Unique Identification Authority of India

Frequently Asked Questions (FAQs)

Aadhaar Data vault / Reference keys
(updated as on 28.07.2022)

1. What is Aadhaar Data Vault

Aadhaar Data Vault is a centralized storage for all the Aadhaar numbers collected by the
AUAs/KUAs/Sub-AUAs/ or any other agency for specific purposes under Aadhaar Act
and Regulations thereunder. It is a secure system inside the respective agency’s
infrastructure accessible only on need to know basis.

2. What is the objective of Aadhaar Data Vault

Aadhaar number has been identified as “Identity Information” under the Aadhaar Act
2016 and can uniquely identify residents in India. Since Aadhaar number is a lifetime
identity for Indians and shall be used to avail various services including services
involving financial transactions, unauthorized access to Aadhaar number may be
misused in many ways.

Objective of Aadhaar Data Vault is to reduce the footprint of Aadhaar numbers within
the systems / environment of the organization hence reduce the risk of unauthorized
access.

3. Who needs to implement Aadhaar Data Vault

All agencies which store Aadhaar number are required to create an Aadhaar data vault.
These agencies may or may not be AUAs/KUAs/Sub-AUAs. They could be an
organization that stores Aadhaar numbers for internal identification purposes such as
attendance management, linking with PF etc. All the agencies that store Aadhaar
numbers in a structured and electronic form such as a Database need to implement
Aadhaar Data Vault.

Page 1 of 6
 Unique Identification Authority of India

4. Are there any implementation guidelines for Aadhaar Data Vault

The implementation of Aadhaar Data vault needs to meet the objective of the Circular
No.K-11020/205/2017-UIDAI (Auth-I) dated 25.07.2017.

5. Which encryption algorithm is required for encryption of Aadhaar

numbers and related data in the Aadhaar Data Vault as per the requirement
of the circular

The encryption algorithm/ key strength for Aadhaar Data Vault needs to be same as per
specifications for Auth/ eKYC API viz. RSA 2048 for public key encryption and AES 256
for symmetric encryption.

6. Is it required to have separate VLAN for the Aadhaar Data Vault

The Aadhaar Data Vault containing Aadhaar number/data and the referencing system
must be kept in a highly restricted network zone that is isolated from any untrusted
zone and other internal network zones. Agencies may create only a virtual separation for
Aadhaar data vault, however such agencies need to ensure they comply with the
requirements of the notice such as access control, logical segregation in zones etc.

7. What are reference keys

In order to reduce the footprint of Aadhaar numbers in the ecosystem, each Aadhaar
number is to be referred by an additional key called as Reference Key. These keys will
replace Aadhaar numbers in the organizations ecosystem and mapping of reference key
and Aadhaar number is to be maintained in the Aadhaar Data Vault.

Page 2 of 6
 Unique Identification Authority of India

8. Is it possible to use existing unique values, such as Bank account

numbers or PAN numbers, for a user to be used as reference keys.

The organization may use any reference keys as long as it can be uniquely mapped to the
respective Aadhaar numbers and meets the requirement of the Circular No.K-
11020/205/2017-UIDAI (Auth-I) dated 25.07.2017 such as Aadhaar numbers should
not be predictable if corresponding reference keys or set of keys are available.
Organization should consider other implications of using Bank account / PAN card as
reference keys which may be local to the environment.

9. Can existing HSMs be used for storing the encryption keys

Agencies may use the existing HSMs. HSMs used to store the keys for encryption of
Aadhaar data vault cannot be shared with any other agency / legal entity. Security of the
partitions storing Aadhaar data vault keys need to be ensured by the agency.

10. How are the scanned/physical copies of the Aadhaar numbers be

stored in the Aadhaar Data vault

For the agencies which store the scanned images of Aadhaar cards or physical copies of
Aadhaar cards as per TRAI / RBI etc., the storage of scanned images or physical cards
do not come in scope of this notice or requirement. The agencies need to keep the
scanned copies encrypted and ensure security of both scanned copies and physical
copies as per Aadhaar Act and Regulations thereunder. Agency should ensure
compliance to the security and privacy requirements for storage of scanned images or
hard copies as per Aadhaar Act and Regulations thereunder.

