User Guide

Protection of Data Integrity with NOVLT

The Privitar NOVLT base secret is used to generate unique encryption keys for each rule and PDD. These generated keys keep tokenized output consistent and also allow tokenization to be unmasked. The encryption algorithm is further strengthened with randomly generated salts, which are stored in the configuration database of the platform’s control plane. Each salt value should be a base64-encoded string of up to 32 bytes.

As added security, the salt and base secret are stored separately: the base secret is stored in the KMS/secrets manager, and the salt is stored in the control plane configuration database. An attacker can remove tokenization from previously generated output data only by compromising both the secrets manager and the configuration database.
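The sketch below is an added example, not Privitar's code: it illustrates the design in the two paragraphs above, with a salt format check followed by a per-rule, per-PDD key that can only be rebuilt with both the base secret and the salt. The page does not document the actual derivation, so HKDF-SHA256 stands in for it; the function names, the sample identifiers, and the reading of "32 bytes" as the decoded salt length are assumptions.

```python
import base64
import binascii
import hashlib
import hmac

MAX_SALT_BYTES = 32  # assumption: the 32-byte limit applies to the decoded salt

# Constructed sample values, not real secrets.
BASE_SECRET = b"constructed-base-secret-from-kms"          # would live in the KMS
SALT = base64.b64encode(bytes(range(32))).decode()         # would live in the config DB


def decode_salt(salt_b64: str) -> bytes:
    """Check a salt against the stated format: base64, up to 32 bytes."""
    try:
        salt = base64.b64decode(salt_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("salt is not valid base64") from exc
    if not 0 < len(salt) <= MAX_SALT_BYTES:
        raise ValueError("salt must decode to between 1 and 32 bytes")
    return salt


def derive_key(base_secret: bytes, salt_b64: str, rule_id: str, pdd_id: str) -> bytes:
    """HKDF-SHA256 (RFC 5869) as a stand-in for the undocumented derivation."""
    salt = decode_salt(salt_b64)
    # Extract: mix the KMS-held base secret with the database-held salt.
    prk = hmac.new(salt, base_secret, hashlib.sha256).digest()
    # Expand: bind the key to one rule and one PDD. Length prefixes keep
    # ("ab", "c") and ("a", "bc") from producing the same context string.
    parts = (rule_id.encode(), pdd_id.encode())
    info = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


if __name__ == "__main__":
    key = derive_key(BASE_SECRET, SALT, "rule-1", "pdd-1")
    # Same inputs give the same key, which is what keeps tokens consistent.
    print("repeatable:", key == derive_key(BASE_SECRET, SALT, "rule-1", "pdd-1"))
    # Changing the rule or the base secret changes the key.
    print("per-rule:", key != derive_key(BASE_SECRET, SALT, "rule-2", "pdd-1"))
    print("needs secret:", key != derive_key(b"wrong", SALT, "rule-1", "pdd-1"))
```
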

Tip

If an attacker compromises a base secret, you can rotate the secrets.