BrandKwikID Documentation

Reference Keys

What Reference Keys are, how tokenization works, and how they replace Aadhaar numbers

Reference Keys and Tokenization

This section explains Reference Keys, how they shrink the footprint of Aadhaar, and how you use them across your systems.

What Are Reference Keys?

Under UIDAI guidelines:

  • A Reference Key is an additional key you use to refer to each Aadhaar number. The link between that key and the Aadhaar is kept only in the Aadhaar Data Vault.
  • Goal: Reduce where Aadhaar appears in your systems and cut the risk of unauthorized access. Aadhaar is “Identity Information” under the Aadhaar Act 2016 and can identify residents. Storing it in fewer places reduces exposure.

In practice: Use Reference Keys in all your business databases (existing and new) instead of Aadhaar. Use the real Aadhaar only inside the vault, and only when you have a valid, authorized reason.

How Reference Keys Work

  • Generation: When you first store an Aadhaar, the vault creates a unique Reference Key (e.g. a random UUID rendered as hex). The key is random, not derived from the Aadhaar, so you can’t work backward from the key to get the Aadhaar.
  • Storage: Your systems store only the Reference Key. The vault keeps the mapping and the encrypted Aadhaar (and any linked data).
  • Resolution: When an app needs the Aadhaar for an allowed purpose, it calls the vault API with the Reference Key. The vault checks the request, logs the access, and returns the decrypted value only if allowed.

Tokenization and Data Masking

  • Tokenization: Using Reference Keys instead of Aadhaar everywhere (except the vault) is the main tokenization approach UIDAI requires.
  • Data masking: In logs, UIs, and reports we mask Aadhaar. Outside the vault you see only the Reference Key or a masked form (e.g. last 4 digits where policy allows). Full Aadhaar is only available through the vault API, with strict access control and logging.

Scope: Replacing Aadhaar in Existing Databases

As part of the implementation:

  1. Find all databases and systems that store Aadhaar today.
  2. Migrate each Aadhaar into the vault and get back its Reference Key.
  3. Replace the Aadhaar in the database with that Reference Key. Leave no Aadhaar copy in that DB.
  4. Update apps to use Reference Keys for linking and display, and to call the vault API only when they really need the Aadhaar for a compliant use.

That way Aadhaar lives only in the vault, as UIDAI requires.
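The following is an added example, not BrandKwikID's own vault code or API, showing the three pieces described above in one place: the vault side of "How Reference Keys Work" (random key generation, encrypted storage, resolution gated by an access policy and written to an audit log), the masking rule from "Tokenization and Data Masking", and the migration steps from "Scope: Replacing Aadhaar in Existing Databases" run against a constructed SQLite table. Everything in it is an assumption for illustration: the class and function names, the caller/purpose access policy, the 12-digit format check, the in-memory storage, and the HMAC-SHA256 counter-mode cipher with encrypt-then-MAC, which stands in for the HSM-backed encryption a real Aadhaar Data Vault would use. The Aadhaar values are constructed sample digits, not real numbers.

```python
import hashlib
import hmac
import os
import sqlite3
import uuid

# Constructed vault master key; a production vault keeps this in an HSM (assumption).
VAULT_KEY = os.urandom(32)


def _derive(master: bytes, label: bytes) -> bytes:
    """Separate sub-keys for encryption, MAC and the de-duplication index."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over HMAC-SHA256 as a PRF; stand-in for AES-GCM in an HSM.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _derive(master, b"enc"), _derive(master, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class AadhaarVault:
    """Holds the Reference Key -> encrypted Aadhaar mapping plus the audit log."""

    # Constructed access policy: which caller may resolve for which purpose.
    POLICY = {"ekyc-service": {"authentication"}, "reporting": set()}

    def __init__(self, master_key: bytes):
        self._master = master_key
        self._idx_key = _derive(master_key, b"index")
        self._records = {}   # reference key -> encrypted Aadhaar
        self._index = {}     # HMAC(Aadhaar) -> reference key, so one Aadhaar gets one key
        self.audit_log = []

    def store(self, aadhaar: str) -> str:
        if not (aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("Aadhaar must be 12 digits")
        fp = hmac.new(self._idx_key, aadhaar.encode(), hashlib.sha256).hexdigest()
        if fp in self._index:
            return self._index[fp]
        ref = uuid.uuid4().hex   # random: nothing in the key derives from the Aadhaar
        self._records[ref] = encrypt(self._master, aadhaar.encode())
        self._index[fp] = ref
        return ref

    def resolve(self, ref: str, caller: str, purpose: str) -> str:
        allowed = purpose in self.POLICY.get(caller, set())
        # Every attempt is logged, denied ones included.
        self.audit_log.append({"ref": ref, "caller": caller, "purpose": purpose, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{caller} may not resolve Aadhaar for {purpose}")
        return decrypt(self._master, self._records[ref]).decode()


def mask_aadhaar(aadhaar: str) -> str:
    """Display form for logs, UIs and reports: only the last 4 digits survive."""
    return "XXXX-XXXX-" + aadhaar[-4:]


def migrate_column(conn: sqlite3.Connection, vault: AadhaarVault, table: str, column: str) -> int:
    """Steps 2-3: push each Aadhaar into the vault and overwrite it with its Reference Key."""
    if not (table.isidentifier() and column.isidentifier()):
        raise ValueError("table and column names must be plain identifiers")
    migrated = 0
    for rowid, value in conn.execute(f"SELECT rowid, {column} FROM {table}").fetchall():
        if value is None or not (value.isdigit() and len(value) == 12):
            continue   # empty, or already replaced by a 32-char hex key
        conn.execute(f"UPDATE {table} SET {column} = ? WHERE rowid = ?", (vault.store(value), rowid))
        migrated += 1
    conn.commit()
    return migrated


def demo():
    """Constructed legacy table; two rows share one (sample) Aadhaar."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, aadhaar TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [
        ("Asha", "123456789012"), ("Ravi", "234567890123"), ("Asha (dup)", "123456789012")])
    vault = AadhaarVault(VAULT_KEY)
    migrated = migrate_column(conn, vault, "customers", "aadhaar")
    refs = [row[0] for row in conn.execute("SELECT aadhaar FROM customers")]
    return vault, migrated, refs


if __name__ == "__main__":
    vault, migrated, refs = demo()
    print(migrated, "rows migrated; column now holds:", refs)
    print("display form:", mask_aadhaar(vault.resolve(refs[0], "ekyc-service", "authentication")))
```

After `migrate_column` runs, the `customers.aadhaar` column holds only 32-character hex keys, the two rows that shared an Aadhaar share a key (so joins across tables keep working), and the only path back to the digits is `resolve`, which refuses callers the policy does not list and records the refusal in `audit_log`. The migration is idempotent: rerunning it skips rows that already hold a key.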

Benefits

  • Smaller footprint: Aadhaar in one place (the vault) means less exposure and lower breach risk.
  • Non-reversible: Reference Keys (e.g. UUID-based) don’t let you derive the Aadhaar.
  • Compliance: Matches UIDAI circulars and the Aadhaar (Authentication) and (Sharing of Information) Regulations 2016.

Next Steps