Atakama integration with Data Classification tools


There exist numerous data discovery & classification solutions. Atakama has been tested with many of these providers and integrates best with those that support either the .ip-labels classification file or our command-line-encrypt data flow.


1. Command-line-encrypt data integration (works with most providers).

One effective way to integrate Atakama with data classification is to install Atakama on the data-classification system's server.


Once installed, the network drives need to be connected as "back end locations" where files will reside using the storage tab. The locations can be either cloud or network/local.



If these locations are already protected by Atakama, the administrator of those locations will need to grant access to the classification machine. If this is not desired, a second factor key can be created, then the app removed and backup discarded. Future versions of Atakama will support write-only installations. See method #2 below.


The final step is to configure the data classification system to run this program when a file is classified and needs to be encrypted:


C:\ProgramFiles\Atakama\Atakama --protect %path%


Where "%path%" is the placeholder the data classification tool uses.


This will cause files to be encrypted as they are classified. Most data classification providers allow for a great deal of granularity when choosing exactly which files should be encrypted.


2. Flexible integration (works with some providers).

Some data classification providers allow writing a file containing a summary of classification information called “.ip-labels”, which stands for "Information Protection Labels". Ideally, these files should be read-only for all but the classification system itself.


In this setup, there is no need for the classification server to have an Atakama installation.


  • The format of the file is JSON, and must validate as valid JSON.

  • The file should be written to the root of any folder that contains labelled files.

  • The file must be hidden on Windows systems.

  • The file must be protected so that only administrators, or a suitably restricted group of network users, have access to write it.

  • The file should allow all users who have access to that location to read from it.


Example of an .ip-labels file:

    "run_start_time": "10/19/2020 17:05:01 (UTC-05:00) Eastern Time (US & Canada)",
      "run_guid": "6abff42d-16cd-4312-ab29-9451b2e838fe",
      "files": {
            "example_file_1": {
                  "labels": ["US SSN"],
                  "hash": "A634F1412E52CD3AB966EA47A2B6CD1C"
            "example_file_2.docx": {
                  "labels": ["Credit Cards", "US Drivers License"],
                  "hash": "17F15BAC04491499F13B929D3CE9F759"
            "example_file_3.xls": {
                  "labels": ["Legal Keywords", "Medical Diagnoses", "Passwords"],
                  "hash": "FCEB0ED43B1C4A45E4109F31EC561980"
            "example_file_4.ext": {
                  "labels": ["Legal Keywords"],
                  "hash": "9A50A1817C4B0ABA32B9699EFBA9033F"

Atakama will detect when this file is written, and immediately encrypt any files that have had new labels applied. The advantage here is that this works with any topology - Atakama can be running on users' workstations only (serverless), and the workstation will obey the .ip-labels file and encrypt the data.  


The Atakama software must have selective-encryption enabled. 


Field Specification:

  • files: (required) the keys are the names of the files, with extensions, the values are a dictionary of 

  • labels: (required) a list of utf8 label names

  • hash: (optional) md5sum of the file, used to validate that the labels file is recent / up-to-date

  • run_start_time: (optional) date/time, format unspecified, not used by our software

  • run_guid: (optional) unique id representing the latest processing initiative that produced the file format unspecified, not used by our software

  • signature: (optional) the ECDSA signature of the sorted, minified JSON contents, excluding the signature itself. The default curve used is SECP256K1, but other options are available. (Configurable via the enterprise config system)

3. Microsoft Information Protection Labels.

Atakama can be configured to recognize MSIP labels that have been embedded in Microsoft Office documents. MSIP labels, unfortunately, cannot be embedded in many non-office files.  


This is a viable solution for organizations that use Microsoft Office documents for sensitive information.


Simply configure the data classification system to embed MSIP labels, and Atakama will automatically detect and encrypt data that has been labeled.


For other embedded labels, such as EXIF labels or other custom formats, Atakama can be configured with a REGEX that recognizes these labels as well. There may be some complexity implementing this solution so we suggest contacting Atakama support.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.