Managing Protection Policy
Protection policy defines a set of rules that govern the cryptographic operations. The protection policy includes entities such as algorithm, key, and character set and so on.
Protection policy specifications
Supported key types
Symmetric AES keys are supported.
The keys must be marked exportable on the CipherTrust Manager.
Supported algorithms
FPE/AES
FPE/FF1v2
FPE/FF3
AES/CBC/NoPadding
AES/CBC/PKCS5Padding
AES/ECB/NoPadding
AES/ECB/PKCS5Padding
Supported character set
For FPE, the Application Data Protection supports configurable character sets.
Note
FPE requires minimumtwo characters from the character set to perform crypto operations.
Protection Policy versioning
When a protection policy is created, by default, Version1 is assigned to it. If the existing protection policy is modified, a new version of the protection policy is created with modified fields.
The Application Data Protection supports following types of versioning:
Internal Version Header- also referred to as internal versioning. The version bytes are prepended to the ciphertext. This is the default versioning. For example, <version header bytes> <ciphertext>
External Version Header- also referred to as external versioning. The version details are stored in a separate parameter. For example:
<ciphertext>
<parameter name storing the version header bytes>
This field will vary according to the chosen connector type.
For DPG, this field is configured while creating DPG policy.
- Disable Versioning- if selected, the protection policy can't be modified. In such cases, only
Version 0
of a key will be used to protect/reveal data. Use this option if you only want ciphertext and no information about the version bytes.
Note
If a set of data is already encrypted with a protection policy, ensure to decrypt the data with the same protection policy.
The versioning type selected during the protection policy creation can't be modified.
In this article you will learn how to: