Security

Data Policies

Data Policies are rules that govern the conditions under which specific pieces of encrypted data can be decrypted. These Policies are fine-grained and can be created to explicitly permit or forbid decryption, depending on the context of the decryption. These Policies are embedded in the encrypted data at the time of encryption, ensuring that the data itself understands where and when it can be decrypted.

A diagram that shows how Data Policies work. The diagram shows what happens when a policy grants and denies access. The former decrypts data, the latter does not

Here are some examples of what Data Policies can be used for:

  • Permit decryption of OAuth tokens using Relay to a specific destination
  • Permit decryption of data by a given Function
  • Permit decryption of data by an IP address
  • Permit decryption for a specific amount of time
  • Permit decryption for a specific revision of an Enclave using PCRs

Data Roles

Data Roles are an abstraction for a category of data. They can be attached to a piece of data at encryption time, allowing for granular control over how that data can be decrypted in the future. Each Data Role has a corresponding set of decryption Policies that specify how data tagged with that Role can be decrypted. These Policies are evaluated at decryption time and determine whether or not a particular piece of data can be decrypted given the current context.

Data Roles can be managed in the Evervault Dashboard through the Data Policies section. A Role must be created in the Dashboard before it can be associated with individual data elements.

A diagram showing the hierarchy of Data Policies. Policies are attached to a Role, and Roles are attached to data.

Assign Policies to a Role

Data Policies are attached to specific Roles and can be managed via the Evervault Dashboard. In contrast to Data Roles, which become fixed once embedded in encrypted data, Policies remain changeable. This means the rules governing already-encrypted data can be updated as its usage changes over time, without re-encrypting the data.

Attaching a Role to data at encryption

A Data Role is attached to data during the encryption process. The Data Role is embedded into the encrypted data along with important metadata. A Data Role can be attached to data in a few different ways, depending on how you are using Evervault to encrypt your data.

A Data Role can be assigned to values encrypted using Relay. A Data Role can be specified when adding a field to encrypt to your Relay configuration.

Learn more about how to encrypt data with Relay

Policies Evaluation

When decrypting data linked to a specific Role, the associated Policies for that Role are retrieved. These Policies are assessed in the following manner:

  1. The Policies are individually examined, and decryption is immediately rejected if any policy contains a rule that explicitly prohibits it.
  2. In the absence of any explicit denial, the presence of at least one policy that explicitly authorizes decryption will result in decryption being permitted. Without such explicit permission, decryption is not allowed.
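As an added illustration of the two-step evaluation above and of the kinds of conditions listed under Data Policies (destination, Function, IP address, time window, Enclave PCRs), here is a small evaluator written for this page. It is not Evervault's code: the policy shape, the context keys (`destination`, `function`, `source_ip`, `now`, `pcrs`), the condition names, and the sample role `payment-token` are all assumptions made for the example. The Role is read from the encrypted blob (fixed at encryption time), while the Policies are looked up separately (changeable), mirroring the split the page describes.

```python
"""Added example, not Evervault's implementation: deny-first, allow-required,
default-deny evaluation of Data Policies attached to a Data Role.
Policy shape, context keys, and condition names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Policy:
    effect: str                                   # "allow" or "deny"
    conditions: Dict[str, object] = field(default_factory=dict)


# Condition evaluators (assumed names). Each returns True when the decryption
# context satisfies the condition the policy carries.
def _destination(expected, ctx):
    return ctx.get("destination") == expected          # Relay destination host

def _function(expected, ctx):
    return ctx.get("function") == expected             # Function performing the decrypt

def _source_ip(expected_cidr, ctx):
    src = ctx.get("source_ip")
    return src is not None and ip_address(src) in ip_network(expected_cidr)

def _before(deadline, ctx):
    now = ctx.get("now")                                # time-bounded decryption
    return now is not None and now < deadline

def _pcrs(expected, ctx):
    actual = ctx.get("pcrs", {})                        # Enclave measurement values
    return all(actual.get(k) == v for k, v in expected.items())


CONDITIONS: Dict[str, Callable] = {
    "destination": _destination,
    "function": _function,
    "source_ip": _source_ip,
    "before": _before,
    "pcrs": _pcrs,
}


def policy_matches(policy: Policy, ctx: dict) -> bool:
    """A policy applies to a request only when every one of its conditions holds."""
    return all(CONDITIONS[name](expected, ctx)
               for name, expected in policy.conditions.items())


def evaluate(policies: List[Policy], ctx: dict) -> bool:
    # Step 1: any matching policy with an explicit deny rejects the request outright.
    if any(p.effect == "deny" and policy_matches(p, ctx) for p in policies):
        return False
    # Step 2: with no deny in play, at least one matching explicit allow is
    # required. No matching allow means decryption is refused (default deny).
    return any(p.effect == "allow" and policy_matches(p, ctx) for p in policies)


# Constructed sample: the policies currently attached to a hypothetical Role.
EXPIRY = datetime(2030, 1, 1, tzinfo=timezone.utc)
ROLE_POLICIES: Dict[str, List[Policy]] = {
    "payment-token": [
        # Relay may forward the plaintext only to one host from the internal range.
        Policy("allow", {"destination": "api.processor.example",
                         "source_ip": "10.0.0.0/8"}),
        # A named Function may decrypt, but only from an Enclave build with
        # the expected PCR0 and only until the expiry date.
        Policy("allow", {"function": "settle-payments",
                         "pcrs": {"PCR0": "pcr0-placeholder"},
                         "before": EXPIRY}),
        # Explicit prohibition: this Function may never decrypt, whatever else matches.
        Policy("deny", {"function": "debug-dump"}),
    ]
}


def can_decrypt(blob: dict, ctx: dict, role_policies=ROLE_POLICIES) -> bool:
    """The Role travels inside the encrypted blob; its Policies are fetched at
    decryption time, so updating them affects data encrypted earlier."""
    policies = role_policies.get(blob.get("role"))
    if not policies:                         # unknown or policy-less Role: refuse
        return False
    return evaluate(policies, ctx)


# Constructed encrypted value: ciphertext is a placeholder, the Role is real metadata.
BLOB = {"role": "payment-token", "ciphertext": "ev:placeholder"}

if __name__ == "__main__":
    ctx = {"destination": "api.processor.example", "source_ip": "10.1.2.3"}
    print("relay to processor:", can_decrypt(BLOB, ctx))           # True
    ctx = {"function": "debug-dump", "destination": "api.processor.example",
           "source_ip": "10.1.2.3"}
    print("debug-dump with matching allow:", can_decrypt(BLOB, ctx))  # False
```

Note the ordering in `evaluate`: the deny check runs over all policies before any allow is considered, so an allow that happens to match the same request cannot override a matching deny, and a request that matches nothing is refused rather than permitted.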