A Data Encryption Platform for Developers

1. Can I create multiple API Keys for a single application?

Yes. Every API Key can encrypt or decrypt the data associated with its Registered Application (which has its own unique Master Encryption Key). We recommend using separate API Keys for each service or host that needs to interact with a given encrypted dataset and creating different Registered Applications for each encrypted dataset. For instance, if you use the Ubiq Platform to encrypt user database records in a web application, each back-end host should have and use a unique API Key. We strongly recommend that you create a new Registered Application for each unique application or dataset you’d like to encrypt data for.

2. What encryption algorithms do you currently support?

We currently support AES-256-GCM and AES-128-GCM, with more algorithms coming in the future. Please contact us if you have specific needs and we can work with you to include them.

3. What is your standard key rotation policy? Can the key rotation policy be customized?

By default, keys are rotated annually. It can be adjusted to 3, 6, 12, 18, 24, or 36 months on a per-Master Encryption Key basis.

4. Are your APIs REST based?

Yes. The Ubiq API is organized around REST. Our API has predictable resource-oriented URLs, accepts form-encoded request bodies, returns JSON-encoded responses, and uses standard HTTP response codes, authentication, and verbs.

5. Where are my encryption keys stored?

Data encryption keys: Each encrypted block of data has a unique Data Encryption Key stored with it. The Data Encryption Key is randomly generated when the data is encrypted and is encrypted with the Master Encryption Key for the application by Ubiq before being stored.

Master encryption keys: Master Encryption Keys are stored within a FIPS 140-2 Level-3 compliant Hardware Security Module (HSM) within our cloud infrastructure.

6. How do I re-key my data (change the Data Encryption Key that was last used to encrypt it)?

First, rotate the Application Master Keys associated with the data. This generates a new Application Master Key which will be used for all future encryption operations; the old key is retained to decrypt previous data. Then for each encrypted data element or block, decrypt and re-encrypt it using the Ubiq API. The API will automatically use the old Application Master Key to decrypt the data and the new Application Master Key to encrypt it.

7. Do you support Multi-Factor Authentication (MFA) when logging into the Ubiq Platform?

Yes – we actually require MFA using TOTP (E.G. Google Authenticator) for login and sensitive operations such as key rotation or modifying encryption policies.

8. I'm trying to sign into the Dashboard, but I don't have access to my MFA device or my recovery code. What can I do?

It is very important that you store your MFA Recovery Code in a safe place in case you lose or replace your MFA Device. However, if you lost, misplaced or failed to record your MFA Recovery Code, then please contact Ubiq Support to regain access to your account.

9. Does the Ubiq platform support applications running in cloud, multi-cloud, or hybrid cloud environments?

Yes. The Ubiq Platform is fully cloud provider and deployment agnostic. Your application can run in any environment, so long as it can access our platform over the internet.

10. Can I encrypt just a single data element or file or do I need to encrypt all of it (as a group)?

It’s entirely up to you. Our APIs are extremely flexible and can be used to encrypt as much or as little data as you wish.

11. What happens if the Ubiq Platform becomes unavailable? What happens if my application loses access to the internet?

Internet access to our platform is required for access to our APIs. If they are inaccessible, you will be unable to encrypt or decrypt data. Accordingly, the Ubiq Platform is designed to be highly resilient and reliable. You can see our current and historic availability information at status.ubiqsecurity.com

12. What data does the Ubiq Platform see? Does our customer data ever leave our environment?

The Ubiq Platform sees only calls to encrypt and decrypt specific Data Encryption Keys, which are randomly generated and don’t reveal any information about your customer data.

Your customer data never leaves your environment.

13. Does encrypting data with the Ubiq Platform change its size?

Yes. Our encrypted record format incurs a nominal amount of space overhead per record.

14. What languages or platforms do you support? Are your libraries native implementations? Are they open source?

We currently support most major programming languages. You can find those details at dev.ubiqsecurity.com.

Each implementation is supported on most or all platforms the language itself supports and uses either native cryptographic primitives provided by the language or operating system, or well-vetted industry standard third-party libraries.

Our libraries are open source and you can find the source code for all of them in our GitLab and GitHub repositories.

15. How can we partition data access so that applications can read only a subset of our data?

Each API key associated with a Registered Application can encrypt and decrypt any data for that application. To create partitioned datasets, create a new Registered Application for each partition (which will create a new, unique Master Encryption Key), then create Authorized Applications and distribute the API keys they will need access to that partition.

