Creating protection policy
To create a protection policy:
Open Application Data Protection.
In the left pane, click Protection Policies.
On the Protection Policies screen, click Add Protection Policy. The Create Protection Policy wizard is displayed. Follow the steps to complete the setup.
Note
The setup varies slightly depending on the type of algorithm used in the cryptographic operations (FPE and non-FPE).
Add General Info
Specify a unique Name for the protection policy.
Add a description for the protection policy.
Click Next to go to the Settings screen.
Configure Settings
On the Settings screen, configure the following fields.
Field: Description
Algorithm: Algorithm to be used in the cryptographic operations. You can view the list of supported algorithms here.
Tweak Algorithm: Tweak algorithm to be used in cryptographic operations. It is only applicable for FPE algorithms.
Possible options are:
— SHA1
— SHA256
— NONE
— NULL
For FF3 variants, Tweak Algorithm can't be NULL. For the remaining FPE algorithms, Tweak Algorithm can be NULL.
Tweak: Tweak data to be used in cryptographic operations.
This field is mandatory if tweak algorithm is specified.
— If tweak algorithm is NONE, specify a 16-character HEX encoded string.
— If tweak algorithm is NULL, this field is not required.
IV: Initialization vector to be used in cryptographic operations. This field will appear on the UI if FPE/AES algorithm is selected.
For FPE/AES, IV is derived based on the character set length. To know how to calculate the required IV, click here.
Prefix: Specify a user-friendly name that helps users identify the type of data being protected. The maximum allowed length for prefix is 7 characters and only All Printable ASCII characters are allowed.
Disable Versioning: If selected, the protection policy can't be updated and only ciphertext is returned in the response.
Version Header: Determines the location of version bytes.
Possible options are:
— Internal: version bytes are prepended to the ciphertext.
— External: version bytes are stored in a separate field. For details, click here.
Click Next to go to the Select Key screen.
Select Key
Select the key from the available options. If the desired key is not found, click Create Key.
Click Next to go to the Select Character Set or Select Access Policy screen.
Select Character Set
Select the character set from the available options or click Create Character Set. Refer to Creating Character Sets for details.
Click Next to go to the Select Access Policy or Select Masking Format screen.
Select Masking Format
Select the Masking Format to be associated with the protection policy from the available options or click Create Masking Format. For more details, click here.
Click Next to go to Select Access Policy screen.
Select Access Policy
Select the Access Policy from the available options or click Create Access Policy. Refer to Managing Access Policy for details.
Click Next to go to the Confirmation screen.
Review
Verify the protection policy details. The Confirmation screen displays general details, settings, key, character set, masking format, and access policy.
If you want to modify any field, click Edit and update the details.
Click Create. The message "Your protection policy is successfully created. Close the wizard to return to the protection policies page." is displayed on the screen.
Click Close to exit the setup.
Add General Info
Specify a unique Name for the protection policy.
Add a description for the protection policy.
Click Next to go to the Settings screen.
Configure Settings
On the Settings screen, configure the following fields.
Field: Description
Algorithm: Algorithm to be used in the cryptographic operations. You can view the list of supported algorithms here.
IV: Initialization vector to be used in cryptographic operations. This field will appear on the UI if AES/CBC algorithm is selected.
For AES/CBC modes, a 16-byte IV is required. The value must be a HEX encoded string.
Prefix: Specify a user-friendly name that helps users identify the type of data being protected. The maximum allowed length for prefix is 7 characters and only All Printable ASCII characters are allowed.
Disable Versioning: If selected, the protection policy can't be updated and only ciphertext is returned in the response.
Version Header: Determines the location of version bytes.
Possible options are:
— Internal: version bytes are prepended to the ciphertext.
— External: version bytes are stored in a separate field. For details, click here.
Click Next to go to the Select Key screen.
Select Key
Select the key from the available options. If the desired key is not found, click Create Key.
Click Next to go to the Select Character Set or Select Access Policy screen.
Select Access Policy
Select the Access Policy from the available options or click Create Access Policy. Refer to Managing Access Policy for details.
Click Next to go to the Confirmation screen.
Review
Verify the protection policy details. The Confirmation screen displays general details, settings, key, and access policy.
If you want to modify any field, click Edit and update the details.
Click Create. The message "Your protection policy is successfully created. Close the wizard to return to the protection policies page." is displayed on the screen.
Click Close to exit the setup.
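The field rules from both Settings screens (tweak algorithm and tweak, AES/CBC IV, prefix) can be checked before the values are entered in the wizard. The following is an added example, not part of the product or its documentation: the dictionary keys, the `fpe` flag, the matching of algorithm names by the substrings "FF3" and "CBC", and the reading of printable ASCII as 0x20 to 0x7E are all assumptions.

```python
import string

TWEAK_ALGORITHMS = {"SHA1", "SHA256", "NONE", "NULL"}
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}  # assumption: 0x20-0x7E


def _is_hex(value, n_chars):
    return len(value) == n_chars and all(c in string.hexdigits for c in value)


def check_settings(s):
    """Return a list of problems in a settings dict (hypothetical keys)."""
    problems = []
    algorithm = s.get("algorithm", "").upper()
    if s.get("fpe"):  # FPE flow: tweak rules apply
        tweak_alg = s.get("tweak_algorithm")
        tweak = s.get("tweak", "")
        if tweak_alg not in TWEAK_ALGORITHMS:
            problems.append("tweak algorithm must be SHA1, SHA256, NONE or NULL")
        elif tweak_alg == "NULL":
            if "FF3" in algorithm:
                problems.append("FF3 variants cannot use tweak algorithm NULL")
        elif not tweak:
            problems.append("tweak is mandatory when a tweak algorithm is set")
        elif tweak_alg == "NONE" and not _is_hex(tweak, 16):
            problems.append("with NONE, tweak must be 16 HEX characters")
    elif "CBC" in algorithm:  # non-FPE flow: fixed-size IV
        if not _is_hex(s.get("iv", ""), 32):  # 16 bytes = 32 HEX characters
            problems.append("AES/CBC needs a 16-byte IV as a HEX string")
    prefix = s.get("prefix", "")
    if len(prefix) > 7 or not set(prefix) <= PRINTABLE_ASCII:
        problems.append("prefix: at most 7 printable ASCII characters")
    return problems


# Constructed sample settings; algorithm names are placeholders, not real policies.
SAMPLES = {
    "ff3_null": {"algorithm": "FF3", "fpe": True, "tweak_algorithm": "NULL"},
    "none_short": {"algorithm": "FPE/AES", "fpe": True,
                   "tweak_algorithm": "NONE", "tweak": "1a2b3c"},
    "cbc_ok": {"algorithm": "AES/CBC", "iv": "0f" * 16, "prefix": "CCNUM"},
    "long_prefix": {"algorithm": "AES/CBC", "iv": "0f" * 16, "prefix": "CARDNUMBER"},
}

if __name__ == "__main__":
    for name, settings in SAMPLES.items():
        print(name, check_settings(settings) or "OK")
```

The FPE/AES IV is not checked because its required length depends on the character set, and that calculation is not given on this page.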
Important Notes
Note
When a protection policy is created, Version 1 is assigned to that policy. The version is incremented with each update.
If versioning is disabled, the protection policy can't be modified.
For disabled versioning, only version "0" of a key can be used in cryptographic operations.
The versioning type selected while creating a protection policy can't be modified.
The name of the protection policy can't be modified.