Deterministic Encryption Feature Release! #43
skeet70 announced in Announcements
We've released a new oft-requested feature: Deterministic Encryption!
Our normal encryption in SaaS Shield is randomized; that is, when you encrypt a piece of data, some random bytes are added to it before encrypting. This way, if you encrypt the same data twice, even if you use the same key, you will get two different blocks of encrypted data. This makes it a lot harder to try to detect patterns in the encrypted data that might help you guess the original, even if you know some details like the frequency distribution of the original data that was encrypted.
A consequence of this security is that once you have encrypted a piece of data, you can't search your data store to see whether the encrypted version of that data exists there. This can severely degrade the functionality of apps that need to search for records containing a certain data item, if that item is encrypted. Deterministic Encryption is a solution to that problem. As the name implies, this variation on encryption does not have any randomness: given a key and a piece of data, the encrypted version of the data is always the same. This allows you to encrypt each data item using a key and store the encrypted data. Then, when you want to do a search, you encrypt the search data with the same key and look for exact matches to that encrypted data in your data store.
For more information about deterministic encryption and our implementation of it, see our documentation.
This release includes:
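Added example, not part of the announcement and not SaaS Shield's implementation: the randomized versus deterministic behaviour described above, and search by re-encrypting the query, in standard-library Python. The MAC-derived IV, the HMAC-SHA256 keystream standing in for a block cipher, the fixed demo keys and the sample rows are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ENC_KEY = bytes(range(32))       # constructed demo keys, not for real use
MAC_KEY = bytes(range(32, 64))

def _stream_xor(key, iv, data):
    # HMAC-SHA256 in counter mode as keystream: a stdlib stand-in for AES-CTR.
    stream = b"".join(
        hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_randomized(plaintext):
    iv = os.urandom(16)  # fresh random bytes on every call
    return iv + _stream_xor(ENC_KEY, iv, plaintext)

def encrypt_deterministic(plaintext):
    # The IV is a keyed MAC of the plaintext, so equal inputs give equal output.
    iv = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()[:16]
    return iv + _stream_xor(ENC_KEY, iv, plaintext)

def decrypt_deterministic(blob):
    iv, body = blob[:16], blob[16:]
    plaintext = _stream_xor(ENC_KEY, iv, body)
    expected = hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(iv, expected):
        raise ValueError("ciphertext was modified or the key is wrong")
    return plaintext

# Constructed sample column: (row id, e-mail address).
ROWS = [(1, b"ann@example.com"), (2, b"bob@example.com"), (3, b"ann@example.com")]
STORE = [(rid, encrypt_deterministic(email)) for rid, email in ROWS]

def search(term):
    # Encrypt the search term with the same key and match ciphertexts exactly.
    needle = encrypt_deterministic(term)
    return [rid for rid, blob in STORE if hmac.compare_digest(blob, needle)]

def ciphertext_frequencies(store):
    # What a reader of the store learns without any key: repeat counts per value.
    return sorted(Counter(blob for _, blob in store).values(), reverse=True)
```

`ciphertext_frequencies(STORE)` shows the trade-off: the stored column reveals which rows share a value and how often, which is the pattern that randomized encryption hides.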