{"id":13341,"date":"2019-11-13T11:50:37","date_gmt":"2019-11-13T16:50:37","guid":{"rendered":"http:\/\/www.iri.com\/blog\/?p=13341"},"modified":"2024-06-18T17:16:13","modified_gmt":"2024-06-18T21:16:13","slug":"fieldshield-encryption-alliance-key-manager","status":"publish","type":"post","link":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/","title":{"rendered":"Securing FieldShield Encryption Keys with Alliance Key Manager"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In a previous <\/span><a href=\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-azure-key-vault\/\"><span style=\"font-weight: 400;\">article<\/span><\/a><span style=\"font-weight: 400;\">, we detailed a method for securing the encryption keys (passphrases) used in <\/span><a href=\"https:\/\/www.iri.com\/products\/fieldshield\"><span style=\"font-weight: 400;\">IRI FieldShield<\/span><\/a><span style=\"font-weight: 400;\"> data masking jobs through the Azure Key Vault. There is now another, even more robust option for encryption key management available, thanks to API-level integration between FieldShield and the <\/span><span style=\"font-weight: 400;\">Alliance Key Manager<\/span><span style=\"font-weight: 400;\"> (AKM) platform from <\/span><span style=\"font-weight: 400;\">Townsend Security.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">AKM provides the security of authenticated access to FieldShield passphrases from five different server options (below). They assure that only authorized users can access the AKM key server and obtain the keys to decrypt FieldShield-encrypted field data (column values)<span id='easy-footnote-1-13341' class='easy-footnote-margin-adjust'><\/span><span class='easy-footnote'><a href='https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#easy-footnote-bottom-1-13341' title='AKM relies on certificates and a private key for authentication to the AKM server. 
Specifically, AKM requires a root certificate authority (CA), a client certificate, and a private key. A user will need to know how to connect to an AKM instance and pass multiple layers of authentication to access keys. This is an example of defense in depth, and thus another way to enhance data security through FieldShield.'><sup>1<\/sup><\/a><\/span><\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But beyond authentication, AKM provides a complete encryption key management solution which includes: key server setup and configuration, key lifecycle administration, secure key storage, key import\/export, key access control, server mirroring, and backup\/restore. AKM also supports compliance audit logging of all server, key access and configuration functions.\u00a0\u00a0<\/span><\/p>\n<h4><b>How AKM Works with FieldShield<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">AKM is leveraged directly in FieldShield <\/span><a href=\"https:\/\/www.iri.com\/solutions\/data-masking\"><span style=\"font-weight: 400;\">data masking jobs<\/span><\/a><span style=\"font-weight: 400;\"> through field syntax that specifies the use of AKM. This syntax is \u201cAKM:KeyName\u201d, where \u201cAKM:\u201d invokes the use of the Alliance Key Manager, and \u201cKeyName\u201d (an example here; the name could be anything) is the name of a key created in AKM whose value will be retrieved.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In a FieldShield decryption job, key retrieval from AKM is performed via a secure TLS connection to the AKM server. 
Both the client (FieldShield user) and server (AKM) end-points are authenticated via TLS.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">AKM can be deployed in: 1) VMware; 2) a cloud server in Microsoft Azure; 3) Amazon Web Services; 4) a privately managed Hardware Security Module (HSM); or, 5) a dedicated cloud HSM.\u00a0<\/span><\/p>\n<h4><b>Setting Up<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Prerequisites for using AKM to manage encryption key passphrases in FieldShield are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">a compatible <\/span><span style=\"font-weight: 400;\">Linux OS<\/span><span style=\"font-weight: 400;\">\u00a0or Windows<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">A licensed IRI FieldShield installation<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">An AKM instance with connectivity to the Host OS<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">A .conf file configured with the proper details to connect to AKM from the Host OS<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The Alliance Key Manager Linux SDK, if you are using a Linux OS<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">To run FieldShield, obtain and install license keys from IRI. To run AKM, obtain a license from Townsend Security.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You will need to create a configuration (.conf) file to provide the connection information for AKM. 
