Acra

Database protection suite with field level encryption and intrusion detection.

Acra provides application-level encryption for data fields, multi-layered access control, database leakage prevention, and intrusion detection capabilities in one suite. Acra was specifically designed for distributed apps (web, server-side and mobile) that store data in one or many databases / datastores.

Acra gives you tools for encrypting each sensitive data record (data field, database cell, JSON) before storing it in the database / file storage, and then decrypting it in a secure compartmented area (on the Acra side). Acra lets you encrypt data as early as possible and operate on encrypted data.

Acra's cryptographic design ensures that no secret (password, key, etc.) leaked from the application or database will be sufficient for decryption of the protected data. Acra minimises the leakage scope, detects unauthorised behavior, and prevents the leakage, informing operators of the incident underway.

Major security features:
- Application-level encryption: encryption on the client side and/or the Acra side; each data field is encrypted using unique encryption keys.
- Selective encryption: you select which columns to encrypt to balance good security and performance.
- Fast and reliable crypto: two crypto-envelopes: AcraBlocks and AcraStructs.
- Searchable encryption: search through encrypted data without decryption. Designed for exact queries, based on AES-GCM and blind index.
- Masking / anonymization: use full or partial masking to remove or mask sensitive data.
- Tokenization: substitute sensitive data with a token and match it to original only when needed.
- Basic key management tools: built-in tools for key generation, export, backup, rotation, etc.
- Blocking suspicious SQL queries: through a built-in SQL firewall.
- Intrusion detection: using poison records (honey tokens) to warn about suspicious behaviour.
- Key rotation without data re-encryption: available for Acra Enterprise users.
- KMS support: available for Acra Enterprise users.
- Cryptographically protected audit log: available for Acra Enterprise users.
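
The searchable-encryption item above pairs AES-GCM with a blind index. The following Go sketch is an added illustration of that general pattern, not Acra's code or API: the names `Row`, `Protect`, `Search`, `blindIndex` and `newGCM` are hypothetical, and using HMAC-SHA256 as the blind-index function is an assumption, since the page does not say how Acra derives its index.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Row struct{ Index, Ciphertext []byte } // blind index (HMAC-SHA256, assumed); nonce || AES-GCM

func blindIndex(indexKey [32]byte, value string) []byte {
	m := hmac.New(sha256.New, indexKey[:])
	m.Write([]byte(value))
	return m.Sum(nil)
}

func newGCM(encKey [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(encKey[:]) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)       // cannot fail for an AES block
	return gcm
}
// Protect (hypothetical helper, not Acra's API) encrypts value under a fresh
// random nonce and attaches its deterministic blind index.
func Protect(encKey, indexKey [32]byte, value string) Row {
	gcm := newGCM(encKey)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Row{blindIndex(indexKey, value), gcm.Seal(nonce, nonce, []byte(value), nil)}
}
// Search compares blind indexes only; just the matching rows are decrypted.
func Search(encKey, indexKey [32]byte, rows []Row, query string) (hits []string) {
	gcm, want := newGCM(encKey), blindIndex(indexKey, query)
	for _, r := range rows {
		if n := gcm.NonceSize(); hmac.Equal(r.Index, want) {
			if pt, err := gcm.Open(nil, r.Ciphertext[:n], r.Ciphertext[n:], nil); err == nil {
				hits = append(hits, string(pt))
			}
		}
	}
	return hits
}

func main() {
	var ek, ik [32]byte // constructed all-zero demo keys, for illustration only
	fmt.Println(Search(ek, ik, []Row{Protect(ek, ik, "alice@example.com")}, "alice@example.com"))
}
```

Because the index is deterministic, equal values produce equal indexes, so the index column reveals which rows share a value; that is the trade-off for exact-match search over randomized ciphertexts.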

Acra delivers different layers of defense for different parts and stages of the data lifecycle. This is what defence in depth is – an independent set of security controls aimed at mitigating multiple risks in case of an attacker crossing the outer perimeter.