Peacemakr
FAQ

Can’t find the answer you’re looking for? Reach out to our customer support team.

Peacemakr is a system that delivers key material across a complex ecosystem of software and helps that software use those keys correctly to encrypt and decrypt data. Open-source SDKs allow your software to integrate End-to-End-Encryption into any application quickly.

SSL/TLS only protects data when it is in transit. Encryption at rest only protects data when it is on disk. Both of these leave data exposed everywhere else. Bad actors can still steal the data from databases, applications, logs, proxies, or even just by reading a file.

End-to-End-Encryption protects your data immediately upon creation and keeps it encrypted across your complex ecosystem of software. Your data’s entire lifecycle is now protected, eliminating unnecessary risks of data leaks.

For example, consider a log collection system that transmits data to a log aggregator. If you only encrypt with TLS, then the logs are exposed to both the original system and the aggregator. However, by encrypting the logs with Peacemakr’s End-to-End-Encryption, the logs are protected for their full lifecycle. The End-to-End-Encryption enables customers to use a SaaS provider to aggregate logs without trusting a multi-tenant cloud.

The security of your encrypted data depends on the protection and management of your keys. Building Key Lifecycle Management and Secure, Scalable Key Delivery mechanisms is not a trivial engineering task. Further, there’s no standard to help guide what the design should be. Since there is no standard, designing a new system always takes time, and implementation mistakes are incredibly costly. In-house solutions prohibit interoperability and collaboration between different companies, which often become requirements later as your business grows.

Keys come from your Key Derivers. Everyone starts with a Key Deriver in the cloud, but you can run these modular components wherever you need.

The Key Deriver is what produces all your symmetric keys. It’s a software package that you can run on any Unix platform.

It depends on your threat model. To take advantage of our zero-trust feature, your Key Deriver must be self-hosted. This way, your keys are safeguarded against the same threat models as your self-hosted Key Deriver.

To make things easy, we host your first Key Deriver in the cloud. If you need to bring your Key Deriver in-house, you can relocate your Key Deriver at any time. You can relocate it over and over; in fact, you can do it any time you rotate your keys.

A client is any software that integrates with an SDK. Once a key is derived, it's encrypted with the client's public asymmetric key and delivered to that specifically authorized client. Not even Peacemakr can snoop on that key material. For the most robust zero-trust threat model, you'd need to whitelist your trusted Certificate Authority and issue your clients and Key Derivers an X.509 certificate (yes, we have an API for that).

No. All encryption, decryption, signing, and verifications happen in your client.

All encryption and decryption happen directly in your client. Your data never leaves your client.
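The key delivery and client-side encryption described in the answers above, sketched as an added example with Node's built-in `crypto` module. It is not Peacemakr's SDK or protocol: RSA-OAEP wrapping, AES-256-GCM and every function name here are assumptions chosen for illustration, and the log line is constructed.

```javascript
// Added illustration, NOT the Peacemakr SDK. Algorithms and names are assumed.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: creates its own key pair; only the public half is ever shared.
function newClient() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Key Deriver stand-in: makes a symmetric key and wraps it for one client.
// Anything relaying `wrapped` sees only ciphertext of the key.
function deriveAndWrap(clientPublicKey) {
  const dataKey = crypto.randomBytes(32); // AES-256 key
  return crypto.publicEncrypt({ key: clientPublicKey, ...OAEP }, dataKey);
}

// Client: recovers the delivered key with its private key.
function unwrap(clientPrivateKey, wrapped) {
  return crypto.privateDecrypt({ key: clientPrivateKey, ...OAEP }, wrapped);
}

// Client: encrypts locally, so plaintext never leaves the process.
function encryptLocal(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decryptLocal(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag); // final() throws if the blob was tampered with
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

function demo() {
  const authorized = newClient();
  const other = newClient(); // a client the key was not wrapped for
  const wrapped = deriveAndWrap(authorized.publicKey);
  const key = unwrap(authorized.privateKey, wrapped);
  const blob = encryptLocal(key, 'constructed log line: user=alice action=login');
  let otherCanUnwrap = true;
  try { unwrap(other.privateKey, wrapped); } catch (e) { otherCanUnwrap = false; }
  return {
    roundTrip: decryptLocal(key, blob),
    otherCanUnwrap,
    leaks: blob.ct.includes('alice'), // what an aggregator would store
  };
}
```
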

Yes. Peacemakr supports authorized collaborations. As long as the receiving party integrates with Peacemakr and is an authorized collaborator, they will be able to decrypt your data. As soon as you remove a collaborator, you remove their access to your keys.

Peacemakr's network provides the basis for secure collaboration.

At Peacemakr, we divide our customers into Organizations. Your account belongs to an Organization that defines an authorization scope for your keys. You can share some of the keys in your Organization with any Organization in the Peacemakr network. Even when you authorize a collaborator, you control your keys and security policies, even in someone else's system. You can end a collaboration, and their access to your keys, at any time.

Yes. Once keys and security policies are delivered to a client, the client can encrypt and decrypt offline. You can either pre-install keys or the client can jump online at least once to receive key material from your Key Derivers.

Hashicorp's Vault is API-driven: your software sends data to Vault, and it encrypts or decrypts it for you. The Vault service not only becomes a single point of failure because it holds all the keys, but it also gets to see all your secret data in the clear. Besides, it's an entire service that you have to stand up and run in-house.

With Peacemakr it's your application that encrypts and decrypts data locally (via our open-source SDKs), so your data never leaves your application with Peacemakr. This is what makes Peacemakr End-to-End-Encrypted.

Separate security domains are the ultimate form of data ownership and control. By manipulating key access you can securely grant and revoke access on a case by case basis. Additionally, since key accesses are logged and each encrypted object can be uniquely identified, it allows your data to have complete access tracking for any (or all) data object(s) in your system.