Protegrity

This document describes how to configure our HSMs for use with the Protegrity Data Security Platform through its PKCS #11 library. For questions about the HSM itself, see the relevant administrator guide.

Application description

The Protegrity Data Security Platform uses many keys to protect sensitive data. Those keys are managed by the Protegrity Key Management solution, which is built into the platform rather than exposed as a separate tool. For example, defining the protection method for a sensitive data element implicitly creates the cryptographic or data-protection key it needs; there is no separate user-visible function for creating a data-protection key.

Because key management is part of the platform's core infrastructure, the security team can focus on protecting data rather than on the low-level mechanics of key management. This infrastructure-based approach removes the need for any person to act as a custodian of keys, and it applies to every key-management function.

The following keys are part of the Protegrity Key Management solution:

  • Key Encryption Key (KEK): A cryptographic key that protects other keys. The following keys are types of KEKs:
    • Master Key: Protects the Data Store Keys and the ESA Repository Key. Only one active Master Key is present in the Enterprise Security Administrator (ESA) at a time.
    • ESA Repository Key: Protects policy information in the ESA. Only one active ESA Repository Key is present in the ESA at a time.
    • Data Store Key: Encrypts the audit logs on the protection endpoint. Multiple active Data Store Keys can be present in the ESA at a time.
  • Data Encryption Key (DEK): A cryptographic key that encrypts the customer's sensitive data.
  • Codebooks: The lookup tables used to tokenize sensitive data.

You can configure the Protegrity Data Security Platform to use an HSM to generate the Protegrity KEKs and keep them under HSM protection.
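As an added illustration of the key hierarchy above (not code from this page or from Protegrity), the following Go program models a Master Key wrapping an ESA Repository Key and several Data Store Keys, each of which in turn encrypts policy or audit data, and then rotates the Master Key. The `ESA` type, its methods, the key names and the use of AES-256-GCM for wrapping are all assumptions made for the example; in a real deployment the Master Key is an HSM object reached over PKCS #11 and the wrapping and unwrapping happen inside the HSM, not in software.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newKey returns a fresh 256-bit AES key. In a real deployment the Master Key is
// generated inside the HSM over PKCS #11; software generation here is only so the example runs stand-alone.
func newKey() []byte {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read never returns an error (Go 1.24+)
	return k
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys in this example are always 32 bytes
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return g
}

// seal returns nonce||ciphertext of plaintext under an AES-256-GCM key; the
// label is authenticated so a blob cannot be replayed under another name.
func seal(key, plaintext []byte, label string) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, []byte(label))
}

// open reverses seal and fails if the key or the label does not match.
func open(key, blob []byte, label string) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short (%d bytes)", len(blob))
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(label))
}

// ESA models the key store described above: one active Master Key and, wrapped
// under it, the ESA Repository Key plus one Data Store Key per endpoint.
type ESA struct {
	MasterKey []byte            // in production an HSM object handle, never raw bytes
	Wrapped   map[string][]byte // key name -> key material sealed under MasterKey
}

// NewESA creates the Master Key, then a Repository Key and one Data Store Key per endpoint.
func NewESA(endpoints ...string) *ESA {
	e := &ESA{MasterKey: newKey(), Wrapped: map[string][]byte{}}
	for _, name := range append([]string{"ESA Repository Key"}, endpoints...) {
		e.Wrapped[name] = seal(e.MasterKey, newKey(), name) // raw KEK is dropped at once
	}
	return e
}

// Encrypt and Decrypt protect data (policy or an audit log) under the named KEK, which
// is unwrapped with the Master Key first; an unknown name yields a nil blob and so an error.
func (e *ESA) Encrypt(name string, data []byte) ([]byte, error) {
	k, err := open(e.MasterKey, e.Wrapped[name], name)
	if err != nil {
		return nil, err
	}
	return seal(k, data, "data:"+name), nil
}

func (e *ESA) Decrypt(name string, blob []byte) ([]byte, error) {
	k, err := open(e.MasterKey, e.Wrapped[name], name)
	if err != nil {
		return nil, err
	}
	return open(k, blob, "data:"+name)
}

// RotateMasterKey installs a new Master Key and rewraps every KEK under it. Only the
// wrapping changes: the inner keys, and all data encrypted with them, stay as they are.
func (e *ESA) RotateMasterKey() error {
	next := &ESA{MasterKey: newKey(), Wrapped: map[string][]byte{}}
	for name, blob := range e.Wrapped {
		k, err := open(e.MasterKey, blob, name)
		if err != nil {
			return err // refuse to rotate if any blob fails to unwrap
		}
		next.Wrapped[name] = seal(next.MasterKey, k, name)
	}
	*e = *next
	return nil
}

func main() {
	e := NewESA("Data Store Key db-01", "Data Store Key db-02")
	blob, _ := e.Encrypt("ESA Repository Key", []byte("mask SSN for role analyst"))
	if err := e.RotateMasterKey(); err != nil {
		panic(err)
	}
	p, err := e.Decrypt("ESA Repository Key", blob) // still readable after rotation
	fmt.Printf("%s err=%v\n", p, err)
}
```

The point worth noticing is the rotation: because each KEK is sealed under the Master Key rather than used directly on data, retiring the Master Key means rewrapping a handful of small blobs while the policy and audit-log ciphertexts never change. Binding each blob to its key name as authenticated data also means a Data Store Key blob cannot be presented to the system as the Repository Key, and a retired Master Key no longer opens anything.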

Guardian integration