UIDAI’s Aadhaar Number Regulation Compliance

Thales eSecurity can help you comply with key Aadhaar provisions




The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. The 12-digit UIDs are generated after the UIDAI verifies the uniqueness of enrollees’ demographic and biometric information; UIDAI must protect individuals’ identity information and authentication records.

Thales eSecurity can help your organization comply with many of the regulations and mandates required for Aadhaar.

The following standards are excerpted from the “UIDAI Information Security Policy – UIDAI External Ecosystem – Authentication User Agency/KYC User Agency” section of UIDAI’s 30 April 2018 update of its Compendium of Regulations, Circulars & Guidelines for Authentication User Agency (AUA)/E-KYC User Agency (KUA), Authentication Service Agency (ASA) and Biometric Device Provider [The Compendium]:

User Access Control

2.6 Access Control
1. Only authorized individuals shall be provided access to information facilities (such as Authentication application, audit logs, authentication servers, application, source code, information security infrastructure etc.) processing UIDAI information

Encryption of Data at Rest and in Motion

2.8 Cryptography
1. The Personal Identity data (PID) block comprising of the resident’s demographic / biometric data shall be encrypted as per the latest API documents specified by the UIDAI at the end point device used for authentication (for e.g. PoT terminal)

Encryption Key Management

2.8 Cryptography
6. Key management activities shall be performed by all AUAs / KUAs to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management, including:

  a) key generation;
  b) key distribution;
  c) secure key storage;
  d) key custodians and requirements for dual control;
  e) prevention of unauthorized substitution of keys;
  f) replacement of known or suspected compromised keys;
  g) key revocation and logging and auditing of key management related activities.

Database Access Logging

2.10 Operations Security
12. AUAs/KUAs shall ensure that the event logs recording the critical user-activities, exceptions and security events shall be enabled and stored to assist in future investigations and access control monitoring;

13. Regular monitoring of the audit logs shall take place for any possible unauthorized use of information systems and results shall be recorded. Access to audit trails and event logs shall be provided to authorized personnel only

Tokenization of Aadhaar numbers

This guidance is from Circular 11020/205/2017 in The Compendium:

In order to enhance the security level for storing the Aadhaar numbers, it has been mandated that all AUAs/KUAs/Sub-AUAs and other entities that are collecting and storing the Aadhaar number for specific purposes under the Aadhaar Act 2016, shall start using Reference Keys mapped to Aadhaar numbers through tokenization in all systems.

(a) All entities are directed to mandatorily store Aadhaar Numbers and any connected Aadhaar data (e.g. eKYC XML containing Aadhaar number and data) on a separate secure database/vault/system. This system will be termed as “Aadhaar Data Vault” and will be the only place where the Aadhaar Number and any connected Aadhaar data will be stored.

(c) Each Aadhaar number is to be referred by an additional key called as Reference Key. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault.

(d) All business use-cases of entities shall use this Reference Key instead of Aadhaar number in all systems where such reference key need to be stored/mapped, i.e. all tables/systems requiring storage of Aadhaar numbers for their business transactions should from now onwards maintain only the reference key. Actual Aadhaar number should not be stored in any business databases other than Aadhaar vault.
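As an added illustration of the vault-and-Reference-Key architecture the circular describes (example code written for this page, not UIDAI's or Thales's own), the Python sketch below keeps real Aadhaar numbers only inside a vault object, hands business systems an opaque Reference Key, and ties every reverse lookup to the access-control and event-logging requirements quoted in 2.6 and 2.10 above. The index key, the principal names and the 12-digit sample number are constructed values; in production the vault's own store would also be encrypted at rest as 2.8 requires.

```python
import hashlib
import hmac
import re
import secrets

# Aadhaar numbers are 12 digits; this checks only the shape, not any checksum
AADHAAR_RE = re.compile(r"^\d{12}$")


class AadhaarDataVault:
    """The single system allowed to hold real Aadhaar numbers.
    Business tables store only the Reference Key returned by tokenize()."""

    def __init__(self, index_key: bytes, authorized: set):
        self._index_key = index_key    # secret for the blind lookup index (constructed)
        self._by_index = {}            # HMAC(aadhaar) -> Reference Key
        self._by_ref = {}              # Reference Key -> aadhaar (encrypt at rest in production)
        self._authorized = authorized  # principals allowed to detokenize (2.6)
        self.audit_log = []            # critical-activity events kept for investigations (2.10)

    def _index(self, aadhaar: str) -> str:
        # Keyed hash so the lookup index cannot be reversed without the index key
        return hmac.new(self._index_key, aadhaar.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, aadhaar: str) -> str:
        """Return the Reference Key for a number, issuing a fresh one if unseen."""
        if not AADHAAR_RE.match(aadhaar):
            raise ValueError("Aadhaar number must be exactly 12 digits")
        idx = self._index(aadhaar)
        ref = self._by_index.get(idx)
        if ref is None:
            ref = "REF-" + secrets.token_hex(8)  # random: reveals nothing about the number
            self._by_index[idx] = ref
            self._by_ref[ref] = aadhaar
        return ref

    def detokenize(self, ref: str, actor: str) -> str:
        """Reverse a Reference Key; every attempt, allowed or denied, is logged."""
        allowed = actor in self._authorized
        self.audit_log.append({"event": "detokenize", "actor": actor, "ref": ref, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{actor} is not authorized to detokenize {ref}")
        return self._by_ref[ref]

    def masked(self, ref: str, actor: str) -> str:
        """Dynamic masking: a display view exposing only the last four digits."""
        self.audit_log.append({"event": "masked_view", "actor": actor, "ref": ref, "allowed": True})
        return "XXXX XXXX " + self._by_ref[ref][-4:]
```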

Compliance Summary

Thales eSecurity can help you meet many of the requirements of UIDAI’s Aadhaar Number Regulation through the following:

User Access Control: Vormetric Data Security Manager

Thales eSecurity’s Vormetric Data Security Manager enables the organization to limit user access privileges to information systems that provide access to nonpublic information.

Encryption of Data at Rest: Vormetric Transparent Encryption

Thales eSecurity’s Vormetric Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.

Encryption Key Management: Vormetric Integrated Key Management

Thales eSecurity’s Vormetric Integrated Key Management unifies and centralizes encryption key management on premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager for centralized multi-cloud key life cycle visibility and management with FIPS 140-2 secure key storage.

Database Access Logging: Security Intelligence Logs

The Vormetric Platform’s Security Intelligence Logs let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate automated escalation and response to unauthorized access attempts, and supplies the data needed to build the behavioral patterns required to identify suspicious use by authorized users, as well as to identify training opportunities.

Tokenization of Aadhaar Numbers: Vormetric Tokenization with Dynamic Masking

Vormetric Vaultless Tokenization with Dynamic Data Masking dramatically reduces the cost and effort required to comply with security policies and regulatory mandates, such as Aadhaar. The solution delivers capabilities for database tokenization and dynamic display security. Now you can efficiently address your objectives for securing and anonymizing sensitive assets—whether they reside in data center, big data, container or cloud environments.

Compliance Brief: Complying with UIDAI’s Aadhaar Number Regulations

The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. Learn how Thales can help your organization comply with many of the regulations and mandates required for Aadhaar.


Data Sheet: Platform Data Sheet

The Vormetric Data Security Platform makes it efficient to manage data-at-rest security across your entire organization. Built on an extensible infrastructure, Vormetric Data Security Platform products can be deployed individually, while sharing efficient, centralized key management.


Solution Brief: Vormetric Tokenization with Dynamic Data Masking

Tokenization and data masking – anonymizing data for security and compliance. The Vormetric Data Security Platform features tokenization capabilities that can dramatically reduce the cost and effort associated with complying with security policies and regulatory mandates like the Payment Card Industry Data Security Standard (PCI DSS).

