Working with Keys

Protegrity Data Security platform uses many keys to protect your sensitive data.

The Protegrity Key Management solution manages these keys and is embedded in the fabric of the Protegrity Data Security Platform. For example, creating a cryptographic or data protection key is part of defining how a sensitive data element is to be protected; there is no separate, user-visible function for creating a data protection key.

With key management part of the platform's core infrastructure, the security team can focus on protecting data rather than on the low-level mechanics of key management. Because key management is performed by the platform infrastructure, no person needs to act as a custodian of keys, and this holds for every function that key management comprises.

The keys that are part of the Protegrity Key Management solution are:

  • Key Encryption Key (KEK): A cryptographic key used to protect other keys. KEKs are categorized as follows:

    • Master Key - Protects the Data Store Keys and the Repository Key. Only one Master Key is active in the ESA at a time.
    • Repository Key - Protects policy information in the ESA. Only one Repository Key is active in the ESA at a time.
    • Data Store Key - Encrypts the audit logs on the protection endpoint. Multiple Data Store Keys can be active in the ESA at a time. This key applies only to protector versions v8.0.0.0 and earlier.
  • Signing Key: The protector uses the Signing Key to sign the audit log record for each data protection operation. The signed records are sent to the ESA, which verifies the signature and displays the signature details for each record.

    For more information about the signature details for the log records, refer to the Protegrity Log Forwarding Guide 9.2.0.0.

  • Data Encryption Key (DEK): The cryptographic key used to encrypt customers' sensitive data.

  • Codebooks: The lookup tables used to tokenize sensitive data.
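The relationships between these key types can be made concrete with a small model. The following Python is an added illustration written for this page; it is not Protegrity's implementation and does not reflect the product's algorithms or formats. It assumes a Master Key (KEK) that wraps a Repository Key and a per-data-element DEK, a Signing Key that authenticates each audit record, and a codebook that tokenizes by lookup. To stay standard-library only, the cipher is an HMAC-SHA256 counter-mode keystream with a separate HMAC tag (encrypt-then-MAC), standing in for an authenticated cipher such as AES-GCM.

```python
"""Illustrative key hierarchy (not Protegrity's code): KEK -> DEK, Signing Key, codebook."""
import hashlib
import hmac
import json
import secrets


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher (stand-in for AES)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC. The AAD binds the blob to its purpose (which key it wraps, which element it protects)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key, wrong AAD or altered blob is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyHierarchy:
    """One active Master Key; the Repository Key and every DEK exist at rest only in wrapped form."""

    def __init__(self):
        self.master_key = secrets.token_bytes(32)
        self.wrapped_repository_key = seal(self.master_key, secrets.token_bytes(32), b"repository")
        self.wrapped_deks = {}
        self.signing_key = secrets.token_bytes(32)

    def define_protection(self, element: str) -> None:
        """Defining how an element is protected creates its DEK; there is no separate 'create key' step."""
        self.wrapped_deks[element] = seal(self.master_key, secrets.token_bytes(32), b"dek:" + element.encode())

    def _dek(self, element: str) -> bytes:
        return open_(self.master_key, self.wrapped_deks[element], b"dek:" + element.encode())

    def protect(self, element: str, value: bytes) -> bytes:
        return seal(self._dek(element), value, b"data:" + element.encode())

    def unprotect(self, element: str, blob: bytes) -> bytes:
        return open_(self._dek(element), blob, b"data:" + element.encode())

    def rotate_master_key(self) -> None:
        """Rewrap every subordinate key under a fresh Master Key; DEKs and protected data are untouched."""
        new_master = secrets.token_bytes(32)
        repo = open_(self.master_key, self.wrapped_repository_key, b"repository")
        self.wrapped_repository_key = seal(new_master, repo, b"repository")
        self.wrapped_deks = {e: seal(new_master, self._dek(e), b"dek:" + e.encode()) for e in self.wrapped_deks}
        self.master_key = new_master

    def sign_audit_record(self, record: dict) -> str:
        """Protector side: append an HMAC over the canonical JSON of the audit record."""
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return body + "|" + hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest()

    def verify_audit_record(self, line: str) -> bool:
        """ESA side: recompute and compare the signature before trusting the record."""
        body, _, sig = line.rpartition("|")
        return hmac.compare_digest(sig, hmac.new(self.signing_key, body.encode(), hashlib.sha256).hexdigest())


class Codebook:
    """Tokenization by lookup: a secret permutation of all values of a fixed width, not a cipher."""

    def __init__(self, digits: int = 4):
        values = [f"{i:0{digits}d}" for i in range(10 ** digits)]
        tokens = values[:]
        secrets.SystemRandom().shuffle(tokens)
        self.forward = dict(zip(values, tokens))
        self.reverse = dict(zip(tokens, values))

    def tokenize(self, value: str) -> str:
        return self.forward[value]

    def detokenize(self, token: str) -> str:
        return self.reverse[token]


def demo() -> dict:
    """Runs the model on constructed sample data and returns the checks as booleans."""
    kh = KeyHierarchy()
    kh.define_protection("ssn")
    ct = kh.protect("ssn", b"123-45-6789")
    kh.rotate_master_key()  # ciphertext must remain decryptable after KEK rotation
    line = kh.sign_audit_record({"op": "protect", "element": "ssn", "user": "app1"})
    cb = Codebook()
    tok = cb.tokenize("6789")
    return {
        "roundtrip": kh.unprotect("ssn", ct) == b"123-45-6789",
        "signature_ok": kh.verify_audit_record(line),
        "tamper_detected": not kh.verify_audit_record(line.replace("app1", "app2")),
        "token_roundtrip": cb.detokenize(tok) == "6789",
        "token_format_preserved": len(tok) == 4 and tok.isdigit(),
    }
```

Two design points carry over to real deployments: rotating the Master Key only rewraps the keys beneath it, so no protected data is re-encrypted, and the AAD on each wrapped key prevents a blob wrapped for one purpose from being presented as another. The constructed audit record is the only sample input.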

For more information about managing keys, refer to the Protegrity Key Management Guide 9.2.0.0.