END-TO-END ENCRYPTION WITH FLAM
Encrypt once, use everywhere encrypted
Conventional encryption systems distinguish between "data at rest" (storage) and "data in transit" (transfer) and protect each state with its own mechanism.
At every hand-over between the two states the data has to be decrypted and re-encrypted. Backups, transfers and every processing step therefore become points where plaintext is exposed.
FLAM takes a different approach: uninterrupted end-to-end encryption. The data is encrypted once, when it is created, and stays encrypted from then on, during storage, during transmission and even while it is being searched.
The result is fewer points of attack, lower energy consumption (no repeated encrypt/decrypt cycles) and greater security. You keep full control down to the column level without exposing your data unnecessarily.
FLAM integrates seamlessly into your existing infrastructure, whether it is based on OpenPGP, KMIP (OpenSSL), or HSM-based solutions. It can work with any common key management system.
Because FLAM protects persistent data sets, we recommend a professional key management system such as IBM DKMS/EKMF with a central key repository and a backup strategy for all static keys, above all for the repository keys that protect your archives: a lost repository key means losing access to every archive it protects.
MORE SECURITY. MORE CONTROL. MORE POSSIBILITIES.
SEPARATE KEYS – CLEAR CONTROL
Three keys for three access levels
FLAM works with three separate keys that enable hierarchical access.
With the directory key you can only read the table of contents. The member key additionally allows you to search the encrypted archive contents. Only the data key gives full access to the actual contents.
GRANULAR RIGHTS – DOWN TO THE COLUMN LEVEL
Precise control over every data access
In addition to the three key levels, you can restrict rights even further: to certain files, specific data formats, or even individual columns.
The display of blocked content can be customized, e.g., with asterisks, random values, or only the first/last characters (masking). This allows individual columns to be anonymized for certain users.
TWO-LEVEL KEY MANAGEMENT
One repository key protects everything
Your company holds a repository key that protects the three session keys (directory, member and data key). When access rights change, the session keys are re-encrypted for the authorized users; the data itself is never touched.
Each user, department or division can also have its own repository key.
KEY DERIVATION & INTEGRITY PROTECTION
Each segment is individually protected
A specific key is derived for each data segment from the session key, a random number, a sequence number and a checksum over the segment header. Each segment receives its own encryption key and its own integrity-protection key.
Maximum security: anyone who manipulates the header changes the checksum and with it the derived keys, so the segment can neither be decrypted nor pass its integrity check. A compromised segment key does not jeopardize the rest of the archive, because every other segment uses different keys.
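As an added illustration of the per-segment derivation described above (example code written for this page, not FLAM's implementation, which is not published here): HKDF (RFC 5869) over SHA-256 derives one encryption key and one integrity key per segment from the session key, the segment's random nonce, its sequence number and a SHA-256 checksum of the header. The header layout, the HKDF label and the use of an HMAC counter-mode keystream in place of a block cipher are assumptions made to keep the example standard-library only; a production system would use AES. Flipping any bit of the header changes the derived keys, so the integrity tag no longer verifies.

```python
"""Added example, not FLAM's code: per-segment keys bound to the segment header.
HKDF (RFC 5869) over SHA-256 derives an encryption key and an integrity key per
segment from the session key, the segment nonce, its sequence number and a
checksum of the header. The HMAC counter-mode keystream stands in for the block
cipher purely to keep the example stdlib-only; use AES in practice."""
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256
HLEN = HASH().digest_size                  # 32 bytes
HEADER_FMT = ">I16sI"                      # assumed layout: sequence number, nonce, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def derive_segment_keys(session_key: bytes, header: bytes):
    """Returns (encryption key, integrity key). Any change to the header changes
    the checksum used as HKDF salt, so both keys change with it."""
    seq, nonce, _length = struct.unpack(HEADER_FMT, header)
    header_checksum = HASH(header).digest()
    prk = hkdf_extract(header_checksum, session_key)
    info = b"flam-example-segment" + struct.pack(">I", seq) + nonce   # label is an assumption
    okm = hkdf_expand(prk, info, 2 * HLEN)
    return okm[:HLEN], okm[HLEN:]

def keystream(key: bytes, length: int) -> bytes:
    """PRF in counter mode, a stand-in for AES-CTR."""
    blocks = (length + HLEN - 1) // HLEN
    return b"".join(hmac.new(key, struct.pack(">Q", i), HASH).digest() for i in range(blocks))[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_segment(session_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Produces header || ciphertext || tag; the tag covers header and ciphertext."""
    header = struct.pack(HEADER_FMT, seq, os.urandom(16), len(plaintext))
    enc_key, mac_key = derive_segment_keys(session_key, header)
    body = xor(plaintext, keystream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, header + body, HASH).digest()
    return header + body + tag

def verify_segment(session_key: bytes, segment: bytes) -> bool:
    """True only if header and body are untouched and the session key is right."""
    if len(segment) < HEADER_LEN + HLEN:
        return False
    header, body, tag = segment[:HEADER_LEN], segment[HEADER_LEN:-HLEN], segment[-HLEN:]
    _enc_key, mac_key = derive_segment_keys(session_key, header)
    return hmac.compare_digest(tag, hmac.new(mac_key, header + body, HASH).digest())

def open_segment(session_key: bytes, segment: bytes) -> bytes:
    if not verify_segment(session_key, segment):
        raise ValueError("segment rejected: header or body manipulated, or wrong key")
    header, body = segment[:HEADER_LEN], segment[HEADER_LEN:-HLEN]
    enc_key, _mac_key = derive_segment_keys(session_key, header)
    return xor(body, keystream(enc_key, len(body)))

def flip_bit(data: bytes, offset: int) -> bytes:
    """Helper: manipulate one bit at the given byte offset."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)

if __name__ == "__main__":
    key = os.urandom(32)
    seg = seal_segment(key, 7, b"iban=DE89370400440532013000;amount=100.00")   # constructed record
    print(open_segment(key, seg))
    print(verify_segment(key, flip_bit(seg, 0)))    # header manipulated -> False
```

The point to check in any such design is that the header checksum feeds the key derivation and that the tag covers the header as well as the body: then a manipulated sequence number or nonce fails verification before any plaintext is produced, and segments with different headers never share keys.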
DATA CAPTURE: ENCRYPT ONCE
Intelligent encryption directly at the point of origin.
FLAM automatically analyzes the properties of your data and applies the optimal encryption strategy:
TLS, OpenPGP, S/MIME, AES, PKI/SKI
FLAM uses established encryption standards – exactly the ones your systems and partners expect anyway. No special paths, no obstacles.
COMPATIBLE WITH ALMOST ALL OPEN DATA FORMATS
Whether it's payment data, forms, or log files, FLAM processes your data formats without detours or expensive special solutions.
DATA USE: USE EVERYWHERE ENCRYPTED
Full functionality without decryption
The encrypted data remains protected in all usage scenarios:
SELECTIVE SEARCH WITHOUT HAVING TO DECRYPT DATA FIRST
To do this, a Bloom filter is generated from the search terms and sent to the archive. Only if the filter matches does the archive send back the affected segments, still compressed, encrypted and signed, so only the bare minimum is sent over the line. A Bloom filter can report a false positive but never a false negative: a segment that holds the search term is always returned, and the occasional extra segment is discarded after local decryption.
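As an added example of the search mechanism described above (written for this page; it is not FLAM's code, and FLAM's filter parameters and hashing are not published here): each segment is stored in the archive together with a Bloom filter built over keyed hashes of its tokens, the client turns its query into a filter with the same key, and the archive returns only the segment ids whose filter contains every query bit. The filter size, hash count, tokenizer and sample records are constructed assumptions. Keying the hashes with a key the archive does not hold (here a key separate from the data key, in the spirit of the member key described above) prevents the archive from guessing tokens and testing them against the stored filters.

```python
"""Added example, not FLAM's code: keyed Bloom-filter search over encrypted
segments. The archive holds ciphertext plus one filter per segment; the client
turns its query into a filter and the archive returns only candidate segments."""
import hashlib
import hmac
import math

M_BITS = 2048    # filter size in bits per segment (assumption)
K_HASHES = 4     # hash functions per token (assumption)

def positions(search_key: bytes, token: str, m: int = M_BITS, k: int = K_HASHES):
    """k bit positions for one token. Keyed with HMAC so that the archive, which
    stores the filters but not the key, cannot enumerate likely tokens."""
    norm = token.strip().lower().encode()
    return [int.from_bytes(hmac.new(search_key, bytes([i]) + norm, hashlib.sha256).digest()[:8], "big") % m
            for i in range(k)]

def build_filter(search_key: bytes, tokens, m: int = M_BITS, k: int = K_HASHES) -> int:
    """Filter as an integer bitmask; bit i set means 1 << i."""
    bits = 0
    for token in tokens:
        for p in positions(search_key, token, m, k):
            bits |= 1 << p
    return bits

def tokenize(record: str):
    """Constructed tokenizer for ';'-separated 'field=value' records."""
    return [field.split("=", 1)[1] for field in record.split(";") if "=" in field]

def may_contain(segment_filter: int, query_filter: int) -> bool:
    """Archive side: every query bit must be set. False positives are possible,
    false negatives are not."""
    return segment_filter & query_filter == query_filter

def candidate_segments(archive: dict, query_filter: int):
    return [sid for sid, (filt, _ciphertext) in archive.items() if may_contain(filt, query_filter)]

def false_positive_rate(n_tokens: int, m: int = M_BITS, k: int = K_HASHES) -> float:
    """Expected false-positive probability for a segment holding n_tokens distinct tokens."""
    return (1.0 - math.exp(-k * n_tokens / m)) ** k

# Constructed sample: three segments, one record each; ciphertext is a placeholder.
SEARCH_KEY = b"member-key-for-search-only-demo!"      # assumption: separate from the data key
RECORDS = {
    "seg-1": "name=Anna Mueller;iban=DE89370400440532013000;amount=100.00",
    "seg-2": "name=Ben Schulz;iban=DE02120300000000202051;amount=250.00",
    "seg-3": "name=Carla Voss;iban=DE91100000000123456789;amount=75.50",
}
ARCHIVE = {sid: (build_filter(SEARCH_KEY, tokenize(rec)), b"<ciphertext>") for sid, rec in RECORDS.items()}

def search(terms):
    """Client side: query -> keyed filter -> archive returns candidate segment ids.
    Only those segments are fetched and decrypted locally."""
    return candidate_segments(ARCHIVE, build_filter(SEARCH_KEY, terms))

if __name__ == "__main__":
    print(search(["Anna Mueller"]))      # always includes seg-1
    print(false_positive_rate(3))
```

Two caveats a deployment has to size for: the false-positive rate grows with the number of tokens per segment and shrinks with filter size, so M_BITS and K_HASHES are a storage versus over-fetch trade-off; and the archive still observes which segments are requested together, so query patterns are visible even though token values are not.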
DECRYPTION ONLY WHERE IT IS NEEDED
The data always remains encrypted in the archive. Decryption takes place only locally, after recoding, and only for authorized users.
SUPPORTS MODERN HARDWARE SECURITY MODULES
FLAM supports proven hardware security modules such as NetHSM, IBM CCA and PKCS#11-based devices. Keys that live in a hardware module are used inside the module and never leave it, so your data remains protected even against insider attacks or an attacker who has already compromised the host.
WHY FLAM ENCRYPTION IS SO STRONG – AND SO FLEXIBLE
Instead of rigid all-or-nothing encryption, FLAM relies on fine-grained key separation. This ensures that access rights, encryption, and data structure can be clearly separated and controlled in a targeted manner.
Key cascades and multi-level session key sets can be used to define exactly who is allowed to view or edit which data. The remaining information does not need to be decrypted or moved.
This means that data remains:
- compressed and encrypted,
- accessible only under controlled conditions,
- and efficiently transferable
ANONYMIZED MEANS ANONYMIZED
Not every user needs access to all data. With FLAM, you can precisely determine who is allowed to see which columns and how restricted content is displayed.
ANONYMIZATION IS A TRUE ONE-WAY FUNCTION:
The original data cannot be traced back from the data provided.
The real data remains secure in the compressed and encrypted segment. During output, the FLAM kernel replaces the protected columns with the selected anonymization method – the original data never leaves the system.
The rights holder determines which method is used for which column. This allows statisticians to work with the archive without seeing sensitive data.
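As an added example of column-level masking applied on output (written for this page; it is not FLAM's implementation, and the method names, policy format and sample row are assumptions): the three methods named above are applied per column according to a policy, the stored row is never modified, and a value masked with asterisks or replaced by a random value of the same shape cannot be recovered from the output. The first/last method keeps characters by design, so what it keeps is disclosed; its defaults here follow the PCI DSS limit of showing at most the first six and last four digits of a card number.

```python
"""Added example, not FLAM's code: column-level masking applied on output only.
Method names, the policy format and the sample row are assumptions."""
import secrets
import string

def mask_asterisks(value: str) -> str:
    """Hide everything; only the length survives."""
    return "*" * len(value)

def mask_first_last(value: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Keep the leading and trailing characters, blank the middle. The defaults
    match the PCI DSS display limit for a PAN (at most first six and last four);
    everything kept is disclosed, so choose the counts per column deliberately."""
    if len(value) <= keep_first + keep_last:
        return "*" * len(value)
    return value[:keep_first] + "*" * (len(value) - keep_first - keep_last) + value[-keep_last:]

def mask_random(value: str) -> str:
    """Replace with a random value of the same shape: digits stay digits, letters
    stay letters (case preserved), separators stay. Fresh randomness on every
    call, so the output carries nothing of the original beyond its format."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(secrets.choice(string.digits))
        elif ch.isalpha():
            out.append(secrets.choice(string.ascii_uppercase if ch.isupper() else string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)

METHODS = {"asterisks": mask_asterisks, "first_last": mask_first_last, "random": mask_random}

def mask_row(row: dict, policy: dict) -> dict:
    """policy maps column name -> method name; columns without a policy pass
    through. Returns a new dict, so the stored row is never modified."""
    return {col: METHODS[policy[col]](str(val)) if col in policy else val for col, val in row.items()}

if __name__ == "__main__":
    # constructed sample row and policy
    row = {"name": "Anna Mueller", "pan": "4111111111111111", "iban": "DE89370400440532013000", "amount": "100.00"}
    print(mask_row(row, {"name": "asterisks", "pan": "first_last", "iban": "random"}))
```

The policy is what the rights holder controls per column; the masking functions run on the way out, which is why a statistician's view and the archive's content can differ without the archive being rewritten.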
SECURE IN USE: EXAMPLES FROM REAL-WORLD APPLICATIONS
FLAM meets the highest security requirements and is used exactly where it really matters: in government agencies, banks, critical infrastructures, and international data processes.
SECURE CLIENT COMMUNICATION
A bank anonymizes sensitive columns (e.g., credit card numbers) and transfers encrypted data records to its partners or other applications so that those systems are no longer within the scope of PCI DSS. Secure, standards-compliant and without additional software.
ACCESS-PRECISE ARCHIVING IN THE DATA CENTER
An IT service provider stores millions of data records in encrypted backups. Thanks to FLAM, specific data records can be found and extracted, modified, deleted, or supplemented – without decrypting the entire archive.
DATA SHARING WITHOUT DATA LEAKS
A research institution passes on structural evaluations (e.g., statistical distributions) without disclosing the real data. Perfect for AI analyses, third-party studies, or funding projects.
- Complies with standards such as PCI DSS, GDPR, BSI TR-02102
- Supports certified key infrastructures (e.g., PKI, HSM, IBM CCA, FINPIN, KMIP)
- Used by: central banks, telecommunications companies, energy companies, tax authorities, clearing houses, the automotive industry, and many more
- 100% backward compatible and auditable – made & maintained in Germany
Encrypt smarter, not harder.
With FLAM you protect your data efficiently and selectively, without slowing down your processes.