Protegrity
This document provides information about configuring Futurex HSMs with the Protegrity Data Security Platform using PKCS #11 libraries. For additional questions related to your HSM, see the relevant administrator’s guide.
The Protegrity Data Security Platform uses many keys to protect your sensitive data. The Protegrity Key Management solution manages these keys, and this system is embedded into the fabric of the Protegrity Data Security Platform. For example, the creation of a cryptographic or data protection key is a part of the process of how you define the way sensitive data is to be protected. There is not a specific user-visible function to create a data protection key.
Because key management is part of the platform's core infrastructure, the security team can focus on protecting data rather than on the low-level mechanics of key management. Managing keys within the platform infrastructure eliminates the need for any human to act as a custodian of keys, and this holds for every function included in key management.
The keys that are part of the Protegrity Key Management solution are:
- Key Encryption Key (KEK): The cryptographic key used to protect other keys. The KEKs are categorized as follows:
  - Master Key: Protects the Data Store Keys and the ESA Repository Key. In the ESA, only one active Master Key is present at a time.
  - ESA Repository Key: Protects policy information in the ESA. In the ESA, only one active ESA Repository Key is present at a time.
  - Data Store Key: Encrypts the audit logs on the protection endpoint. In the ESA, multiple active Data Store Keys can be present at a time.
- Data Encryption Key (DEK): The cryptographic key used to encrypt the sensitive data for the customers.
- Codebooks: The lookup tables used to tokenize the sensitive data.
You can configure the Protegrity Data Security Platform to use an HSM to generate and protect the Protegrity Key Encryption Keys (KEKs).
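The key hierarchy described above, as an added Go example that is not Futurex or Protegrity code: a Data Store Key encrypts an endpoint's audit record, the Master Key wraps the Data Store Key, and rotating the Master Key rewraps the stored keys without touching the encrypted audit data. The HSM is represented by an in-process stand-in type that exposes only wrap/unwrap and never returns the Master Key bytes; AES-256-GCM as the wrapping algorithm, the key and endpoint ids, and the audit line are all assumptions made for this example, since the page does not state them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// sampleAuditLine is a constructed audit-log record, not real Protegrity output.
const sampleAuditLine = "2024-01-01T00:00:00Z PROTECT table=customers column=ssn result=OK"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// randomBytes draws n bytes from the OS CSPRNG; in a real deployment the HSM generates the KEKs.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	must(err)
	return b
}

// gcm builds AES-256-GCM over a 32-byte key (assumed here; the page names no wrapping algorithm).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	aead, err := cipher.NewGCM(block)
	must(err)
	return aead
}

// seal returns nonce||ciphertext with aad bound into the tag; open reverses it.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad) // fails on any change to blob or aad
	}
	return nil, fmt.Errorf("truncated blob")
}

// hsmMasterKey stands in for the HSM-resident Master Key: raw never leaves the struct,
// only wrap/unwrap are exposed (constructed stand-in, not a Futurex or Protegrity API).
type hsmMasterKey struct {
	id  string
	raw []byte
}

// wrappedKey is a Data Store Key as the ESA would hold it: ciphertext under the Master Key.
type wrappedKey struct {
	keyID string
	blob  []byte
}

// wrap binds keyID in as AAD, so a wrapped blob cannot be relabelled as another key.
func (m *hsmMasterKey) wrap(keyID string, raw []byte) wrappedKey {
	return wrappedKey{keyID: keyID, blob: seal(m.raw, raw, []byte(keyID))}
}
func (m *hsmMasterKey) unwrap(w wrappedKey) ([]byte, error) {
	return open(m.raw, w.blob, []byte(w.keyID))
}

// rotateMaster replaces the single active Master Key by rewrapping every stored key.
func rotateMaster(old *hsmMasterKey, newID string, keys []wrappedKey) (*hsmMasterKey, []wrappedKey) {
	next := &hsmMasterKey{id: newID, raw: randomBytes(32)}
	var out []wrappedKey
	for _, w := range keys {
		raw, err := old.unwrap(w)
		must(err)
		out = append(out, next.wrap(w.keyID, raw))
	}
	return next, out
}

// demo runs the hierarchy end to end and returns the audit line recovered after a rotation.
func demo() string {
	master := &hsmMasterKey{id: "master-1", raw: randomBytes(32)}
	dsk := randomBytes(32) // Data Store Key of one protection endpoint
	wrapped := master.wrap("dsk-endpoint-A", dsk)
	logBlob := seal(dsk, []byte(sampleAuditLine), []byte("audit")) // endpoint encrypts its log
	next, rewrapped := rotateMaster(master, "master-2", []wrappedKey{wrapped})
	if _, err := master.unwrap(rewrapped[0]); err == nil {
		panic("retired Master Key still unwraps the rewrapped key")
	}
	dsk2, err := next.unwrap(rewrapped[0])
	must(err)
	pt, err := open(dsk2, logBlob, []byte("audit"))
	must(err)
	return string(pt)
}

func main() {
	fmt.Println("recovered after rotation:", demo())
}
```

The retired Master Key is checked explicitly after rotation: it must fail to unwrap the rewrapped Data Store Key, which is what "only one active Master Key at a time" means in practice, while the audit ciphertext produced under the Data Store Key remains readable unchanged.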
The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:
- Centralized device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems
Please see the applicable guide for configuring HSMs with the Guardian Series 3.