BDT Policies
The Batch Data Transformation utility (BDT) provides a policy-based data transformation and re-key service. While you can create a local bdt.config
file that contains the required encryption information in different sections, you can also define BDT policies in CipherTrust Manager and then use those same policies wherever they are needed.
Creating a BDT Policy
Log on to the CipherTrust Manager as an administrator.
In the left pane, click Data Protection > BDT Policies.
Click Create BDT Policy. The Create BDT Policy wizard is displayed.
Enter the following information:
Field Description Name A user defined name for this BDT policy. The name must be unique. Description An optional description of the policy. FPE Mode If you are using Format-Preserving Encryption (FPE), enter the FF3-encoding mechanism you want to use. The options are:
•ASCII
: The default encryption mode. ASCII supports only ASCII characters and is faster than UTF
•UTF
: Required when using FPE to encrypt Unicode characters.
NOTE: The ASCII encryption mode is separate from ASCII character encoding.In Place Update Applies only if the source container points to a database.
Enable this option if you want BDT to transform the data in place instead of specifying a different destination to hold the transformed data. If you enable this option, BDT transforms the data directly in the source database table and CipherTrust Manager does not display the Add Destination page in the wizard.
If you do not enable this option, you can specify any container as the destination on the Add Destination wizard page.
NOTE: If you enable this option and you also specify a destination table on the Data Transformation page of this wizard, the destination table is ignored.Create Bad Record File Enable this option if you want BDT to create a .failed file that contains information about the input records that could not be transformed. When you are done, click Next. The Add Source screen is displayed.
Select the container that specifies the database or file that you want to transform. If you want to create a new container, click Create Container. For details, see BDT Containers.
When you are done, click Next.
If you selected the In Place Update option on the General Info screen, proceed to the next step. Otherwise, on the Add Destination screen, select the container that specifies the database or file into which you want BDT to write the transformed data. If you want to create a new container, click Create Container. For details, see BDT Containers.
Note
If you want BDT to write the transformed data to a new table in the source database, the Source and Destination containers should be the same. You will be able to specify the destination table name in the next step.
When you are done, click Next. The Data Transformation screen is displayed.
Click Create Table and enter the following information.
You must create a table even if you are using a CSV file or a fixed length file as the input. For these entities, the Source Table name field should be left blank.
Note
This step only specifies the database table names. You will specify the columns you want to use later in this procedure.
Field Description Source Table If the source container points to a database, enter the name of the database table containing the columns that you want to transform.
If the source container points to a CSV file or a fixed length file, leave the Source Table field blank.Destination Table Applies only when the In Place Update option is not enabled. If that option is enabled, BDT ignores this field.
If the destination container points to a database, enter the name of the database table into which you want BDT to write the results of the transformation process. If you want BDT to create the destination table for you, enable the Create Destination Table option.
If the destination container points to a CSV file or a fixed length file, leave the Destination Table field blank.In Place Error Specifies what to do when the In Place Update transformation option is selected and some records fail the transform process. The options are:
•rollback
: Roll back all changes. The source table returns unchanged to its initial state.
•commit
: Update the source column with transformed values and replace any failed records with either null or plain text depending on the value selected in the Error Placeholder field.
•exit
: Keeps source table as it is, with some values already transformed. This allows you to resolve the cause of the failure and restart the transformation (with the-r
option).Error Placeholder This option applies only if In Place data transformation encounters an error and the In Place Error field is set to commit
. The options are:
•NULL
: Sets the record value to null if the transformation fails. Use caution when selecting this option, as the original plain text data will be lost.
•PLAIN_TEXT
: Retains the original record contents if transformation fails.Repeat the previous step to add any other database tables you want to add to this BDT policy.
When you are done specifying the tables, click Next.
Review the policy settings and click Save when you are done.
Now, specify the columns you want BDT to process. Refer to Specifying Columns to Process.
Specifying Columns to Process
To specify which columns you want BDT to process in the input database table, CSV file, or fixed length file:
On the BDT Policies page, click on the policy name.
In the Tables section, expand the table for which you want to add column information.
Click Create Column and enter the following information:
Field Description Name The name of the column. Action This can be ENCRYPT, DECRYPT, TOKENIZE, DETOKENIZE, or REKEY.
If you select REKEY, CipherTrust Manager displays two sections, one for the decryption of the existing data and one for the encryption of the same data with the new key.
Do not change the Action that is automatically selected in these sections.
When you specify the Decryption options, make sure they exactly match how the existing data is encrypted or the rekey operation will not succeed.Protection Profile The Protection Profile to use for this column. For details, see Protection Profiles. Token Template If you are using a CipherTrust Tokenization Server and you do not have a Protection Profile, you can use this field to specify a CTS template token. This option is only available if the Action is Tokenize, Detokenize, or Rekey.
NOTE: If you specify a Protection Profile and a Token Template, CipherTrust Manager ignores the Token Template and uses the Protection Profile.Token Group The CTS token group associated with the template specified in the Token Template field. This option is only available if the Action is Tokenize, Detokenize, or Rekey. Header The cipher header version for determining the key version. The supported header versions are: V1_5, V1_5_Base64, V2_1, and V2_7. Tweak Source Specifies a column in the source database or file that contains the tweak. This allows you to use a different tweak for each row.
If you specify a tweak source and a Protection Profile, this value overrides the tweak in the Protection Profile.IV Source Specifies a column in the source database or file that contains the IV (initialization vector). This allows you to use a different IV for each row.
If you specify an IV source and a Protection Profile, this value overrides the IV in the Protection Profile.Input Encoding Specifies how to decode input and create byte array from it. Valid options are BASE2, BASE16, BASE64, UTF8, UTF16LE, UTF16BE, UTF32LE, or UTF32BE.
NOTE: BASE2 is supported only with database Blob data type columns.Output Encoding Specifies how to encode output byte array to a string. Valid options are BASE16, BASE64, UTF8, UTF16LE, UTF16BE, UTF32LE, or UTF32BE. When you are done, click Create.
Repeat this step for any other columns you want BDT to process.