The file includes the locations of certificates, logging options, and AKM connection properties.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The configuration file must be specified correctly<\/span><span style=\"font-weight: 400;\">\u00a0and called <\/span><i><span style=\"font-weight: 400;\">keyclient.conf <\/span><\/i><span style=\"font-weight: 400;\">in order for key retrieval to succeed. The configuration file should be placed in the $COSORT_HOME\/etc directory. Once that\u2019s done, AKM will be accessible and work properly from any of the 5 deployment methods listed above.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">You will also need to download the AKM <\/span><a href=\"http:\/\/townsendsecurity.com\/downloads\/products\/sdk\/Linux.zip\"><span style=\"font-weight: 400;\">Linux SDK<\/span><\/a>\u00a0if you are using a Linux OS<span style=\"font-weight: 400;\">. It contains the packages used to install the Linux libraries for AKM key retrieval used in FieldShield, and a sample keyclient.conf file (shown later).<\/span><\/p>\n<p><a href=\"http:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-13348 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic-1024x339.png\" alt=\"\" width=\"1024\" height=\"339\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic-1024x339.png 1024w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic-300x99.png 300w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic-768x254.png 768w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png 1110w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/p>\n<h4><b>The AKM Linux SDK<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">FieldShield makes use of shared libraries provided by 
Townsend Security to integrate with AKM on Linux.\u00a0 More specifically, FieldShield uses the Linux C SDK, which provides tools for integrating C applications with AKM in Linux. A port of the Linux C SDK has been developed to allow integration with the AKM on Windows. On Windows, this integration will be available in a future upgrade to CoSort, and no external SDK is necessary to download or include on Windows.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are debian (or rpm, depending on Linux distribution) packages within the <\/span><i><span style=\"font-weight: 400;\">packages<\/span><\/i><span style=\"font-weight: 400;\"> directory of the <\/span><i><span style=\"font-weight: 400;\">Linux<\/span><\/i><span style=\"font-weight: 400;\"> directory of the Linux SDK that must be installed on your Linux system for the FieldShield-AKM integration to work. Confirm (or put) the shared object library (.so file) in the <\/span><i><span style=\"font-weight: 400;\">\/usr\/lib<\/span><\/i><span style=\"font-weight: 400;\"> directory.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The AKM Linux SDK contains packages for the following Linux platforms:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">RHEL\/CentOS 4, 5, 6, 7<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">SLE 11 SP2, SP3, SP4<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Ubuntu 12.04, 14.04, 16.04<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The Ubuntu 16.04 package in the AKM Linux SDK was tested and confirmed to work on Ubuntu 18.04.<\/span><\/p>\n<p><b>Configuring AKM for FieldShield Use<\/b><br \/>\n<span style=\"font-weight: 400;\">AKM can be deployed in a variety of ways, including through cloud computing providers and local virtual machines. 
To set up AKM initially, follow the instructions in your quick start documentation<\/span><span style=\"font-weight: 400;\"> and log in to the administrative menu to initialize AKM and create and manage certificates for user authentication. <\/span><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2019\/11\/VirtualBox_vm-1_30_10_2019_15_17_15.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-13361 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/VirtualBox_vm-1_30_10_2019_15_17_15.png\" alt=\"\" width=\"570\" height=\"359\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/VirtualBox_vm-1_30_10_2019_15_17_15.png 576w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/VirtualBox_vm-1_30_10_2019_15_17_15-300x189.png 300w\" sizes=\"(max-width: 570px) 100vw, 570px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">The AKM instance has a key server at port 6001, a port for key retrieval at port 6000, and a web interface at port 3886. <\/span><span style=\"font-weight: 400;\">This information must be put into the .conf file so that FieldShield can find the AKM and retrieve the key at decryption time.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">After logging in to AKM, the IP address of the AKM instance can be found by typing <\/span><i><span style=\"font-weight: 400;\">ifconfig<\/span><\/i><span style=\"font-weight: 400;\">:<\/span><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2019\/11\/VirtualBox_vm-1_30_10_2019_15_11_51.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-13360 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/VirtualBox_vm-1_30_10_2019_15_11_51.png\" alt=\"\" width=\"570\" height=\"502\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/VirtualBox_vm-1_30_10_2019_15_11_51.png 619w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/VirtualBox_vm-1_30_10_2019_15_11_51-300x264.png 300w\" sizes=\"(max-width: 570px) 100vw, 570px\" 
