toc

FAQ

These are some questions we are frequently asked by our customers.

Encryption

Below you'll find questions related to encrypting data.

What encryption scheme does Evervault use?

You can learn more about the Evervault Encryption Scheme (EES) here.

Do I need to manage encryption keys?

No. Simply include our SDKs and Relay your data or deploy your functions to an Evervault Cage. We handle everything else.

Where do I encrypt data?

You can encrypt data where it enters your infrastructure — either using Evervault Relay or our SDKs.

Why is there no decrypt() function in the Evervault SDKs?

Traditionally, encryption has only been useful if it was a reversible transformation, i.e. if the encrypted data could be reversed back to its original, unencrypted form. If encryption was not reversible, the encrypted data was considered unreadable and unusable. This is why most encryption libraries have a decrypt() function available.

Evervault Cages and Relay make the need for a decrypt() function redundant.

Cages are secure, serverless functions for processing encrypted data. That is, encrypted data remains readable and usable — without the need for a decrypt() function being available.

You can deploy a Cage to return data in its unencrypted form. Cage runs are logged so that you can see who accessed plaintext data.

Relay is a proxy for encrypting data before it touches your API, and for decrypting it as you send it to a third-party API or return it to your users. Decryption takes place in E3, so no decrypt() function is necessary in our SDKs.

Why is Evervault better than encryption at rest and in transit?

Encryption in transit (using TLS) protects against man-in-the-middle attacks between the client and your server.

Encryption at rest (at the disk-level, file-system-level, and database-level) protects against someone taking the physical drive from your machine and overriding your file-system, and prevents a non-authenticated admin accessing your database.

However, neither encryption in transit or at rest protect against a malicious agent on your server because data still gets decrypted to be processed.

With Evervault, data never exists on your infrastructure in plaintext — so it can never be lost or leaked.

Why is Evervault better than open-source encryption libraries?

There are two core reasons why Evervault is better than encryption libraries:

  1. No plaintext data on your infrastructure

    With encryption libraries like Web Crypto and Tink, you still need to decrypt sensitive data to process and get value from it. With Evervault, sensitive data is never decrypted (i.e. never exists in plaintext) on your infrastructure—so you cannot lose or leak it.

  2. No need to manage encryption keys

    With encryption libraries, you still need to manage encryption keys. Using Evervault means that you do not need to manage encryption keys. We take full responsibility for key management. The way we configure key management means that Evervault cannot decrypt your data—because your team’s API key is necessary for decryption.

Learn more about the Evervault Encryption Scheme.

Storage

Below you'll find questions related to storing encrypted data.

Where do I store data I encrypted with Evervault?

You store the data in your database as normal. There’s no need to change your data structure or format.

Other

Where are my Evervault API keys?

Your API keys can be found in Settings.

Is Evervault compliant?

We are fully PCI DSS Level 2 and SOC 2 Type II compliant. We can enter into BAAs under HIPAA. We are in the process of becoming PCI DSS Level 1 compliant.

Request our reports →

What languages are Evervault's SDKs?

Our SDK is available for Node.js and Python. We will be adding support for more languages soon.


Was this page useful?