User Guide

Protection of Data Integrity with NOVLT

The Privitar NOVLT base secret is used to generate a unique encryption key for each rule and PDD. These generated keys keep tokenized output consistent and also allow tokenization to be unmasked. The encryption algorithm is further strengthened using randomly generated salts; salt values are stored in the configuration database of the platform’s control plane. Each salt value should be a base64-encoded string of a maximum of 32 bytes.

For added security, the salt and base secret are stored separately: the base secret is stored in the KMS/secrets manager, and the salt is stored in the control plane configuration database. An attacker can remove tokenization from previously generated output data only by compromising both the secrets manager and the configuration database.

In the event that an attacker compromises a base secret, you can rotate the base secret.
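
The derivation and storage separation described above, as an added example that is not Privitar's code: NOVLT's actual algorithm is not given on this page, so HKDF-SHA256 (RFC 5869) stands in for it. The function names, the rule and PDD identifiers, the sample values, and the reading of the 32-byte limit as the decoded salt length are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac

MAX_SALT_BYTES = 32  # assumption: the 32-byte limit applies to the decoded salt


def decode_salt(salt_b64: str) -> bytes:
    """Validate a salt as strict base64 that decodes to 1..32 bytes."""
    try:
        salt = base64.b64decode(salt_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("salt is not valid base64") from exc
    if not 0 < len(salt) <= MAX_SALT_BYTES:
        raise ValueError("salt must decode to 1..32 bytes")
    return salt


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF with SHA-256: extract with the salt, then expand with info."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_rule_key(base_secret: bytes, salt_b64: str, rule_id: str, pdd_id: str) -> bytes:
    """Derive one key per (rule, PDD) pair; both the secret and the salt are required."""
    info = f"rule={rule_id};pdd={pdd_id}".encode()
    return hkdf_sha256(base_secret, decode_salt(salt_b64), info)


# Constructed sample values, not real secrets.
BASE_SECRET = b"constructed-base-secret-from-kms"        # would live in the KMS/secrets manager
SALT_B64 = base64.b64encode(bytes(range(32))).decode()   # would live in the configuration database

if __name__ == "__main__":
    print(derive_rule_key(BASE_SECRET, SALT_B64, "rule-1", "pdd-A").hex())
```

Holding only one of the two inputs yields a different key, and deriving with a rotated base secret yields a key unrelated to the old one.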