Supported Database Encryption Modes
Baffle Encryption and Data Protection Modes
Data Security: Baffle supports multiple database, file, and file system encryption modes, including NIST-certified and FIPS-validated AES modes.
| Supported Data Protection Modes | Description |
|---|---|
| Field Level Encryption (FLE/ALE) | Table- or column-based encryption using randomized or deterministic AES-CTR encryption, or FPE |
| Record Level Encryption (RLE) | Row-by-row encryption using different keys mapped to entities, for multi-tenant or shared databases. Uses randomized or deterministic AES-CTR encryption, or FPE |
| Secure Data Tokenization (TOK) | Uses deterministic AES encryption to produce a deterministic encrypted transform for a given value. Can be applied to support JOINs and foreign key constraints, preserving referential integrity. Does not use a codebook method |
| Format Preserving Encryption (FPE) | Encryption in which the ciphertext has the same form as the input and preserves the length of the data type. Can be applied to support JOINs and foreign key constraints, preserving referential integrity. Does not use a codebook method. Cannot be used in conjunction with RLE or Advanced Encryption. Baffle uses the NIST-approved FF1 and FF3-1 algorithms for FPE |
| File Object Encryption (DFP) | Encrypts data inside file objects for cloud data lakes, AWS S3 object storage, and Azure Blob Storage. Encrypts semi-structured data to protect the contents of objects in CSV or Parquet formats |
| Encryption Service API (API) | A data encryption service API that lets virtually any application or data streaming method perform encryption and decryption operations on sensitive data in the supported encryption modes |
| Dynamic Data Masking (DDM) | A library of masking formats that protects data at the presentation layer so users cannot view it in the clear. Masking can use static alphanumeric characters, randomly generated values, or partial masking of a value, and can be applied to both clear-text and encrypted data |
| DBA & Role-based Access Control (RBAC) | Authorizes users through a role- or group-based authentication policy, used together with data masking policies to restrict unauthorized access to data based on group membership or other attributes |
| Advanced Encryption (SMPC) | Privacy-preserving analytics and secure data sharing on an encrypted table or encrypted column using randomized AES and secure multiparty computation (SMPC). Enables operations and analytics on encrypted data across multiple parties without revealing the data to the other participating parties |
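The Tokenization and FPE rows rest on one property: a deterministic mode maps equal plaintexts to equal ciphertexts, so the database can still evaluate an equality JOIN or a foreign key constraint on the protected column without ever seeing a key, whereas a randomized mode cannot. The Go program below is an added example written for this page, not Baffle's code. It assumes a synthetic-IV AES-CTR construction (IV derived from the plaintext with HMAC under a second key) to obtain determinism, uses constructed demo keys and sample columns, and simulates the JOIN in memory; it does not implement FF1/FF3-1.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed demo keys for this example only; a real deployment takes keys from a KMS/HSM.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	ivKey  = []byte("fedcba9876543210fedcba9876543210") // separate key used only to derive IVs
)

// ctrEncrypt runs AES-CTR under encKey with the given 16-byte IV and returns iv || ciphertext,
// so the IV is stored with the value and Decrypt needs no side table.
func ctrEncrypt(iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(iv)+len(plaintext))
	copy(out, iv)
	cipher.NewCTR(block, iv).XORKeyStream(out[len(iv):], plaintext)
	return out
}

// EncryptRandomized draws a fresh random IV per value: equal plaintexts give unrelated ciphertexts.
func EncryptRandomized(plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return ctrEncrypt(iv, plaintext)
}

// EncryptDeterministic derives the IV from the plaintext with HMAC-SHA256 under ivKey
// (a synthetic-IV construction assumed for this example), so equal plaintexts give equal ciphertexts.
func EncryptDeterministic(plaintext []byte) []byte {
	mac := hmac.New(sha256.New, ivKey)
	mac.Write(plaintext)
	return ctrEncrypt(mac.Sum(nil)[:aes.BlockSize], plaintext)
}

// Decrypt reverses either mode: the IV is the first block of the stored value.
func Decrypt(stored []byte) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err)
	}
	iv, ct := stored[:aes.BlockSize], stored[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt
}

// EncryptColumn applies one encryption mode to every value of a column.
func EncryptColumn(enc func([]byte) []byte, values []string) [][]byte {
	out := make([][]byte, len(values))
	for i, v := range values {
		out[i] = enc([]byte(v))
	}
	return out
}

// JoinOnEncrypted simulates the equality JOIN a database performs on two encrypted key
// columns with no key material: it counts row pairs whose stored bytes are identical.
func JoinOnEncrypted(left, right [][]byte) int {
	index := map[string]int{}
	for _, v := range left {
		index[string(v)]++
	}
	matches := 0
	for _, v := range right {
		matches += index[string(v)]
	}
	return matches
}

// DistinctCiphertexts counts distinct stored values: what a reader of the column who holds no
// keys learns about how many distinct plaintexts it contains and how often each repeats.
func DistinctCiphertexts(col [][]byte) int {
	seen := map[string]bool{}
	for _, v := range col {
		seen[string(v)] = true
	}
	return len(seen)
}

func main() {
	customers := []string{"cust-1001", "cust-1002", "cust-1003"}             // constructed PK column
	orders := []string{"cust-1001", "cust-1001", "cust-1003", "cust-9999"} // constructed FK column

	detC, detO := EncryptColumn(EncryptDeterministic, customers), EncryptColumn(EncryptDeterministic, orders)
	rndC, rndO := EncryptColumn(EncryptRandomized, customers), EncryptColumn(EncryptRandomized, orders)

	fmt.Println("deterministic: join matches =", JoinOnEncrypted(detC, detO), "distinct in orders =", DistinctCiphertexts(detO))
	fmt.Println("randomized:    join matches =", JoinOnEncrypted(rndC, rndO), "distinct in orders =", DistinctCiphertexts(rndO))
	fmt.Println("round trip:", string(Decrypt(detO[0])), string(Decrypt(rndO[3])))
}
```

The deterministic column joins correctly (three matching row pairs) and the randomized column joins on nothing, which is why the table above lists only the deterministic modes (TOK, FPE) as suitable for JOINs and foreign keys. The cost is visible in DistinctCiphertexts: with deterministic encryption the stored column reveals that the four orders belong to three distinct customers and that one customer repeats, information a randomized column hides. That equality and frequency leakage is the trade-off to weigh when choosing between deterministic and randomized modes for a given column.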
Read more about Enhanced Database Encryption and about the performance vs. security trade-offs of these modes.
Related Resources
Tokenize and de-identify data in AWS RDS in less than 10 minutes
We’re pleased to be partnered with AWS to deliver a seamless data protection solution for Amazon RDS and have co-authored this Amazon Partner Network (APN) blog that details the joint solution.
Without any application code changes, the solution tokenizes and encrypts data in Postgres, MySQL, MariaDB, and Microsoft SQL Server at the field or row level.
A Technical Overview of Baffle Hold Your Own Key (HYOK) and Record Level Encryption (RLE)
This paper provides a technical overview of Baffle’s HYOK implementation and how it can be applied to provide RLE in multitenant or shared data stores.