverage) |
| ASCII | FPE | ALL | Printable ASCII (codes 32–126) |

Custom Schemes

In addition to prebuilt system schemes, administrators can create custom schemes tailored to specific use cases, business rules, or compliance requirements.

Supported custom scheme types:

  • Encryption Schemes: Define how a specific field (like multilingual names) is encrypted.
  • Presentation Schemes: Allow partial reveal on decryption.
  • Masking Schemes: Apply one-way masking for compliance and data minimization.

Custom schemes can be created via:

  • Privacera Portal UI: Encryption & Masking → Schemes
  • REST APIs: Scheme Server endpoints

Where Schemes Are Used

Schemes are core to all Privacera Encryption workflows, including:

  • PEG REST API: Used in encrypt/decrypt/mask requests
  • Databricks UDFs: Referenced in protect/unprotect/mask functions
  • File Encryption Utility (FEU): Referenced in meta files
  • StreamSets Pipelines: Referenced via meta file column mappings
  • Discovery Policies: Used in De-Identification, Workflow Encryption, and RTP
  • Masking Policies: Resource-based or tag-based masking references schemes

Example Use Case

To protect the column email_address in a customer dataset:

  • Use system encryption scheme SYSTEM_EMAIL
  • Apply presentation scheme SYSTEM_PRESENTATION_EMAIL for obfuscated display (e.g., x***@domain.com)
  • Define masking scheme EMAIL_MASKING_NULLIFY for restricted roles (returns NULL)
