Blog

How encryption works in a Data Vault using EKM

Maria Paktiti
February 20, 2025

Keeping data safe, especially sensitive data like PII, is an increasingly difficult project. Read about Data Vaults and EKM and how enterprises can use them to ensure data integrity and confidentiality.

Sensitive data is a valuable asset that companies need to secure from theft or misuse. Data Vaults and Enterprise Key Management (EKM) are two technologies that help with that.

In this article, we will see what Data Vaults and EKM are, and how they work together to ensure data privacy and compliance.

What is a Data Vault?

Not all data is created equally. Some, like sensitive user data, require better protection, especially if you want to be compliant with the various regulations and laws. As data breaches become more frequent, isolating and protecting sensitive user data becomes more important. And that’s exactly what Data Vaults are designed to do.

A Data Vault, or Data Privacy Vault, is a system that isolates and secures sensitive data. It acts as a "vault" for storing and managing sensitive information and limits exposure and unauthorized access, using encryption, access controls, and other security measures. Think of it like the safety deposit boxes in a bank: a locked room with boxes for storing valuable items with loads of security.

Data Vaults are used in environments with high privacy concerns, such as cloud storage or applications handling sensitive personal health or financial information.

Some of the key features of Data Vaults are:

  • Encryption: Data is encrypted at the application level before being stored, making it unreadable to anyone without the proper decryption keys. Data Vaults encrypt the data in their own APIs before storing it on the hard drive. This limits an attacker's ability to read the data by accessing the server, making it more secure than just encrypting data at rest.
  • Access controls: Strong authentication and authorization mechanisms ensure only authorized users can access or modify sensitive data.
  • Audit logs: Detailed logs track who accesses the data and what actions are taken, helping to maintain accountability and transparency.
  • Data minimization: The system ensures that only necessary data is stored and accessible, helping to comply with privacy regulations like GDPR or CCPA.
  • Compliance: It helps organizations meet legal and regulatory requirements for data privacy and security.

What is EKM?

Enterprise Key Management (EKM) is a system used by organizations to control and protect the encryption keys that secure their sensitive data.Imagine your data is like a locked box, and the key to open it is the encryption key. EKM helps the organization manage these keys securely—keeping them safe, ensuring only the right people or systems can use them, and rotating them regularly to reduce the risk of being compromised.Following the same bank analogy, where the Data Vaults are the safety deposit boxes holding the sensitive data, EKM holds the keys to lock and unlock those boxes.An EKM system is responsible for:

  • Key provisioning: EKM doesn’t generate or store encryption keys (the KMS does this), but it does track which keys are used for what types of data across an organization’s systems. An organization might want to provision a new key for each enterprise customer or tenant, or provision separate keys based on data type (e.g., a key for credit card numbers and a separate key for PII). This way, you end up with a lot of keys, and EKM is the system responsible for tracking and managing which key is being used for what (which tenant, which data type).
  • Key distribution: This involves securely distributing encryption keys to the systems and applications that need them while ensuring that only authorized entities can access them.
  • Key rotation and expiration: Regularly rotating keys is essential to maintaining security. EKM helps automate this process, ensuring that old keys are replaced with new ones to minimize the risk of a security breach.
  • Key auditing and compliance: EKM systems help track and monitor key usage for compliance with data protection regulations such as GDPR, HIPAA, and PCI-DSS. This involves maintaining detailed logs of key access, creation, and deletion.
  • Key destruction: Once encryption keys are no longer needed or have reached the end of their lifecycle, they must be securely destroyed to prevent any future access to encrypted data.

An EKM system uses two types of keys: customer managed keys and data keys.

The customer managed key is used to encrypt the data key, and then that encrypted data key is used to encrypt the data. This process is called key wrapping. The encrypted data key is stored alongside the data and, therefore, cannot be lost.

For more details on how EKM systems work see this video.‍

How EKM and Data Vaults work together to secure data?

A Data Privacy Vault typically integrates with EKM to control and secure the encryption keys, ensuring that the sensitive data it holds is protected at all times.

  • EKM is used to generate and use encryption keys for cryptographic security.
  • The Data Vault uses EKM to provide keys for encrypting application data and storing the encrypted data.
  • The Data Vault leverages the EKM's ability to scope encryption keys to different types of data. This allows the Data Vault to "cryptographically isolate" the data it is storing - getting access to a single encryption key will only allow a subset of the data to be decrypted.

Here’s the process, step by step:

  1. A customer managed key is generated by the EKM system (specifically by the KMS). The customer has full control over the key (hence the “customer managed” part) and can use it to encrypt and decrypt data via an API. There are actually multiple keys generated, not only one. Usually, there is a key for a specific data set or group of data objects (e.g., files or records). Time-based keys are also common.
  2. Then, data keys are generated (again, by the KMS). These keys are used to encrypt or decrypt sensitive data.
  3. The customer managed key is used to encrypt the data key.
  4. The encrypted data key is used to encrypt the data and is then stored alongside the data (in what is called an encrypted envelope). This keeps the data very portable, even if the data moves the key will move with them.
  5. When the data needs to be accessed, the customer managed key is used to unwrap (decrypt) the wrapped data key. Once the data key is decrypted, it can be used to decrypt the actual data.

Conclusion

Both Data Vaults and EKM are crucial for ensuring that sensitive data are kept private and confidential.

The Data Vault is a system isolating sensitive data, while EKM is a broader strategy encompassing the processes and policies for managing encryption keys across an enterprise.

Together, they help organizations safeguard sensitive data and maintain compliance with regulations.

In this article
Link
Link
Link
We’re hiring

Our global team is growing and we’re hiring all types of roles.

View open roles
About us

WorkOS builds developer tools for quickly adding enterprise features to applications.

Learn more

This site uses cookies to improve your experience. Please accept the use of cookies on this site. You can review our cookie policy here and our privacy policy here. If you choose to refuse, functionality of this site will be limited.