# Privacera Platform

### Overview of Privacera Encryption

:

Privacera Encryption enhances the data security provided by Privacera Access Management and Privacera Discovery.

You can encrypt tables, columns, rows, fields, or other data in connected systems. Even if the data are accessible by policies created in Privacera Access Management, the encrypted data cannot be seen.

Encryption can be two-way: you can encrypt the data in place and decrypt it later. Or it can be one-way: with hashing or overwriting with string literals. You can replace the original data to make it invisible and unrecoverable.

You can also completely mask data with a one-way transform.

For a graphical overview of the encryption process, see View of encryption processes.

Privacera Encryption relies on schemes. A scheme is a combination of formats, algorithms, and scopes. There are three types of schemes:

All schemes rely on the same set of encryption formats, algorithms, and scopes:

• Format: defines the data type and structure to be encrypted, such as alphanumeric, credit card, email address, or social security number.

• Algorithm: specifies the mathematics used to encrypt, such as AES, FPE, or SHA.

• Scope: defines the extent of the data encryption, such as the first four digits, an IP domain, or all data. Scoping ALL is recommended.

A scheme policy defines access control: users who have permission to access a scheme.

For example, you might rely on a Privacera-supplied encryption scheme to protect a PII field called "EMAIL" with the following properties:

• Uses EMAIL format

• Applies the SHA-256 algorithm for a one-way hash

• Is scoped with "masked domain" to hide the portion of the email to the right of the @ sign

You can also define your own custom encryption, presentation, and masking schemes.

#### View of encryption processes

This conceptual graphic with annotation shows the general process of Privacera Encryption. This same process is also illustrated in Encryption architecture and UDF flow.

The Privacera encryption process is as follows:

1. An endpoint is called to encrypt raw data.

2. The encryption scheme encrypts the data according to its associated format, algorithm, and scope.

2. The data is encrypted.

3. An endpoint is called to decrypt the encrypted data.

2. The same encryption scheme that encrypted the data is used to decrypt according to the encryption scheme's format, algorithm, and scope.

3. The presentation scheme obfuscates the decrypted data for presentation to the user.

#### Encryption architecture and UDF flow

This diagram shows the PEG architecture for viewing a record. For a description of the keys in this architecture, see Hierarchy and Types of Encryption Keys.

1. A user queries sensitive data.

2. Privacera Access Management verifies the user access privileges to the data and the key (encryption scheme) used to decrypt the data.

3. If the user has access privileges to both the data and key, Privacera encryption requests the Data Encryption Key (DEK) for the encryption scheme.

4. The Privacera Encryption Gateway (PEG) sends the Encrypted Data Encryption Key (EDEK) from the scheme to Ranger KMS to decrypt the DEK.

5. Ranger KMS authenticates the caller (the encryption module) and uses the KEK to decrypt EDEK and obtain the DEK.

6. The PEG obtains the DEK and decrypts the data.

7. The PEG returns the data to user.

#### Formats, algorithms, and scopes

In Privacera Encryption, a scheme is composed of formats, algorithms, and scopes. The formats, algorithms, and scopes associated with each scheme are described in Encryption formats, algorithms, and scopes.

The following sections explain formats, algorithms, and scopes.

##### Formats

A format is the data type and structure of the input data to be encrypted.

For example, the format of your input data could be:

• Numeric

• Date

• Credit card

• Social security number

##### Algorithms

Algorithms are the mathematics used to encrypt your data.

There are two types of algorithms:

• Two-way encryption and decryption

• One-way hashes

One type of one-way transformation is the LITERAL replacement of data. This option replaces the specified data with the name of the tag associated with the data.

For example, if a database field is tagged as PERSON_NAME, when an encryption transform is applied as LITERAL, the field's value is replaced with PERSON_NAME.

### Caution

If you use LITERAL, the original data cannot be recovered.

##### Scopes

Scopes define the extent of your data encryption, such as the first four digits, an IP domain, or all data.

The ALL scope is recommended as the most comprehensive treatment of the extent of the data. However, you can choose from other available scopes.

#### Approaches to programming

These are the general programming options with Privacera Encryption:

#### Key security

For maximum security, Privacera Encryption relies on different types of encryption keys. For a description of keys, see Hierarchy and Types of Encryption Keys.