Encryption Management

All data stored in the AuricVault® service must be encrypted. Most users allow the service to manage the data encryption (vault-managed encryption). There are also API calls that allow you to manage encryption on your servers.

NOTE: If you intend to use either the Token Swap or Payments Passthrough feature in the future, you must choose the vault-managed approach.

Vault-Managed Encryption

Vault-managed encryption performs all encryption/decryption and key management tasks within the AuricVault® service. You send plaintext (unencrypted) data to the AuricVault® service. The service encrypts and then stores the data. The AuricVault® encryption keys are rotated at least every 90 days.

Vault-managed encryption methods include both server-side and browser-side tokenization and de-tokenization methods. The browser-side methods allow any sensitive data to be tokenized/encrypted directly from a browser over secure HTTPS connections without the sensitive information ever touching your servers. These browser-side methods are referred to as session-based.

The vault-managed encryption token API calls are:

  • encrypt

  • decrypt

  • reencrypt

  • session_encrypt

  • session_decrypt

  • delete_token

  • token_info

  • touch_token

  • get_encrypt_session

  • get_decrypt_session

Locally-Managed Encryption

Locally-managed encryption requires you to control the encryption and decryption process, key management, and key rotation. You send pre-encrypted data to the AuricVault® service, and the vault returns that same data for you to decrypt. With this method, the service does not have access to the encryption/decryption keys. You may use any encryption method that aligns with your security policies.

The AuricVault® tokenization API for locally-managed encryption requires all calls to originate from your server’s web application. Browser-based encryption is not available with locally-managed encryption. Sharing data with third parties, including payment processors, is problematic because it implies sharing your encryption keys. Neither Token Swap nor Payment Pass-Through is available when using locally-managed encryption.

Locally-managed encryption is ideal for environments that need to internally manage their custom encryption policies and maintain access to the tokenized data within a locally limited environment.

The locally-managed encryption token API calls are:

  • store_token

  • generate_token

  • retrieve_token

  • update_token

  • delete_token

  • token_info

  • touch_token

Converting Between Methods

Tokens can be converted from locally-managed to vault-managed (or from vault-managed to locally-managed). You need to write a small program to read each token that is currently stored with one method and then store it back with the other. For example, call retrieve_token to retrieve the encrypted data, decrypt it on your local server, then either encrypt (to create a new token) or reencrypt (to re-use the same token). The token_info method can be used to determine a token’s encryption management method.
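As an added example (not AuricVault code and not a client for its real API), the following Go program shows the two responsibilities the locally-managed method places on you, encrypting with your own keys and rotating them, together with the conversion loop described above. AES-256-GCM with a key-version prefix is one choice that satisfies "any encryption method that aligns with your security policies"; the memVault type, its Go method signatures, and the "local"/"vault" strings its TokenInfo returns are stand-ins for the service, named after the page's store_token, retrieve_token, reencrypt and token_info calls but not the real interface.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

const nonceSize = 12 // standard GCM nonce length used by cipher.NewGCM
// LocalKeyring is the application's own key store. Each ciphertext carries the
// index of the key that produced it, so a rotation never forces a bulk re-encrypt.
type LocalKeyring struct{ keys [][]byte }
// Rotate appends a fresh random 256-bit AES key and makes it current.
func (k *LocalKeyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys = append(k.keys, key)
	return nil
}

func (k *LocalKeyring) aead(version int) (cipher.AEAD, error) {
	if version < 0 || version >= len(k.keys) {
		return nil, fmt.Errorf("no key for version %d", version)
	}
	block, err := aes.NewCipher(k.keys[version])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt yields base64(version || nonce || AES-GCM ciphertext+tag) for store_token.
func (k *LocalKeyring) Encrypt(plaintext []byte) (string, error) {
	version := len(k.keys) - 1
	aead, err := k.aead(version)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out := aead.Seal(append([]byte{byte(version)}, nonce...), nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt picks the key by the version byte; the GCM tag rejects altered data.
func (k *LocalKeyring) Decrypt(encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(raw) < 1+nonceSize {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	aead, err := k.aead(int(raw[0]))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, raw[1:1+nonceSize], raw[1+nonceSize:], nil)
}

// memVault stands in for the service (assumed names and signatures): Reencrypt only
// records the switch where the real vault would encrypt the plaintext it receives.
type memVault struct{ method, data map[string]string }

func (m *memVault) StoreToken(tok, ct string) { m.method[tok], m.data[tok] = "local", ct } // caller already encrypted ct
func (m *memVault) RetrieveToken(tok string) string  { return m.data[tok] }
func (m *memVault) Reencrypt(tok string, pt []byte) { m.method[tok], m.data[tok] = "vault", string(pt) }
func (m *memVault) TokenInfo(tok string) (string, error) {
	if method, ok := m.method[tok]; ok {
		return method, nil
	}
	return "", fmt.Errorf("unknown token %q", tok)
}

// ConvertToVaultManaged follows the page's procedure: retrieve_token, decrypt locally,
// then reencrypt to keep the token. Already vault-managed tokens are skipped, so a rerun is safe.
func ConvertToVaultManaged(v *memVault, kr *LocalKeyring, tokens []string) (int, error) {
	converted := 0
	for _, tok := range tokens {
		method, err := v.TokenInfo(tok)
		if err != nil {
			return converted, err
		}
		if method != "local" {
			continue
		}
		pt, err := kr.Decrypt(v.RetrieveToken(tok))
		if err != nil {
			return converted, fmt.Errorf("token %s: %w", tok, err)
		}
		v.Reencrypt(tok, pt)
		converted++
	}
	return converted, nil
}
```

The version byte is what makes rotation practical: after Rotate, new values use the latest key while older tokens still decrypt, so a migration or re-encryption pass can run on your own schedule. Converting in the other direction (vault-managed to locally-managed) is the mirror image: decrypt through the vault, Encrypt with the keyring, then store_token.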