Virgil PureKit: Protect Passwords and Stored Data With Post-Compromise Security

Virgil PureKit: Protect Passwords and Stored Data With Post-Compromise Security

Rebecca Yarbrough — March 18th, 2019

PureKit, by Virgil Security, is a developer toolkit for protecting passwords and stored data so that they remain secure even if the database itself is compromised.

Primary Features:

  1. End-users control their data and keys
  2. Achieve true compliance with GDPR, HIPAA, PCI DSS, and more
  3. Near impossible to crack passwords
  4. Zero Trust key management


Any form of encryption is only as strong as the methods used to protect the encryption key, and most systems still struggle to truly separate the protected data from its key or other decryption methods. For example, an attacker who gets access to a password database can first launch an offline dictionary attack to obtain user passwords, then log in as these users and “legitimately” request the online service provider to perform decryption. Even worse, an insider or a persistent attacker who obtains the encryption key can download the entire database and perform decryption offline.

To defend against such attacks, external crypto services can completely separate encrypted data from the decryption functionality. This ensures that data encryption cannot be reverse-engineered and any decryption must be authorized with the cooperation of the crypto service – even offline. This is how Virgil Security’s PureKit solution functions.

How Data Protection Works in Your Infrastructure Now

Option #1. Unprotected Database. Traditional data storage: users (end-users or admins) go through authentication with the Application Service Provider using their authentication credentials (e.g. login and password) and then data is sent to a database (e.g. cloud storage provider)

Approach Disadvantages

  1. Data is stored unprotected; all authorized users and cloud providers have access to the data.
  2. If hackers steal the database, they will have access to data without minimal effort.
  3. The data is not under the control of the user, and the user cannot know exactly who else has access to it and for what purpose.

Option #2. Encrypting Entire Database. Same flow as the traditional approach mentioned above but with the ability to encrypt the whole database using an encryption key provided by the Cloud Storage Provider.

Approach Disadvantages

  1. If hackers steal both the encrypted database and the encryption key, they can decrypt the entire database and have access to all the stored data
  2. In most cases, the database encryption key is stored in the cloud and accessible to the Cloud Storage Providers and admins
  3. The encryption key and data are accessible to any person authorized to perform operations on the data in database
  4. If data has to be shared with third-party services, they will need an encryption key to decrypt the needed data. Therefore, admins will have to share the encryption key with third parties or store data in an unprotected way.
  5. The data is not under the control of the user, and the user cannot know exactly who else has access to it and for what purpose.

Option #3. Separate Encryption Key Management. This approach provides developers with a separate database that contains encryption keys that have different purposes, such as role-based encryption, user-based encryption, keys for external services, etc.

Approach Disadvantages

  1. Access to all encryption keys is protected by credentials like login ID and password (or password hash), which are stored in the same database as the encryption keys. If hackers use the access credentials to steal database, they can use a brute force attack to access the encryption key and then decrypt the protected data.
  2. The Cloud Storage Provider has access to all the secret credentials, therefore it has access to database with encryption keys, undermining the whole system.
  3. Neither Microsoft Azure nor AWS or other providers provide a solution for protecting data beyond the inevitable database compromise.
  4. Neither Microsoft Azure nor AWS or other providers provide user-specific encryption. Every provider just allows you to encrypt data with encryption keys at the same time key is not under the control of the user, and the user cannot know exactly who uses which data
  5. Users can’t control data that is shared with 3rd party services (as it’s required by GDPR or other data protection regulations)

How Data Protection Can Work With PureKit

Virgil Security’s PureKit, an implementation of the Password-Hardened Encryption (PHE) protocol – is a powerful and revolutionary cryptographic technology that provides stronger and more modern security, secures user data and passwords, and reduces the security risks associated with weak authentication credentials (e.g. passwords).

Fundamentally, it links the encryption of a password and data record to its own keypair, meaning that an individual user can control access to their protected personal data or a system admin can control groups of encrypted data without compromising the rest of the system. It also separates the authentication credentials, cryptographic credentials and protected data so that data cannot be decrypted by unauthorized users or outside of the database in an offline attack. Access to protected data can be granted by giving other parties, like an external billing system, encryption access keys to only the data they are authorized to see.

