Creating protection policy
To create a protection policy:
Open Application Data Protection.
In the left pane, click Protection Policies.
On the Protection Policies screen, click Add Protection Policy.
On the Create Protection Policy screen, enter/select the following fields.
Name
Unique name for the protection policy.

Luhn
If enabled, the protection policy is configured to protect Luhn-compliant data. The Luhn check is only compatible with the All digits (0-9) character set and FPE algorithms, and it requires a minimum of 3 characters to perform crypto operations on Luhn-formatted data.

Algorithm
Algorithm to be used in the cryptographic operations. For a complete list, refer to Supported algorithms and their specifications.

Key
Key to be used in the cryptographic operations.

Character Set
Name of the character set. Refer to Creating Character Sets for details. A character set is only applicable to format-preserving algorithms.

Access Policy
Access policy to be associated with the protection policy. Access policies are sets of rules that define how the output is revealed to application users. For more details, refer to Managing Access Policies.

Masking Format
Static masking format to be associated with the protection policy. For more details, refer to Managing Masking Formats.

Tweak Algorithm
Tweak algorithm to be used in cryptographic operations. It is only applicable to FPE algorithms. Possible options are:
— SHA1
— SHA256
— NONE
— NULL
For FF3 variants, the Tweak Algorithm can't be NULL. For the remaining FPE algorithms, the Tweak Algorithm can be NULL.

Tweak
Tweak data to be used in cryptographic operations. For detailed information on the required tweak data size for FPE and tweak algorithms, refer to Tweak algorithm and tweak data compatibility details.

IV
Initialization vector to be used in cryptographic operations. The IV is applicable and required for the following algorithms:
— AES/CBC/NoPadding: 16-byte IV (any UTF-8 character input)
— AES/CBC/PKCS5Padding: 16-byte IV (any UTF-8 character input)
— FPE/AES: the IV must be specified as a hex-encoded value, where each byte is represented by 2 hex characters. For FPE/AES, the IV length depends on the cardinality of the character set. For details on the required IV length, refer to IV for FPE/AES.

Prefix
A user-friendly name that helps users identify the type of data being protected. The maximum allowed length for the prefix is 7 characters, and only All Printable ASCII characters are allowed.

Disable Versioning
If selected, the protection policy can't be updated, and only the ciphertext is returned in the response.

Version Header
Determines where the version header is stored. Possible options are:
— Internal: the version header is prepended to the ciphertext.
— External: the version header is stored in a separate field. For details, refer to Protection Policy Versioning.

Click Create. A message stating "Protection Policy created successfully" is displayed, and the newly created policy is listed on the Protection Policies page.
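The field constraints above (Luhn with All digits and FPE only, no NULL tweak for FF3 variants, 16-byte CBC IV, hex-encoded FPE/AES IV, 7-character printable prefix) are easy to get wrong when policies are created by script. The following pre-check is an added illustration, not code from Application Data Protection itself; the dictionary keys, the assumption that FPE algorithm names start with "FPE/", and reading "16 bytes" as the UTF-8 encoded length are all assumptions.

```python
import re

TWEAK_ALGORITHMS = {"SHA1", "SHA256", "NONE", "NULL"}
CBC_ALGORITHMS = {"AES/CBC/NoPadding", "AES/CBC/PKCS5Padding"}


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_input_ok(data: str) -> bool:
    """Input a Luhn-enabled policy can protect: all digits, at least 3 characters, Luhn-valid."""
    return data.isdigit() and len(data) >= 3 and luhn_valid(data)


def check_policy(policy: dict) -> list:
    """Return the documented constraints a policy definition violates (empty list means OK).
    The dictionary keys are assumed names, not the product's own field identifiers."""
    errors = []
    algo = policy.get("algorithm", "")
    is_fpe = algo.startswith("FPE/")  # assumption: FPE algorithm names carry the FPE/ prefix
    if policy.get("luhn") and not (is_fpe and policy.get("character_set") == "All digits"):
        errors.append("Luhn needs an FPE algorithm and the 'All digits' (0-9) character set")
    if policy.get("character_set") and not is_fpe:
        errors.append("character set only applies to format-preserving algorithms")
    tweak = policy.get("tweak_algorithm")
    if tweak is not None:
        if tweak not in TWEAK_ALGORITHMS:
            errors.append("tweak algorithm must be one of SHA1, SHA256, NONE, NULL")
        elif not is_fpe:
            errors.append("tweak algorithm only applies to FPE algorithms")
        elif tweak == "NULL" and "FF3" in algo:
            errors.append("tweak algorithm can't be NULL for FF3 variants")
    iv = policy.get("iv")
    if algo in CBC_ALGORITHMS and (iv is None or len(iv.encode("utf-8")) != 16):
        errors.append(f"{algo} requires a 16-byte IV")  # assumption: 16 bytes of UTF-8
    if algo == "FPE/AES" and (iv is None or not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", iv)):
        errors.append("FPE/AES requires a hex-encoded IV (2 hex characters per byte)")
    prefix = policy.get("prefix", "")
    if len(prefix) > 7 or not all(32 <= ord(c) <= 126 for c in prefix):
        errors.append("prefix must be at most 7 printable ASCII characters")
    return errors
```

Running the check before calling the API turns a rejected create request into a readable list of what to fix; it does not replace the server-side validation.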
Important Notes
When a protection policy is created, it is assigned Version 1. The version number increments with each update.
If versioning is disabled, a protection policy can't be modified.
If versioning is disabled, only version 0 of a key can be used in cryptographic operations.
The versioning type selected while creating a protection policy can't be modified.
The name of the protection policy can't be modified.