Types of Keys
Key management is critical for encryption of data-at-rest and data-in-transit. The encryption keys must be secured by externalizing them into a separate Key Management System (KMS) to prevent compromising the keys. Apache Ranger KMS is a key storage solution to manage keys across Privacera services. Keys are stored and managed by Apache Ranger KMS and the keys are stored in an encrypted format in the Apache Ranger KMS database.
Privacera Key Hierarchy#
The key hierarchy includes the following types of keys.
Data Encryption Key (DEK)#
The Data Encryption Key (DEK) is the key that encrypts and decrypts the data. Each encryption scheme created in the Privacera Portal is mapped to a unique DEK. The user must have key access privileges to encrypt or decrypt data using the DEK. The DEK is always stored in an encrypted format. The key used to encrypt the DEK is managed by Apache Ranger KMS.
Key Encryption Key (KEK)#
A KEK is the key used encrypt the DEK. The KEKs are stored and managed in Apache Ranger KMS. Apache Ranger KMS manages the KEK keys used to either encrypt DEKs to create Encrypted Data Encryption Keys (EDEKs) or to decrypt EDEKs. The Key Encryption Keys (KEKs) are encrypted using the Master Key which is stored separately outside of the KMS database or externally on a hardware security module (HSM).
- If a KEK is deleted, any associated encrypted data cannot be decrypted.
- KEKs should be rotated at regular intervals, such as every 12 months initially. Frequency of rotation can be increased depending on how extensively the KEK is used.
Encrypted Data Encryption Key (EDEK)#
The EDEK is the encrypted DEK and is encrypted by using a KEK. A KEK is required to decrypt an EDEK. EDEKs are stored and managed by Privacera.
The Master Key is used to encrypt the KEKs in Apache Ranger KMS. The Master Key is stored separately outside of the KMS database or externally a hardware security module (HSM).