16. What auditing features do you support?

Events: Within the Ubiq Dashboard, under API -> Events, we log every encrypt and decrypt API call that is made for your account.

Security History: Within the Ubiq Dashboard, under Settings -> Account Settings -> Security History, we log user security activity, such as logins, account activity, such as account creation, application activity, such as application registration, and several other categories of information.

The information in both Events and Security history are exportable via CSV.

17. Describe key lifetime in memory. Can you deal with multi-threaded environments?

Keys are loaded into memory only as long as required to encrypt or decrypt data and are flushed from memory afterwards. Libraries are fully capable of multi-threaded operations.

18. Does our data have to be formatted or stored in a specific way to use the Ubiq Platform?

No. Our APIs work on the level of blocks of bytes and can work with any data format or storage medium.

19. What is your onboarding process?

Our platform is designed to be entirely self-service. Please visit our docs page on how to get up and running.

20. Where does your platform infrastructure reside?

Our platform currently runs in the USA. Our longer-term plans include running components of our platform in other international regions.

21. How do you license your product?

We have a simple and transparent licensing model: a flat charge per encrypt API call. See our pricing page for more information.

22. Can we supply our own HSM/KMS instead of using the Ubiq-managed ones?

Not at this time. We have long-term plans to support customer managed KMS/HSM systems. If this is a requirement, please contact us for more information.

23. How do we prevent unauthorized access via the API keys? Can we restrict API access by IP source/other?

API key/credential security is the responsibility of the customer, including account credentials, API Key usage, and access. We encourage our customers to explore the use of industry-vetted secrets management solutions, approaches, and strategies to protect any API keys, passwords, certificates, and other secret material.

We do not currently support the ability to restrict API access by source IP address.

24. Can we submit a purchase order? Can you invoice me?

When you subscribe to the Developer plan online, we’ll send you an invoice every month. For other arrangements such as enterprise agreements, please contact us and we will work with you on an appropriate strategy for your use case and organization, including invoicing and procurement details.

25. How long do I have in the dashboard until I get logged out?

To help prevent account compromise, you will be logged out after 30 minutes of inactivity.

26. How is the Ubiq Platform different from standard KMS solutions?

A KMS only offers a small fraction of the functionality offered by the Ubiq Platform. Our platform builds on a traditional KMS to add encryption policy support, automated key rotation and management, access controls, and an interoperable, open data storage format accessible through our suite of simple APIs.

27. How can I protect access to my API keys?

We encourage our customers to explore the use of industry-vetted secrets management solutions, approaches, and strategies to protect any API keys, passwords, certificates, and other secret material.

28. Can we use our own cryptographic libraries?

Yes. Our client libraries are open source and leverage industry-vetted encryption libraries, and you are free to modify our client libraries to leverage your preferred cryptographic libraries.

29. What is a Registered Application?

A Registered Application represents an application or dataset for which you would like to perform encrypt and decrypt functions.

30. What is an Authorized Application?

An Authorized Application represents an application that has the ability to encrypt or decrypt data for a Registered Application.

31. What is the relationship between a Registered Application and an Authorized Application?

In a nutshell, parent-child. Whereas the Registered Application is parent and the Authorized Application is child.

32. What is a Master Encryption Key?

A Master Encryption Key, also knowns as a Symmetric Master Key, “is used to derive other symmetric keys (e.g., data encryption keys, key wrapping keys, or authentication keys) using symmetric cryptographic methods.”*

33. What is a Data Encryption Key?

A Data Encryption Key, also known as a Symmetric Data Encryption Key, is “used with symmetric key algorithms to apply confidentiality protection to information.”* Data Encryption Keys are derived leveraging Master Encryption Keys.

34. What browsers do you support?

Chrome and Safari

Data Type
Unstructured
Structured

Data encryption designed for modern threats

The most effective and efficient way to protect sensitive application data

How Ubiq can help you

Automate secure key management

Enable rapid compliance

Get started in minutes

Reduce the risk of data theft

Protect any data type

Integrate into any application type

How to get started

Into the future of encryption

10 min

9 languages

Data Type

Stop figuring out crypto, start writing code.

Application vulnerabilities we help you protect against

Identification and Authentication Failures

Broken Access Control

Injection

Threats we help you protect against

Insider threats

Supply chain attacks

Advanced attackers

Frequently asked questions