\/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Again, the default port is 6000 for AKM key retrieval. This should be written in the .conf file like this:<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">[ip]<\/span>\r\n<span style=\"font-weight: 400;\">KeyStoreIpPort=IP:Port\u00a0<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">where IP is the IP address of the AKM, and Port is the port number used for key retrieval. For example:<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">[ip]<\/span>\r\n<span style=\"font-weight: 400;\">KeyStoreIpPort=192.168.56.20:6000<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">A complete .conf file could look something like this:<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">; Configuration file for Universal Key Retrieval API<\/span> \r\n<span style=\"font-weight: 400;\">[log]<\/span> \r\n<span style=\"font-weight: 400;\">Syslog=2 ; syslog output enabled<\/span> \r\n<span style=\"font-weight: 400;\">StdErr=2 ; stderr output enabled<\/span> \r\n<span style=\"font-weight: 400;\">[ip]<\/span> \r\n<span style=\"font-weight: 400;\">KeyStoreIpPort=192.168.56.103:6000<\/span> \r\n<span style=\"font-weight: 400;\">ConnectTimeoutSecs=5 \u00a0 ; timeout value in seconds<\/span> \r\n<span style=\"font-weight: 400;\">ConnectTimeoutMSecs=0\u00a0 ; timeout value in milliseconds<\/span> \r\n<span style=\"font-weight: 400;\">[cert]<\/span> \r\n<span style=\"font-weight: 400;\">VerifyDepth=1 ; certificate verify depth<\/span> \r\n<span style=\"font-weight: 400;\">TrustedCACertDir=\/home\/devon\/Downloads\/AKMPrimary_user_20191021\/PEM\u00a0<\/span> \r\n<span style=\"font-weight: 400;\">; CA Signed Cert directory<\/span> \r\n<span style=\"font-weight: 400;\">TrustedCACert=\/home\/devon\/Downloads\/AKMPrimary_user_20191021\/PEM\/AKMRootCACertificate.pem\u00a0 ; CA Signed Cert (root cert)<\/span> \r\n\r\n<span style=\"font-weight: 
400;\">ClientPrivKey=\/home\/devon\/Downloads\/AKMPrimary_user_20191021\/PEM\/AKMClientPrivateKey.pem\u00a0<\/span> \r\n<span style=\"font-weight: 400;\">; Client Private key<\/span> \r\n<span style=\"font-weight: 400;\">ClientSignedCert=\/home\/devon\/Downloads\/AKMPrimary_user_20191021\/PEM\/AKMClientCertificate.pem<\/span> \r\n<span style=\"font-weight: 400;\">; Client Signed certificate\r\n<\/span><\/pre>\n<h4><b>AKM Web Interface (webmin)<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">The AKM Server<\/span><span style=\"font-weight: 400;\"> web interface (or webmin) monitors AKM performance and login or access attempts, and allows access to the AKM file browser. Many settings can be modified through a secure web interface:<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><a href=\"http:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/webmin_AKM.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-13353 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/webmin_AKM-1024x555.png\" alt=\"\" width=\"899\" height=\"487\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/webmin_AKM-1024x555.png 1024w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/webmin_AKM-300x163.png 300w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/webmin_AKM-768x416.png 768w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/webmin_AKM.png 1600w\" sizes=\"(max-width: 899px) 100vw, 899px\" \/><\/a><\/p>\n<p style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">Dashboard menu in the AKM \u2018webmin\u2019 web interface <\/span><\/i><\/p>\n<p><span style=\"font-weight: 400;\">From the file manager in the web interface, full file system access to AKM is available. 
In the <\/span><i><span style=\"font-weight: 400;\">\/home\/admin\/downloads <\/span><\/i><span style=\"font-weight: 400;\">directory, all certificates and private keys should be available in zipped folders.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The certificates and private key should be in the .pem format and stored in the pem folder within the zip folder with the name of the user (rather than the admin1 or admin2 folders). The date value is the day of the month that the folder was created during initialization of the AKM server.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There is also the ability to access logs from AKM, set logging options and IP access control for the web interface, start\/stop AKM, enable two-factor authentication for the web interface, check running processes in AKM, and more, all from within webmin.<\/span><\/p>\n<h4><b>Creating and Using FieldShield Keys<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">AKM provides options for creating, securing, and managing encryption keys through the <\/span><span style=\"font-weight: 400;\">AKM Administrative (Admin) Console app<\/span><span style=\"font-weight: 400;\"> for Windows. Consult the AKM Crypto Officer <\/span><span style=\"font-weight: 400;\">documentation <\/span><span style=\"font-weight: 400;\">for current information on creating keys through the AKM Admin console app.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">FieldShield only supports <\/span><b>256-bit <\/b><span style=\"font-weight: 400;\">symmetric keys from AKM, known as AES256 keys. 
