Encryption

Placino uses envelope encryption: data at rest is encrypted with AES-256-GCM under a per-dataset data key, and only that data key is wrapped with RSA-4096. PII columns are encrypted; non-sensitive columns remain plaintext and queryable.

Encryption Overview

Data Encryption: AES-256-GCM

All sensitive columns (email, phone, SSN, etc.) are encrypted with AES-256 in Galois/Counter Mode, an authenticated mode that provides both confidentiality and integrity: a ciphertext that has been modified fails to decrypt rather than yielding garbage. It is an industry standard, NIST-approved (SP 800-38D), and hardware accelerated on modern CPUs. GCM requires a unique nonce for every value encrypted under the same key; nonce reuse breaks both properties.

Key Encryption: RSA-4096

The data keys themselves are wrapped with RSA-4096 public-key encryption. This provides key separation: data keys never travel or rest unencrypted, and they cannot be recovered without the private key, which never leaves the HSM or KMS.

Ephemeral PII Hashes

For record matching, SHA-256 hashes of PII exist only in memory during query execution. They are never persisted to disk and are destroyed as soon as matching completes. This lifetime matters: PII such as phone numbers and email addresses has low entropy, so a plain SHA-256 of it can be reversed by enumeration if it is ever stored.

How It Works

1. Data Ingestion

The customer uploads a CSV with the PII columns marked as sensitive.

2. Column-Level Encryption

The Encryption Service generates a random AES-256 data key and encrypts the sensitive columns (email, phone) with GCM mode. Every value must be encrypted under a fresh nonce; GCM nonce reuse under the same key breaks both confidentiality and authenticity. Non-sensitive columns (age, brand, region) remain plaintext.

3. Key Wrapping

The data key is wrapped with the RSA-4096 public key, and the wrapped key is stored alongside the encrypted data. The private key is held in a Hardware Security Module (HSM) or Key Management Service (KMS), so unwrapping a data key is the only operation that ever needs it.

4. Storage

Encrypted data is stored in PostgreSQL. Encrypted values cannot be queried directly; access is only via the Placino API with privacy controls.

5. Query Execution

For matching, the query decrypts PII into memory, derives an ephemeral SHA-256 hash of each value, and compares hashes across datasets. Raw values never leave the matching engine, and the hashes are destroyed after comparison.

6. Results

The query returns aggregated results only, with no PII in the result set. Differential privacy noise is applied and k-anonymity is enforced before results are returned to the user.

Encryption Configuration

During deployment, configure encryption settings via environment variables:

ENCRYPTION_KEY

Master encryption key (32 bytes, base64-encoded). Generate with: openssl rand -base64 32. Intended for development; in production set KMS_PROVIDER instead, which makes this variable unnecessary (see Key Management Best Practices).

RSA_PRIVATE_KEY_PATH

Path to the RSA-4096 private key in PEM format. For production, keep the private key in an HSM or KMS rather than in a file on disk.

KEY_ROTATION_DAYS

Re-encrypt data with a new key every N days. Default: 90. Set to 0 to disable rotation.

KMS_PROVIDER

Optional: AWS KMS, Google Cloud KMS, or Azure Key Vault for key management. If set, ENCRYPTION_KEY is ignored.

Key Management Best Practices

Store Keys in HSM or KMS

Never store encryption keys in plaintext files or environment variables in production. Use AWS KMS, Google Cloud KMS, Azure Key Vault, or hardware security modules (Thales, Yubico).

Rotate Keys Regularly

Enable automatic key rotation every 90 days (KEY_ROTATION_DAYS). Placino re-encrypts data with the new key in the background without downtime. Note the asymmetry that envelope encryption gives you: rotating the RSA wrapping key only requires re-wrapping each stored data key, whereas rotating data keys requires re-encrypting the rows they protect.

Access Control

Only the Encryption Service container can access private keys. Restrict IAM policies on KMS keys so that only that service's identity can call the decrypt (unwrap) operation, and audit all key access in CloudTrail, GCP Audit Logs, or Azure Monitor.

Backup & Recovery

Encrypt PostgreSQL backups with the same key, and test recovery procedures quarterly. Never back up encryption keys outside HSM protection: an unprotected key backup undoes every control above.

Compliance

Placino encryption meets regulatory requirements:

NIST SP 800-38D: AES-256-GCM approved for federal use.

PCI DSS 3.2.1: Meets encryption requirements for payment card data.

GDPR Article 32: Encryption as pseudonymization technique.

HIPAA Security Rule: AES-256 encryption for ePHI at rest and in transit.

SOC 2 Type II: Encryption controls audited annually.

Next: Privacy Controls

Beyond encryption, Placino applies differential privacy and k-anonymity to query results; see Privacy Controls.