Supported Encryption Modes

Baffle supports multiple database and file encryption modes including NIST certified and FIPS validated AES modes.

Baffle Encryption Modes

All Baffle encryption modes can be implemented using a “no code” model via Baffle Data Protection Services

FieldLevelEncryptionV2

Field Level Encryption (FLE)

Table or column-based database encryption using randomized or deterministic AES-CTR encryption

FieldLevelEncryptionV2

Record Level Encryption (RLE)

Support for row by row database encryption using different keys mapped to entities for multi-tenant or shared databases

Encryption In Use

Advanced Encryption (SMPC)

Support for secure computation & secure data sharing on encrypted table or columnar data using randomized AES & secure multiparty compute (SMPC)

FPEV2

Format Preserving Encryption (FPE)

Supports encryption where the cipher text output has the same form of the input. Preserves length of the data type. Cannot be used in conjunction with RLE or Advanced Encryption

Group 2

Data-Centric File Protection

Supports encryption & de-identification of data inside file & object stores to secure data in cloud storage such as AWS S3 or Azure Blob Storage & for use in data analytics pipelines & big data processing

FPEV2

Secure Data Tokenization

Uses deterministic AES encryption to generate a deterministic encrypted transform for a given value. Can be applied to support JOINs and foreign key constraints as well as preserve indexing & optimizer. Does NOT use code book method.

Encryption Standards

Baffle uses NIST approved cryptographic AES algorithms for the supported encryption modes. For FPE, Baffle uses NIST approved FF1 and FF3-1 algorithms. The cryptographic implementations use a FIPS 140-2 validated cryptographic module.

Supported Data Protection ModesDescription
Field Level Encryption (FLE/ALE)Table or column-based encryption using randomized, deterministic AES-CTR encryption or FPE
Record Level Encryption (RLE)Support for row by row encryption using different keys mapped to entities for multi-tenant or shared databases. Uses randomized, deterministic AESCTR encryption or FPE
Secure Data Tokenization (TOK)Uses deterministic AES encryption to generate a deterministic encrypted transform for a given value. Can be applied to support JOINs and foreign key constraints to preserve referential integrity. Does NOT use code book method
Format Preserving Encryption (FPE)Supports encryption where the cipher text output has the same form of the input. Preserves length of the data type. Can be applied to support JOINs and foreign key constraints to preserve referential integrity. Does NOT use code book method. Cannot be used in conjunction with RLE or Advanced Encryption. Baffle uses NIST approved FF1 and FF3-1 algorithms for FPE
File Object Encryption (DFP)Supports encrypting data inside file objects for cloud data lakes, AWS S3 object storage, Azure blob storage. Encrypts semi-structured data to protect data inside objects in CSV or parquet formats.
Encryption Service API (API)Baffle supports an encryption service API that enables support of virtually any application or data streaming method to perform encryption and decryption operations on data for the supported encryption modes.
Dynamic Data Masking (DDM)Supports a library of masking formats that protects data at the presentation layer to prevent users from viewing data in the clear. Masking can be applied using static alphanumeric characters, randomly generated data values, and/or partially mask data values. Masking can be applied to both clear text and/or encrypted data
Role-based Access Control (RBAC)Supports role or group-based policies in conjunction with data masking policies to restrict viewing of data based on group membership or other attribution.
Advanced Encryption (SMPC)Support for privacy preserving analytics and secure data sharing on encrypted table or columnar data using randomized AES and secure multiparty compute (SMPC). This encryption mode facilitates operations and analytics on encrypted data across multiple parties without revealing data to other participating parties.

Related Resources

Tokenize and de-identify data in AWS RDS in less than 10 minutes

We’re pleased to be partnered with AWS to deliver a seamless data protection solution for Amazon RDS and have co-authored this Amazon Partner Network (APN) blog that details the joint solution.

Read More

Database Encryption

Without any application code changes, the solution tokenizes and encrypts data in Postgres, MySQL, MariaDB, and Microsoft SQL Server at the field or row level.

Learn More

A Security Analysis Of Tokenization Systems

The analysis includes an overview of three different tokenization systems and reviews methods in-depth on how an attacker could stage cryptographic game scenarios to attack the systems.

Learn More

See How Baffle Can Protect Your Data

Schedule a live demo with one of our solutions experts to get answers to your questions