FAQs

Yes. Every API Key can encrypt or decrypt the data associated with its Registered Application (which has its own unique Master Encryption Key). We recommend using separate API Keys for each service or host that needs to interact with a given encrypted dataset and creating different Registered Applications for each encrypted dataset. For instance, if you use the Ubiq Platform to encrypt user database records in a web application, each back-end host should have and use a unique API Key. We strongly recommend that you create a new Registered Application for each unique application or dataset you’d like to encrypt data for.
We currently support AES-256-GCM and AES-128-GCM, with more algorithms coming in the future. Please contact us if you have specific needs and we can work with you to include them.
By default, keys are rotated annually. It can be adjusted to 3, 6, 12, 18, 24, or 36 months on a per-Master Encryption Key basis.
Yes. The Ubiq API is organized around REST. Our API has predictable resource-oriented URLs, accepts form-encoded request bodies, returns JSON-encoded responses, and uses standard HTTP response codes, authentication, and verbs.
Data encryption keys: Each encrypted block of data has a unique Data Encryption Key stored with it. The Data Encryption Key is randomly generated when the data is encrypted and is encrypted with the Master Encryption Key for the application by Ubiq before being stored.

Master encryption keys: Master Encryption Keys are stored within a FIPS 140-2 Level-3 compliant Hardware Security Module (HSM) within our cloud infrastructure.
First, rotate the Application Master Keys associated with the data. This generates a new Application Master Key that will be used for all future encryption operations; the old key is retained so that previously encrypted data can still be decrypted. Then, for each encrypted data element or block, decrypt and re-encrypt it using the Ubiq API. The API automatically uses the old Application Master Key to decrypt the data and the new Application Master Key to encrypt it.
Yes. We require MFA using TOTP (e.g. Google Authenticator) for login and for sensitive operations such as key rotation or modifying encryption policies.
It is very important that you store your MFA Recovery Code in a safe place in case you lose or replace your MFA Device. However, if you lost, misplaced or failed to record your MFA Recovery Code, then please contact Ubiq Support to regain access to your account.
Yes. The Ubiq Platform is fully cloud provider and deployment agnostic. Your application can run in any environment, so long as it can access our platform over the internet.
It’s entirely up to you. Our APIs are extremely flexible and can be used to encrypt as much or as little data as you wish.
Internet access to our platform is required to reach our APIs. If they are unreachable, you will be unable to encrypt or decrypt data. Accordingly, the Ubiq Platform is designed to be highly resilient and reliable. You can see our current and historic availability information at status.ubiqsecurity.com.
The Ubiq Platform sees only calls to encrypt and decrypt specific Data Encryption Keys, which are randomly generated and don't reveal any information about your customer data.

Your customer data never leaves your environment.
Yes. Our encrypted record format incurs a nominal amount of space overhead per record.
We currently support most major programming languages. You can find those details at dev.ubiqsecurity.com.

Each implementation is supported on most or all platforms the language itself supports and uses either native cryptographic primitives provided by the language or operating system, or well-vetted industry standard third-party libraries.

Our libraries are open source and you can find the source code for all of them in our GitLab and GitHub repositories.
Each API key associated with a Registered Application can encrypt and decrypt any data for that application. To create partitioned datasets, create a new Registered Application for each partition (which creates a new, unique Master Encryption Key), then create Authorized Applications under it and distribute their API keys only to the services that need access to that partition.
Events: Within the Ubiq Dashboard, under API -> Events, we log every encrypt and decrypt API call that is made for your account.

Security History: Within the Ubiq Dashboard, under Settings -> Account Settings -> Security History, we log user security activity (such as logins), account activity (such as account creation), application activity (such as application registration), and several other categories of information.

The information in both Events and Security History is exportable as CSV.
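Because every encrypt and decrypt call is logged per account and exportable as CSV, the Events export is a natural input for a simple detection check: count calls per API key and flag keys whose decrypt volume is far above what that service normally does. The Go program below is an added example, not Ubiq's tooling; the FAQ does not specify the export's column layout, so the `timestamp,api_key_id,action,status` columns and the sample rows are constructed assumptions.

```go
package main

import (
	"encoding/csv"
	"errors"
	"io"
	"sort"
	"strings"
)

// sampleEvents is a constructed Events export; the column names are assumed.
const sampleEvents = `timestamp,api_key_id,action,status
2024-01-01T10:00:00Z,key-web-1,encrypt,ok
2024-01-01T10:00:05Z,key-web-1,decrypt,ok
2024-01-01T10:00:09Z,key-web-2,decrypt,ok
2024-01-01T10:01:00Z,key-batch,decrypt,ok
2024-01-01T10:01:01Z,key-batch,decrypt,ok
2024-01-01T10:01:02Z,key-batch,decrypt,ok
2024-01-01T10:01:03Z,key-batch,decrypt,ok
2024-01-01T10:01:04Z,key-batch,decrypt,ok
2024-01-01T10:01:05Z,key-batch,decrypt,error
2024-01-01T10:02:00Z,key-web-2,encrypt,ok
`

// Counts holds per-API-key totals of successful calls.
type Counts struct{ Encrypt, Decrypt int }

// CountByKey tallies successful encrypt and decrypt calls per API key,
// locating columns by header name so column order does not matter.
func CountByKey(r io.Reader) (map[string]Counts, error) {
	cr := csv.NewReader(r)
	header, err := cr.Read()
	if err != nil {
		return nil, err
	}
	col := map[string]int{}
	for i, h := range header {
		col[strings.TrimSpace(h)] = i
	}
	for _, need := range []string{"api_key_id", "action", "status"} {
		if _, ok := col[need]; !ok {
			return nil, errors.New("missing column " + need)
		}
	}
	out := map[string]Counts{}
	for {
		row, err := cr.Read()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		if row[col["status"]] != "ok" {
			continue // failed calls are not counted as successful access
		}
		key := row[col["api_key_id"]]
		c := out[key]
		switch row[col["action"]] {
		case "encrypt":
			c.Encrypt++
		case "decrypt":
			c.Decrypt++
		}
		out[key] = c
	}
	return out, nil
}

// FlagDecryptHeavy returns, sorted, the keys whose successful decrypt count
// exceeds threshold; a key decrypting far above its usual volume is worth review.
func FlagDecryptHeavy(counts map[string]Counts, threshold int) []string {
	var flagged []string
	for k, c := range counts {
		if c.Decrypt > threshold {
			flagged = append(flagged, k)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// Analyze runs both steps over an export held in a string.
func Analyze(csvText string, threshold int) ([]string, error) {
	counts, err := CountByKey(strings.NewReader(csvText))
	if err != nil {
		return nil, err
	}
	return FlagDecryptHeavy(counts, threshold), nil
}
```

A fixed threshold is only a starting point; with a few weeks of exports the per-key baseline can be computed from the same counts, and because the FAQ recommends one API key per host or service, a flagged key maps directly to the system to investigate.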
Keys are loaded into memory only as long as required to encrypt or decrypt data and are flushed from memory afterwards. Libraries are fully capable of multi-threaded operations.
No. Our APIs work on the level of blocks of bytes and can work with any data format or storage medium.
Our platform is designed to be entirely self-service. Please visit our docs page on how to get up and running.
Our platform currently runs in the USA. Our longer-term plans include running components of our platform in other international regions.
We have a simple and transparent licensing model: a flat charge per encrypt API call. See our pricing page for more information.
Not at this time. We have long-term plans to support customer managed KMS/HSM systems. If this is a requirement, please contact us for more information.
API key/credential security is the responsibility of the customer, including account credentials, API Key usage, and access. We encourage our customers to explore the use of industry-vetted secrets management solutions, approaches, and strategies to protect any API keys, passwords, certificates, and other secret material.

We do not currently support the ability to restrict API access by source IP address.
When you subscribe to the Developer plan online, we'll send you an invoice every month. For other arrangements such as enterprise agreements, please contact us and we will work with you on an appropriate strategy for your use case and organization, including invoicing and procurement details.
To help prevent account compromise, you will be logged out after 30 minutes of inactivity.
A KMS only offers a small fraction of the functionality offered by the Ubiq Platform. Our platform builds on a traditional KMS to add encryption policy support, automated key rotation and management, access controls, and an interoperable, open data storage format accessible through our suite of simple APIs.
We encourage our customers to explore the use of industry-vetted secrets management solutions, approaches, and strategies to protect any API keys, passwords, certificates, and other secret material.
Yes. Our client libraries are open source and leverage industry-vetted encryption libraries, and you are free to modify our client libraries to leverage your preferred cryptographic libraries.
A Registered Application represents an application or dataset for which you would like to perform encrypt and decrypt functions.
An Authorized Application represents an application that has the ability to encrypt or decrypt data for a Registered Application.
In a nutshell, a parent-child relationship: the Registered Application is the parent and the Authorized Application is the child.
A Master Encryption Key, also known as a Symmetric Master Key, “is used to derive other symmetric keys (e.g., data encryption keys, key wrapping keys, or authentication keys) using symmetric cryptographic methods.”*
A Data Encryption Key, also known as a Symmetric Data Encryption Key, is “used with symmetric key algorithms to apply confidentiality protection to information.”* Data Encryption Keys are derived leveraging Master Encryption Keys.
Chrome and Safari

* https://en.wikipedia.org/wiki/Cryptographic_key_types