Encryption Algorithms

Protect Data at Risk with FIPS-Compliant Libraries

The IRI FieldShield data masking product, and the IRI Voracity data management platform that includes it, can encrypt data in tables and files at the column (field) level with a choice of proven algorithms:



AES-128, AES-256,
with and without FPE

Compliant with NSA's Suite B-level security, IRI's 128 and 256-bit Advanced Encryption Standard (AES) are implemented in FieldShield and CellShield (as well as CoSort and Voracity). Produce either standard ciphertext, or width- and format-preserving encryption (FPE) results that maintain the original appearance of the column value. Use your own passphrase string, file or environment variable as an encryption key. The ciphertex contains printable characters for processing and display and, in the case of FPE, retains the original format of the data.


Asymmetric encryption and decryption routines enable users to locate and make use of public key ring files on central servers. IRI's GPG implementation is PGP-compatible.


Symmetric encryption and decryption routines enable users to locate and make use of public key ring files on central servers, EBC, and OpenSSL implementations.


IRI uses the OpenSSL FIPS Object Module for AES and 3DES to conform to the FIPS 140-2 computer security standard, under the NIST Cryptographic Module Validation Program.


Support for custom, field-level transformations in FieldShield or Voracity also means that you can specify your own encryption keys, alternate encryption library, or other field protection functions. So, if you prefer Twofish or any other algorithm, use it.

Other Protection Functions


In addition to encryption, FieldShield and Voracity support the use of field-level de-identification routines, bit-level manipulation and other anonymizing masking functions, hashing, lookup pseudonymization, conditional value filtering, and wholesale field redaction. IRI CellShield supports several of the same functions for encrypting cell values in Excel spreadsheets.

To improve protection and verify compliance with privacy regulations, you can also specify the creation of of a query-ready audit trial with each job. The XML log records every parameter in the job, including paths and names of the encryption libraries used, and the protection functions applied to each field.

How-to Articles

Other Resources