Page 3 of 6
 Unique Identification Authority of India

11. Can Aadhaar number be used for resetting password as security

questions

Some agencies are storing Aadhaar number to be able to answer the security question
for a password reset request. These agencies cannot store the Aadhaar number
anywhere else apart from the Aadhaar data vault and they come in scope of the
requirement.

12. Can multiple reference keys be generated and used with a single
Aadhaar

Multiple reference keys may be generated for a single Aadhaar if there is such business
case which requires to refer one Aadhaar number by different reference keys in the
internal ecosystem of the agency. In such case, the agency shall ensure compliance to
the other requirements of the Circular No.K-11020/205/2017-UIDAI (Auth-I) dated
25.07.2017.

13. Is it required to replace all the Aadhaar number with the reference
keys which are being used in the existing infrastructure in multiple
databases

Agency needs to create an Aadhaar data vault and replace Aadhaar numbers in all
existing databases with the respective reference keys even if Aadhaar number is stored
encrypted in several databases within the agency.

14. Can the hash of Aadhaar be used as reference keys

Agency / Organization may choose any method for generation of reference key. The
chosen Reference Key generation method is to ensure that the recovery of the original
Aadhaar number must not be computationally feasible knowing only the reference key
or number of reference keys. It is suggested that a UUID (Universally Unique Identifier

Page 4 of 6
 Unique Identification Authority of India

represented via hex string) scheme be used to create such reference key so that from
such reference key, Aadhaar number can neither be guessed nor reverse engineered.

15. Whether a particular agency can provide reference key provisioning

as a central service to its Sub – AUAs

Since the AUAs are already obligated for the compliance of its Sub-AUAs and already
has all Aadhaar numbers of its Sub-AUAs as part of the transaction logs, AUAs may
provide reference provisioning as a central service to its Sub-AUAs. Access to mapping
databases / Aadhaar Data vault need to be on a need to know basis. Other risks of
providing reference key service as a central service need to be considered by the Sub-
AUA / AUA.

16. Can we use the same VM for business application & Aadhaar vault
application

The Aadhaar Data Vault containing Aadhaar number/data and the referencing system
must be kept in a highly restricted network zone that is isolated from any untrusted zone
and other internal network zones. Compliance with Circular No.K-11020/205/2017-
UIDAI (Auth-I) dated 25.07.2017 and Aadhaar act needs to be ensured.

17. Is it allowed to store Aadhaar Number in other systems than vault if

the system provides HSM level encryption for storage / usage of Aadhaar
Number

All entities / agencies are directed to mandatorily store Aadhaar Numbers and any
connected Aadhaar data (e.g. eKYC XML containing Aadhaar number and data) only on
a separate secure database/vault/system. Aadhaar numbers shall not be stored in any
other systems. If the agency wants to term the existing Database as Aadhaar Data vault
and can meet the other requirements of the Circular No.K-11020/205/2017-UIDAI
(Auth-I) dated 25.07.2017, such agency may do so. In that case the agency must ensure

Page 5 of 6
 Unique Identification Authority of India

that Aadhaar numbers are only stored on this database and removed from other
databases.

18. What is the nomenclature / convention to be followed for Unique

Reference Number Generation for Aadhaar

This is left to organization to choose nomenclature/convention as long as it ensure that

the recovery of the original Aadhaar number must not be computationally feasible
knowing only the reference key or number of reference keys.

19. As Aadhaar number is used for carrying out DBT transactions, AEPS
transactions etc., will the Aadhaar number will be continued to be used
while processing the transactions

Aadhaar number may be used wherever necessary to process the transactions, however
when the transaction related data or Aadhaar related data is stored, Aadhaar numbers
should not be stored in any other storage than Aadhaar Data Vault.

20. At the time of transaction processing the application will refer to

Aadhaar vault only to derive the account to which the amount is to be
credited or debited and the transaction will be carried out accordingly

The Aadhaar Data vault should ideally maintain only the mapping of Aadhaar numbers
and corresponding reference numbers. Hence any access to data vault (except for
maintenance purposes / Administration purposes) should only be to refer this mapping.

***********

Page 6 of 6