Secure Data Pipelines

Overview

This guide shows how to secure data pipelines and ETL workflows using encrypted containers with cryptographically enforced access control.

Traditional data pipelines rely on infrastructure security, storage permissions, and application logic to protect sensitive data during ingestion, transformation, and analytics. These approaches cannot reliably prevent unauthorized access if storage systems, pipeline infrastructure, or processing environments are compromised.

Locktera secures data pipelines by encrypting data into immutable containers before it enters pipeline infrastructure. Access policies are enforced cryptographically at the time of container decryption. Pipeline systems, ETL jobs, and downstream applications can only decrypt containers if explicitly authorized.

This ensures that sensitive data remains protected throughout the entire pipeline lifecycle—including ingestion, storage, transfer, processing, and analytics—regardless of which platforms or infrastructure are used.

Locktera operates independently of pipeline platforms and can secure data pipelines used with Snowflake, Databricks, Spark, AI pipelines, and enterprise data infrastructure.

What You Will Build

In this guide, you will:

  1. Encrypt a dataset into an immutable container before pipeline ingestion

  2. Store the encrypted container in pipeline storage or staging infrastructure

  3. Grant cryptographic access permission to an authorized pipeline or ETL system

  4. Retrieve and decrypt the container within the authorized pipeline workflow

  5. Verify that unauthorized systems cannot decrypt protected pipeline data

  6. Retrieve audit records to monitor pipeline access and data processing activity

Key Concepts

Cryptographically Secured Pipeline Data

Data is encrypted into containers before entering the pipeline.

This ensures:

  • Sensitive data remains encrypted during storage and transfer

  • Unauthorized pipeline systems cannot decrypt data

  • Pipeline or storage compromise does not expose protected data

  • Access control is enforced independently of pipeline infrastructure

Container contents remain immutable.

Platform-Independent Access Enforcement

Access policies are enforced cryptographically at container decryption.

This ensures:

  • Only authorized pipeline systems can decrypt data

  • Access enforcement does not rely on storage or pipeline security

  • Data remains protected even if pipeline infrastructure is compromised

  • Access policies remain enforceable regardless of storage location

Locktera operates independently of Snowflake, Databricks, or other processing platforms.

Secure Pipeline Storage and Transfer

Encrypted containers can be safely stored in shared infrastructure, including:

  • Object storage systems (S3, Azure Blob, GCS)

  • File systems

  • Data lakes

  • Archive systems

  • Pipeline staging environments

Storage systems cannot decrypt container contents.

Audit Logging of Pipeline Access

Every container decryption request generates an audit record.

Audit logs provide visibility into:

  • Which pipeline accessed the data

  • When access occurred

  • Which identity accessed the container

  • Whether access was authorized or denied

This enables compliance reporting and forensic analysis.

Common Use Cases

This workflow is commonly used for:

  • Securing ETL workflows

  • Securing enterprise data pipelines

  • Protecting analytics pipeline data

  • Securing AI data pipelines

  • Protecting sensitive database exports

  • Securing data stored in shared infrastructure

  • Protecting regulated or confidential datasets

Architecture Flow

Data Source

    │ Encrypt data into container using Locktera

Encrypted Container (.tera)

    │ Store in storage, data lake, or pipeline staging location

Pipeline / ETL / Analytics System

    │ Decrypt container only if authorized

Authorized Data Processing

Unauthorized systems cannot decrypt protected containers.

Prerequisites

  • Locktera API key

  • Dataset or file to process

  • Authorized pipeline system identity

Base URL:

https://share.locktera.com/api/v1

Authentication header:

Authorization: Bearer YOUR_API_KEY

Step 1 — Encrypt Data Before Pipeline Ingestion

Encrypt data into a container before it enters the pipeline.

Request:

manifest.json

{
  "container": {
    "drm": {
      "dynamic": true
    }
  }
}

curl -X POST $BASE_URL/users/{user_id}/containers/encode \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "manifest.json=@manifest.json;type=application/json" \
  -F "name=Pipeline Data Container" \
  -F "file=@dataset_export.csv"

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "name": "Pipeline Data Container",
    "created_at": "2026-02-21T18:35:17Z"
  }
}

The dataset is now encrypted and protected.

Store the container_id in your pipeline metadata.

Step 2 — Store Encrypted Container in Pipeline Storage

The encrypted container may be stored in:

  • Object storage

  • File systems

  • Pipeline staging environments

  • Data lakes

  • Archive systems

The container remains encrypted.

Storage systems cannot decrypt container contents.

Step 3 — Grant Access to Authorized Pipeline Systems

Grant decryption permission to authorized pipeline systems.

Request:

curl -X PATCH $BASE_URL/users/USER_ID/containers/CONTAINER_ID/drm \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
        "recipients": [
          "etl-system@company.com"
        ]
      }'

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "recipients": [
      "etl-system@company.com"
    ]
  }
}

Only authorized pipeline systems may decrypt the container.

Step 4 — Authorized Pipeline Decrypts Container

Authorized pipeline retrieves and decrypts the container.

Request:

curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/decode \
  -H "Authorization: Bearer ETL_PIPELINE_API_KEY"

Response:

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "files": [
      { "name": "dataset_export.csv" }
    ]
  }
}

The pipeline may now securely process the data.

Step 5 — Unauthorized Access is Blocked

Unauthorized systems cannot decrypt protected containers.

Request:

curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/decode \
  -H "Authorization: Bearer UNAUTHORIZED_API_KEY"

Response:

{
  "error": "access_denied",
  "message": "Decryption is not permitted for this container."
}

Protected data remains secure.

Step 6 — Audit Pipeline Access

Retrieve audit records.

Request:

curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/audit \
  -H "Authorization: Bearer YOUR_API_KEY"

Audit logs provide visibility into:

  • Pipeline access events

  • Access timestamps

  • Authorized and denied access attempts

  • Identity performing access

Security Properties

This workflow ensures:

• Data is encrypted before entering pipeline infrastructure
• Container authenticity and integrity are cryptographically verified
• Unauthorized systems cannot decrypt pipeline data
• Access enforcement is cryptographic and independent of infrastructure
• Access policies remain enforceable regardless of storage location
• Access may be revoked or time-limited at any time
• Container contents remain immutable
• Storage and pipeline compromise does not expose plaintext data
• Pipeline infrastructure compromise alone cannot expose protected data
• All access events are audit logged

Comparison to Traditional Pipeline Security

Traditional pipeline security relies on:

  • Storage permissions

  • Infrastructure access control

  • Application logic

These methods cannot prevent access if infrastructure is compromised.

Locktera enforces access cryptographically.

Pipeline systems cannot decrypt containers without authorization.

Summary

Locktera enables secure data pipelines and ETL workflows by encrypting datasets into immutable containers with persistent cryptographic access control. Only authorized pipeline systems may decrypt and process protected data. This ensures data remains secure throughout ingestion, storage, transfer, and analytics workflows, regardless of which infrastructure or platforms are used.