Key management

Most masking algorithms include a key as part of their configuration. Changing this key changes the output of these algorithms. For example, if the FIRST NAME algorithm masks “Michelle” to “Rachael,” changing the key might cause it to mask “Michelle” to “Ben”. An algorithm can depend on one of two types of key: 1) the global key or 2) an individual key.

Global key

A user with Administrator privileges can change the global key by clicking the Generate New Key button in the Admin tab.

Other actions are not allowed during the key generation process. Wait for the Generate New Key process to complete and a success dialog to display in the user interface before performing additional actions on the Masking Engine (e.g., running a masking job).

Synchronizing the global key between multiple engines

In order for algorithms to behave the same way across several engines, all of those engines must have the same global key. Changing an engine’s global key alters the behavior of all of the algorithms that depend on the global key.

You may want to change the global key from time to time as a security management practice. If so, change it on all of the engines at the same time. That is, generate a new global key on one engine, export that key, and import it to all of the other engines in the deployment.

The global key can be imported and exported independently of algorithms. To export the global key from an engine, log in to the engine through the login endpoint and then call export with the body shown below. Like all objects, you can encrypt the payload by supplying a passphrase header.

    [{
        "objectIdentifier": {
            "keyId": "global"
        },
        "objectType": "KEY"
    }]

The API will return a JSON payload containing an encoded form of the global key that you can install on other engines through the import endpoint. Like all exported objects, it is encoded in an opaque blob.
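The export/import round trip described above, as an added POSIX shell example that is not part of this page or the product's own tooling. It assumes the login, export and import endpoints are POST /masking/api/login, /masking/api/export and /masking/api/import, that login returns {"Authorization": "<token>"}, that the passphrase is sent in a "passphrase" header, and that import accepts a force_overwrite query parameter; confirm each against your engine's API reference before use.

```shell
#!/bin/sh
# Added example (not the product's own tooling): copy the global key from
# engine A to engine B so both mask identically. Endpoint paths, the login
# response shape, the "passphrase" header and force_overwrite are assumptions.

# The export body shown above, selecting only the global key.
export_body() {
    printf '[{"objectIdentifier":{"keyId":"global"},"objectType":"KEY"}]'
}

# Pull the session token out of a login response read from stdin.
token_from_login_response() {
    sed -n 's/.*"Authorization" *: *"\([^"]*\)".*/\1/p'
}

# Log in to engine $1 as user $2 with password $3 and print the session token.
login() {
    curl -sS -X POST "http://$1/masking/api/login" \
        -H 'Content-Type: application/json' \
        -d "{\"username\":\"$2\",\"password\":\"$3\"}" |
        token_from_login_response
}

# Export the global key from engine $1 (token $2), encrypted with passphrase $3.
export_global_key() {
    curl -sS -X POST "http://$1/masking/api/export" \
        -H "Authorization: $2" -H "passphrase: $3" \
        -H 'Content-Type: application/json' \
        -d "$(export_body)"
}

# Import the encrypted blob in file $4 into engine $1 (token $2, passphrase $3).
import_global_key() {
    curl -sS -X POST "http://$1/masking/api/import?force_overwrite=true" \
        -H "Authorization: $2" -H "passphrase: $3" \
        -H 'Content-Type: application/json' \
        --data-binary "@$4"
}

# Round trip: runs only when both engine hostnames are set in the environment.
if [ -n "${ENGINE_A:-}" ] && [ -n "${ENGINE_B:-}" ]; then
    : "${MASK_USER:?}" "${MASK_PASSWORD:?}" "${KEY_PASSPHRASE:?}"
    TOKEN_A=$(login "$ENGINE_A" "$MASK_USER" "$MASK_PASSWORD")
    export_global_key "$ENGINE_A" "$TOKEN_A" "$KEY_PASSPHRASE" > global-key.json
    TOKEN_B=$(login "$ENGINE_B" "$MASK_USER" "$MASK_PASSWORD")
    import_global_key "$ENGINE_B" "$TOKEN_B" "$KEY_PASSPHRASE" global-key.json
    rm -f global-key.json  # encrypted, but still do not leave key material around
fi
```

Repeat the import step for every additional engine in the deployment so that all of them end up with the same global key.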

Individual key

The following algorithm frameworks have their own key that determines the masked results:

  • Binary Lookup

  • Character Mapping

  • Date Replacement

  • Date Shift Discrete

  • Dependent Date Shift

  • Email

  • Full Name

  • IBAN

  • Mapping

  • Name

  • Numeric Mapping

  • Payment Card

  • Secure Lookup

  • Segment Mapping

  • Tokenization

The key for each algorithm is exported and imported with the algorithm itself, not separately. These individually associated keys can be randomized with the following endpoint:

PUT http://masking-engine-A/masking/api/algorithms/{algorithmName}/randomize-key