A RESTful API Delivers Flexibility for Vormetric Application Encryption

Security Application Key Management

One of the long standing challenges with security applications that involve data encryption has been key management. Where to get good keys? Where to store keys safely? With Thales eSecurity’s Vormetric Application Encryption (VAE) we’ve solved these problems by providing a PKCS #11 library and a connection to the Vormetric Data Security Manager (DSM), which both creates and stores encryption keys in a FIPS 140-2 compliant system.

Centralized Key and Policy Management

The DSM, the central component of the Vormetric Data Security Platform, provides centralized encryption key and encryption policy management not only for the entire Vormetric Data Security Platform (including Application Encryption), but also even for third party devices, for example, those using the Key Management Interoperability Protocol (KMIP).

AWS Builder Community Hub

Vormetric Application Encryption

Today’s Vormetric Application Encryption provides a library that provides the PKCS #11 interface as a dynamically loadable library (.DLL) on Windows and a shared object (.so) on Linux and UNIX. In addition, Vormetric Application Encryption also includes several security mechanisms enabling the server running the PKCS#11 library to communicate with the DSM for key management.

While this approach, which uses the VAE Software Development Kit (SDK), offers high performance for symmetric key operations and supports many mainstream operating systems (OSs) and languages, it does not support every OS and language. It is “application only”, and it can be, potentially, an IT resource disadvantage, because it requires library installation for both development and production servers. Library installation can be a particular issue for some types of elastic compute instances (mitigated, of course, with customized server templates).


Now, to offer our customers flexibility in using PKCS#11 with the Vormetric Data Security Platform and the DSM, we’ve developed a RESTful API for Vormetric Application Encryption.

How Does This Work?

RESTful APIs require a server to receive requests and authenticate them. Well, the Vormetric Tokenization Server does just that for Vormetric Tokenization with Dynamic Data Masking. So, we added a PKCS#11 library to the Tokenization Server. Basically in the same way that an app requests encryption and key management services on a local server, an app can now request those same services over a RESTful API. In fact, we’ve even done this before1! For several years you’ve known how easy it is to implement data tokenization, because that product has always worked with RESTful APIs.

Why RESTful APIs, anyway?

RESTful APIs are text-based and are available on any operating system that supports Web services. Because they’re network- and text-based, you can use them into command lines (for example, using CURL on Linux and Windows) for testing, or tuck them into scripts, or embed them into your favorite application programming language. Finally, with no library required, you can potentially realize some operational cost advantages.


The overall benefit is that now organizations have more flexibility and choice. Regardless of your application encryption needs, we likely have an answer. And, if we don’t, we’ll see it as an opportunity to create another solution!

A RESTful API Delivers Flexibility for Vormetric Application Encryption

Interested in continuing this discussion? Tweet to me @cyberswimmer or message me on LinkedIn at If you’re attending RSA this week I’ll be working the Thales booth. You can find us at #3425, North Expo, in the Moscone Center.

1We’ve been careful, in the RESTful APIs for nShield and Vormetric Application Encryption, to keep the syntax the same. You can write your app and switch between key managers! With some restrictions, of course.

The post A RESTful API Delivers Flexibility for Vormetric Application Encryption appeared first on Data Security Blog | Thales e-Security.

*** This is a Security Bloggers Network syndicated blog from Data Security Blog | Thales eSecurity authored by Eric Wolff. Read the original post at: