UIDAI’s Aadhaar Number Regulation Compliance

nCipher can help you comply with key Aadhaar provisions




The Unique Identification Authority of India (UIDAI) was established under the provisions of India’s 2016 Aadhaar Act. UIDAI is responsible for issuing unique identification numbers (UIDs), called Aadhaar, and providing Aadhaar cards to all residents of India. The 12-digit UIDs are generated after the UIDAI verifies the uniqueness of enrollees’ demographic and biometric information; UIDAI must protect individuals’ identity information and authentication records.

nCipher can help your organization comply with many of the regulations and mandates required for Aadhaar.

The following standards are excerpted from the “UIDAI Information Security Policy – UIDAI External Ecosystem – Authentication User Agency/KYC User Agency” section of UIDAI’s 30 April 2018 update of its Compendium of Regulations, Circulars & Guidelines for (Authentication User Agency (AUA)/E-KYC User Agency (KUA), Authentication Service Agency (ASA) and Biometric Device Provider) [The Compendium]:

User Access Control

2.6 Access Control
1. Only authorized individuals shall be provided access to information facilities (such as Authentication application, audit logs, authentication servers, application, source code, information security infrastructure etc.) processing UIDAI information

Encryption of Data in Motion

2.8 Cryptography
2. The PID shall be encrypted during transit and flow within the AUA / KUA ecosystem and while sharing this information with ASAs

Encryption Key Management

2.8 Cryptography
6. Key management activities shall be performed by all AUAs / KUAs to protect the keys throughout their lifecycle. The activities shall address the following aspects of key management, including;

  • a) Key generation;
  • b) Key distribution;
  • c) Secure key storage;
  • d) Key custodians and requirements for dual Control;
  • e) Prevention of unauthorized substitution of keys;
  • f) Replacement of known or suspected compromised keys;
  • g) Key revocation and logging and auditing of key management related activities.

The use of FIPS 140-2 Certified HSMs for Cryptographic Key Protection

This guidance is from Circular 11020/205/2017 in The Compendium:

(f) The Aadhaar number and any connected data maintained on the Aadhaar Data Vault shall always be kept encrypted and access to it strictly controlled only for authorized systems. Keys for encryption are to be stored in HSM devices only.

nCipher can help you meet several of the requirements of UIDAI’s Aadhaar Number regulation through:

The Use of FIPS 140-2 Certified HSMs for Cryptographic Key Protection: nShield HSMs

nCipher HSMs provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Certified at FIPS 140-2 Levels 2 and 3, nCipher HSMs support a variety of deployment scenarios, including Cloud Bring Your Own Key. nShield Connect and Solo HSMs also provide a secure environment for running sensitive applications.

Strong User Authentication

nCipher HSMs can help you create high-assurance systems to authenticate users and devices using enterprise systems, limiting access to only authorized entities.

Brochure: nCipher HSM brochure

nShield HSMs provide a hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption and more. Available in three FIPS 140-2 certified form factors, nShield HSMs support a variety of deployment scenarios.


Other key data protection and security regulations

Philippines Data Privacy Act


The Philippines Data Privacy Act adopts international principles and standards for personal data protection and applies to the processing of personal data across both government and private sector.


South Korea’s PIPA


One of the strictest data protection regimes in the world, it is supported by two pieces of sector specific legislation related to IT and communications networks and the use of credit information.


Australia Privacy Act



February 2018

Australia's Privacy Act establishes a mandatory requirement to notify the Privacy Commissioner and affected individuals of data breaches. It will take effect on February 22, 2018.