<\/span><span style=\"font-weight: 400;\">This provides the best combination of security and performance.<\/span><\/p>\n<p><a href=\"http:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/AKM_console.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-13354 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/AKM_console-1024x555.png\" alt=\"\" width=\"899\" height=\"487\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/AKM_console-1024x555.png 1024w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/AKM_console-300x163.png 300w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/AKM_console-768x416.png 768w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/AKM_console.png 1600w\" sizes=\"(max-width: 899px) 100vw, 899px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Otherwise, select the rest of the options as desired and click the submit button to generate an encryption key.\u00a0 The output should be similar to this:<\/span><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2019\/11\/AKM-symmetric-key.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-13356 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/AKM-symmetric-key.png\" alt=\"\" width=\"315\" height=\"200\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/AKM-symmetric-key.png 315w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/AKM-symmetric-key-300x190.png 300w\" sizes=\"(max-width: 315px) 100vw, 315px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Alternatively, when initializing AKM, a set of encryption keys can be automatically generated. 
<\/span><span style=\"font-weight: 400;\">A prompt appears at AKM initialization asking if an initial set of encryption keys should be generated or not.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The encryption keys you create in AKM at initialization, or through the AKM Admin Console application, will serve as passphrase values in FieldShield target \/FIELD specifications that encrypt or decrypt values at the field or column level. For example, this statement:<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">\/FIELD=(Encrypted_CCN=enc_aes256_fp_alphanum(CCN, AKM:AES256), TYPE=NUMERIC, POSITION=12, SEPARATOR=\"|\", ODEF=CCAcctNum)<\/span><\/pre>\n<p><span style=\"font-weight: 400;\">will encrypt the CCAcctNum in the 12th column of the source database table with 256-bit AES alphanumeric format-preserving encryption using the key created inside AKM under the name AES256.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What\u2019s actually happening? FieldShield will use a base64-encoded stream of characters (a key value) retrieved (derived) from AKM that is associated with that AKM key name. That stream then gets used by FieldShield as a new passphrase value.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s that new passphrase value that is then used by FieldShield (like before AKM) to derive the actual encrypt\/decrypt key used at FieldShield runtime. So in other words, AKM involves a double derivation.\u00a0\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If you want to use a different AKM key name in another \/FIELD statement to differentiate your encrypt\/decrypt keys, use the AKM Admin Console to create another key under a different name. 
Reflect that new name in your FieldShield job script in the appropriate \/FIELD statement.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To decrypt in this case, a corresponding decryption statement in a subsequent FieldShield job script would need to specify the dec_aes256_fp_alphanum function with the same passphrase to restore the original CCAcctNum value. This method will work with any <\/span><a href=\"https:\/\/www.iri.com\/solutions\/data-masking\/encryption\/algorithms\"><span style=\"font-weight: 400;\">FieldShield-included encryption or decryption algorithm<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h4><b>Example Operation<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Here is a look at the FieldShield encrypt (left) and decrypt (right) job scripts used:<\/span><\/p>\n<p><a href=\"http:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-encrypt-and-decrypt.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-13357 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-encrypt-and-decrypt-1024x378.png\" alt=\"\" width=\"899\" height=\"332\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-encrypt-and-decrypt-1024x378.png 1024w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-encrypt-and-decrypt-300x111.png 300w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-encrypt-and-decrypt-768x283.png 768w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-encrypt-and-decrypt.png 1214w\" sizes=\"(max-width: 899px) 100vw, 899px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Note the syntax for specifying AKM use, which is \u201c<\/span><b>AKM:<\/b><i><span style=\"font-weight: 400;\">KeyName<\/span><\/i><span style=\"font-weight: 400;\">\u201d. Make sure that the key name is properly spelled. 