Virgil PureKit is an open-source server-side framework for users' passwords and data protection in databases.

PureKit brings password-based security to a new level in three ways:

  1. Impossible to crack passwords. PureKit provides password hardened encryption (PHE) and replaces password hashing in a way making it impossible to run offline and online attacks. By coordinating a standalone cryptographic service dedicated to implementing the PHE protocol, PureKit creates a unique user record that is associated with the user password. At the same time, user password is never stored in any database and never transmitted to any service in any form.
  2. End-users control their data and keys. PureKit gives users the ability to encrypt their data with personal encryption keys, divide encryption keys into groups and securely share data with other users and services. Users don't store their private keys and keys can be revealed only after providing a correct password.
  3. Data is safe, even the database is stolen. PureKit provides post-compromise security. Even if your database has been compromised, it impossible to run offline attacks, retrieve user passwords or decrypt data. At the same time, PureKit provides a convenient and secure key rotation procedure that allows you to quickly update all your server keys without losing access to your data.
  4. Compliance with GDPR, HIPAA, PCI DSS and more. If you’re entrusted with personal data, you’re responsible for protecting it. PureKit allows you to integrate strong data protection and become compliant with the most data privacy standards and laws.

PureKit Features

Virgil PureKit is a framework of services and tools to deliver a suite of security protections:

  1. Password-hardened encryption. You won’t store users' passwords or its hashes. PureKit protects user or internal passwords from data breaches and both online and offline attacks.
  2. Per-user encryption. PureKit features strong and fast data encryption of any size file on a per-user basis.
  3. Role-based encryption. PureKit provides you with functionality  to create and manage groups (roles), and use scopes (permissions) to allow and deny their access to encryption keys that are used encrypt to resources like files and data
  4. Secure Data and Files Sharing. PureKit allows you and your users securely share data using Virgil key management services.
  5. Encryption occurs independently of database security. PureKit provides end-to-end encryption, therefore, data security doesn’t rely on any device, network or cloud provider
  6. Post-Compromise Security. By requiring simultaneous access to the database and the remote crypto server to unlock protected records, PureKit allows you to protect sensitive data like PII, PHI, and passwords from unauthorized access even if the database or other online storage facility is compromised.
  7. Zero-knowledge of user passwords and secret keys. PureKit provides data and password encryption in a way that prevents any possibility for unauthorized parties to know anything about a password or encryption key. Also, Virgil Security has no access to your data.
  8. Instant invalidation of stolen databases. PureKit allows rotating keys and records remotely, in case the database has been stolen.

For details on the cryptography powering PureKit, please see the Virgil PureKit White Paper.

What We Offer

#Product/Service typesDescriptionStatus
1Security Framework PureKitA security framework that consists of services and libraries for developers for strong protection of passwords and data In databases.Ready to use
2Integration with any databases like Azure, AWSVirgil can integrate PureKit into any database infrastructure and provide this solution according to customer preferences. It can be done as a Plugin, Portal, Application etc. Integration also includes ongoing expert consulting from Virgil Security on security or related topics. Performing operations related to the deployment of new technology without disrupting user productivity.Can be done upon customer request

Who Should Use It?

PureKit can be used with any password-based authentication scheme. Wordpress site managers can use our free Wordpress plugin for password protection.

Developers collecting and storing sensitive information can use PureKit to protect this data - and themselves - while complying with regulations like HIPAA, GDPR, and PCI DSS.

Security technology is always evolving, and yesterday’s practice salting and hashing or storing the key in your database is no longer acceptable. Developers now have access to better, stronger technology like PureKit that can better prevent data breaches.

Get Started

Want to see how it works? Sign up for a free Virgil Security account and create a project application in the developer dashboard. Learn more in the PureKit documentation here.

Join our Slack community to connect with the Virgil Security development team and learn more.

Virgil Security, Inc. builds developer toolkits that solve business problems by encrypting data and therefore lessening legal and compliance liability. Teams can secure their application data with end-to-end encryption, manage devices across a network, and secure passwords and PII in the database using Virgil's suite of open source SDKs. Founded in 2014, Virgil  Security is headquartered in Manassas, Virginia.To learn more, visit