Abstract: The present disclosure relates to deriving cryptographic keys for use in encrypting data based on a plaintext to be encrypted. An example method generally includes receiving, from a querying device, a request for a cryptographic key. The request generally includes data derived from a plaintext value to be encrypted and an indication of a type of the plaintext value to be encrypted. A cryptographic key is generated based, at least in part, on the derived data and the type of the plaintext value to be encrypted. The key deriver transmits the generated cryptographic key to the querying device.

Abstract: The present disclosure relates to processing data queries on a logically sharded data store. An example method generally includes receiving, from a client device, a query. The query generally comprises one or more data items and wherein at least one of the one or more data items comprises sensitive data. A query processor obtains, from a key management server, a cryptographic key to use to encrypt the record based on data derived from the one or more data items comprising sensitive data and a type of the sensitive data. The query processor generates an encrypted query based on the query and the obtained cryptographic key and executes the encrypted query against the logically sharded database.

Abstract: A method and system provides access control for sensitive data. An access control system defines a plurality of access policies for gaining access to the sensitive data. Each access policy includes a plurality of rules that indicate whether or not the client machine can gain access to an initial access secret under the policy. When the access control system receives access request data from a client machine requesting access to the access control system under one of the policies, the access control system compares characteristics of the client machine to the rules of the access policy. If the characteristics of the client machine satisfy the rules of the access policy in the access control system provides an initial access secret, such as an application key, to the client machine.

Abstract: A method and system provides access control for sensitive data. An access control system defines a plurality of access policies for gaining access to the sensitive data. Each access policy includes a plurality of rules that indicate whether or not the client machine can gain access to an initial access secret under the policy. When the access control system receives access request data from a client machine requesting access to the access control system under one of the policies, the access control system compares characteristics of the client machine to the rules of the access policy. If the characteristics of the client machine satisfy the rules of the access policy in the access control system provides an initial access secret, such as an application key, to the client machine.