Key names that do not exist on the connected AKM instance will result in a Tcpconnect error.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">AKM will attempt to retrieve the key 5 times, each with a timeout of 5 seconds, as specified in the default .conf file. If the key is ultimately unable to be retrieved, then the job will not run.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here is an image of data from this example that FieldShield encrypted using AKM:<\/span><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-encrypted-data-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-13358 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-encrypted-data-1.png\" alt=\"\" width=\"899\" height=\"210\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-encrypted-data-1.png 955w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-encrypted-data-1-300x70.png 300w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-encrypted-data-1-768x179.png 768w\" sizes=\"(max-width: 899px) 100vw, 899px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Here is an image of the data after running FieldShield and the key in AKM to decrypt it:<\/span><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-dencrypted-data.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-13359 aligncenter\" src=\"\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-dencrypted-data.png\" alt=\"\" width=\"537\" height=\"222\" srcset=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-dencrypted-data.png 537w, https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/fieldShield-dencrypted-data-300x124.png 300w\" sizes=\"(max-width: 537px) 100vw, 537px\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">The bottom line: Using AKM to store the passphrases used for decrypting data in FieldShield 
dramatically enhances encryption key security and industry compliance levels for data masking operations. Through key authentication and secure key management facilities, AKM can help FieldShield users close off more potential gaps in enterprise data security.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a previous article, we detailed a method for securing the encryption keys (passphrases) used in IRI FieldShield data masking jobs through the Azure Key Vault. There is now another, even more robust option for encryption key management available, thanks to API-level integration between FieldShield and the Alliance Key Manager (AKM) platform from Townsend Security.<\/p>\n<div><a class=\"btn-filled btn\" href=\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/\" title=\"Securing FieldShield Encryption Keys with Alliance Key Manager\">Read More<\/a><\/div>\n","protected":false},"author":119,"featured_media":13348,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[8,34],"tags":[1449,1450,10,99,78,520,160],"class_list":["post-13341","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-protection","category-business","tag-akm","tag-alliance-key-manager","tag-data-encryption","tag-decryption","tag-encryption-key","tag-iri-fieldshield","tag-linux"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v23.4 (Yoast SEO v23.4) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Securing FieldShield Encryption Keys with Alliance Key Manager - IRI<\/title>\n<meta name=\"description\" content=\"Learn to use Alliance Key Manager (AKM) from Townsend Security to store and retrieve encryption keys 
in IRI FieldShield data masking jobs.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Securing FieldShield Encryption Keys with Alliance Key Manager\" \/>\n<meta property=\"og:description\" content=\"Learn to use Alliance Key Manager (AKM) from Townsend Security to store and retrieve encryption keys in IRI FieldShield data masking jobs.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/\" \/>\n<meta property=\"og:site_name\" content=\"IRI\" \/>\n<meta property=\"article:published_time\" content=\"2019-11-13T16:50:37+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-18T21:16:13+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1110\" \/>\n\t<meta property=\"og:image:height\" content=\"367\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Devon Kozenieski\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Devon Kozenieski\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/\"},\"author\":{\"name\":\"Devon Kozenieski\",\"@id\":\"https:\/\/www.iri.com\/blog\/#\/schema\/person\/de972c035aaeecfc40a3ae2ea5ff7ba1\"},\"headline\":\"Securing FieldShield Encryption Keys with Alliance Key Manager\",\"datePublished\":\"2019-11-13T16:50:37+00:00\",\"dateModified\":\"2024-06-18T21:16:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/\"},\"wordCount\":1588,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.iri.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png\",\"keywords\":[\"AKM\",\"Alliance Key Manager\",\"data encryption\",\"decryption\",\"encryption key\",\"IRI FieldShield\",\"Linux\"],\"articleSection\":[\"Data Masking\/Protection\",\"IRI Business\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/\",\"url\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/\",\"name\":\"Securing FieldShield Encryption Keys with Alliance Key Manager - 
IRI\",\"isPartOf\":{\"@id\":\"https:\/\/www.iri.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png\",\"datePublished\":\"2019-11-13T16:50:37+00:00\",\"dateModified\":\"2024-06-18T21:16:13+00:00\",\"description\":\"Learn to use Alliance Key Manager (AKM) from Townsend Security to store and retrieve encryption keys in IRI FieldShield data masking jobs.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#primaryimage\",\"url\":\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png\",\"contentUrl\":\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png\",\"width\":1110,\"height\":367},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.iri.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Securing FieldShield Encryption Keys with Alliance Key Manager\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.iri.com\/blog\/#website\",\"url\":\"https:\/\/www.iri.com\/blog\/\",\"name\":\"IRI\",\"description\":\"Total Data Management 
