Encrypting identity graph data using Keymaster

Keymaster is a self-serve encryption feature from Index Exchange (Index) that allows Universal ID providers to protect their identity graph data using asymmetric key pair encryption. For instructions on how to encrypt identity graph data, see Encrypt identity graph data.

How it works

Keymaster has the following two main functions:

  • The collection of keys and key versions for encryption
  • The encryption of identifiers with the keys

The Universal ID provider calls the authentication endpoint to retrieve their access token.


Using their access token and provider ID, the provider calls the Keymaster API to create and then get their RSA public key and key pair version.

The Universal ID provider encrypts the people-based Universal ID using the public key. As part of the standard Optimal Asymmetric Encryption Padding (OAEP) scheme, the Universal ID is further encrypted with a "salt" value. This makes sure that each identifier will be different every time it's encrypted.

The key and key version can be changed or updated at any time. By changing the key version, identity graph providers can gracefully fall back on any previous key pair version if the correct keyID is specified in the response, or they can quickly update to a new key pair version in the event of a graph leakage.

Optionally, Universal ID providers can transmit audience files to Index that are populated with hashed people-based Universal IDs. These audience files should be populated with the identifiers that have been encrypted using the public key created in step 2, so that when they are decrypted, a match can occur.

Every time a user visits a publisher page, the IX Identity Library™ checks to see if there is a cached Universal ID and key version for that user in local storage. If the cached Universal ID and key version are present, no call is made to the Universal ID provider endpoint and the Universal ID and key version are passed directly to the Index ad server (see 5a in the diagram above).

If there is no people-based identifier found in local storage, the IX Identity Library calls the Universal ID provider endpoint. Universal ID providers respond with the key version and associated people-based identifier, which is encrypted with the public key (see 5b in the diagram above).

Note: For every network call, the encrypted Universal ID for a user rotates because of the salt value attached to it, making it virtually impossible for a third party to intercept.

The IX Identity Library collects the encrypted Universal ID and passes it to the ad server, which ingests both the public key-encrypted Universal ID and the key version. The key version instructs Index on which version of the private key to use to decrypt the public key-encrypted Universal ID.

Optionally, the decrypted Universal ID can now be used for audience lookups in the Index ad server against the hashed identifiers that were previously sent in the audience file transfer in step 4.