Blog\",\"publisher\":{\"@id\":\"https:\/\/www.iri.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.iri.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.iri.com\/blog\/#organization\",\"name\":\"IRI\",\"url\":\"https:\/\/www.iri.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.iri.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/02\/iri-logo-total-data-management-small-1.png\",\"contentUrl\":\"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/02\/iri-logo-total-data-management-small-1.png\",\"width\":750,\"height\":206,\"caption\":\"IRI\"},\"image\":{\"@id\":\"https:\/\/www.iri.com\/blog\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.iri.com\/blog\/#\/schema\/person\/de972c035aaeecfc40a3ae2ea5ff7ba1\",\"name\":\"Devon Kozenieski\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.iri.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e4c421588c1a85dd9a76146fe15528f7?s=96&d=blank&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e4c421588c1a85dd9a76146fe15528f7?s=96&d=blank&r=g\",\"caption\":\"Devon Kozenieski\"},\"url\":\"https:\/\/www.iri.com\/blog\/author\/devonk\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Securing FieldShield Encryption Keys with Alliance Key Manager - IRI","description":"Learn to use Alliance Key Manager (AKM) from Townsend Security to store and retrieve encryption keys in IRI FieldShield data masking jobs.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/","og_locale":"en_US","og_type":"article","og_title":"Securing FieldShield Encryption Keys with Alliance Key Manager","og_description":"Learn to use Alliance Key Manager (AKM) from Townsend Security to store and retrieve encryption keys in IRI FieldShield data masking jobs.","og_url":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/","og_site_name":"IRI","article_published_time":"2019-11-13T16:50:37+00:00","article_modified_time":"2024-06-18T21:16:13+00:00","og_image":[{"width":1110,"height":367,"url":"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png","type":"image\/png"}],"author":"Devon Kozenieski","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Devon Kozenieski","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#article","isPartOf":{"@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/"},"author":{"name":"Devon Kozenieski","@id":"https:\/\/www.iri.com\/blog\/#\/schema\/person\/de972c035aaeecfc40a3ae2ea5ff7ba1"},"headline":"Securing FieldShield Encryption Keys with Alliance Key Manager","datePublished":"2019-11-13T16:50:37+00:00","dateModified":"2024-06-18T21:16:13+00:00","mainEntityOfPage":{"@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/"},"wordCount":1588,"commentCount":0,"publisher":{"@id":"https:\/\/www.iri.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#primaryimage"},"thumbnailUrl":"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png","keywords":["AKM","Alliance Key Manager","data encryption","decryption","encryption key","IRI FieldShield","Linux"],"articleSection":["Data Masking\/Protection","IRI Business"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/","url":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/","name":"Securing FieldShield Encryption Keys with Alliance Key Manager - 
IRI","isPartOf":{"@id":"https:\/\/www.iri.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#primaryimage"},"image":{"@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#primaryimage"},"thumbnailUrl":"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png","datePublished":"2019-11-13T16:50:37+00:00","dateModified":"2024-06-18T21:16:13+00:00","description":"Learn to use Alliance Key Manager (AKM) from Townsend Security to store and retrieve encryption keys in IRI FieldShield data masking jobs.","breadcrumb":{"@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#primaryimage","url":"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png","contentUrl":"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png","width":1110,"height":367},{"@type":"BreadcrumbList","@id":"https:\/\/www.iri.com\/blog\/data-protection\/fieldshield-encryption-alliance-key-manager\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.iri.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Securing FieldShield Encryption Keys with Alliance Key Manager"}]},{"@type":"WebSite","@id":"https:\/\/www.iri.com\/blog\/#website","url":"https:\/\/www.iri.com\/blog\/","name":"IRI","description":"Total Data Management 
Blog","publisher":{"@id":"https:\/\/www.iri.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.iri.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.iri.com\/blog\/#organization","name":"IRI","url":"https:\/\/www.iri.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.iri.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/02\/iri-logo-total-data-management-small-1.png","contentUrl":"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/02\/iri-logo-total-data-management-small-1.png","width":750,"height":206,"caption":"IRI"},"image":{"@id":"https:\/\/www.iri.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.iri.com\/blog\/#\/schema\/person\/de972c035aaeecfc40a3ae2ea5ff7ba1","name":"Devon Kozenieski","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.iri.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e4c421588c1a85dd9a76146fe15528f7?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e4c421588c1a85dd9a76146fe15528f7?s=96&d=blank&r=g","caption":"Devon 
Kozenieski"},"url":"https:\/\/www.iri.com\/blog\/author\/devonk\/"}]}},"jetpack_featured_media_url":"https:\/\/www.iri.com\/blog\/wp-content\/uploads\/2019\/11\/FieldShield-AKM-Schematic.png","_links":{"self":[{"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/posts\/13341"}],"collection":[{"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/users\/119"}],"replies":[{"embeddable":true,"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/comments?post=13341"}],"version-history":[{"count":19,"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/posts\/13341\/revisions"}],"predecessor-version":[{"id":17624,"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/posts\/13341\/revisions\/17624"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/media\/13348"}],"wp:attachment":[{"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/media?parent=13341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/categories?post=13341"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.iri.com\/blog\/wp-json\/wp\/v2\/tags?post=13341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}