Creating protection policy
To create a protection policy:
Open Application Data Protection.
In the left pane, click Protection Policies.
On the Protection Policies screen, click Add Protection Policy. The Create Protection Policy wizard is displayed. Follow the steps to complete the setup.
Step 1. Add General Info
On the General Info screen, the following fields are displayed:
Name: Enter a unique name for the protection policy. It is a mandatory field.
Description: Describe the protection policy. It is an optional field.
Click Next to go to the Settings screen.
Step 2. Configure Settings
On the Settings screen, the following fields are displayed:
Luhn: Turn on the toggle to protect Luhn-compliant data (data whose last digit is a Luhn check digit, as in payment card numbers).
Note
The Luhn check is only compatible with the All digits (0-9) character set and the FPE algorithms. It requires a minimum of 3 characters to perform crypto operations.
Algorithm: Select the desired algorithm from the following options: AES/ECB/PKCS5Padding, AES/ECB/NoPadding, AES/CBC/PKCS5Padding, AES/CBC/NoPadding, FPE/FF3-1, FPE/FF3, FPE/FF1v2, and FPE/AES. Note that ECB mode is deterministic: identical plaintext blocks produce identical ciphertext blocks, so prefer a CBC or FPE option unless you specifically need ECB. The NoPadding variants require the input length to be a multiple of the 16-byte AES block size.
To view the specifications of these algorithms, click here.
The tabs below display the fields applicable to the selected algorithm:
For the AES algorithms (AES/ECB and AES/CBC modes):
Random Nonce: Select the type of nonce to be used in the cryptographic operations. Possible options are: Internal (default), External, and Disable. More details on random nonce are available here.
IV: Specify the Initialization Vector (IV) to be used in cryptographic operations. It is an optional field.
When specifying the IV, consider the following points:
If an IV is provided, it must be 16 bytes (any UTF-8 character input).
If no IV is provided, the default IV of the key is used.
For the AES/ECB modes, the IV field is not applicable.
For FPE/AES:
IV: The IV should be specified as a Hex-encoded value, where each byte is represented by 2 Hex characters. For FPE/AES, the IV length depends on the cardinality of the character set. To know the required IV length, click here. It is an optional field.
Tweak Algorithm: Select the tweak algorithm to be used. Possible options are: SHA1, SHA256, NONE, and NULL. It is an optional field.
Tweak: Specify the tweak data to be used. To know the required size of tweak data for FPE and tweak algorithms, click here. It is mandatory only when the tweak algorithm is SHA1, SHA256, or NONE.
For the other FPE algorithms (FPE/FF3-1, FPE/FF3, and FPE/FF1v2), each tab shows the same two fields:
Tweak Algorithm: Select the tweak algorithm to be used. Possible options are: SHA1, SHA256, and NONE; NULL is also offered on some of these tabs. It is an optional field.
Tweak: Specify the tweak data to be used. To know the required size of tweak data for FPE and tweak algorithms, click here. It is mandatory only when the tweak algorithm is SHA1, SHA256, or NONE.
Keep in mind that the tweak is what separates otherwise identical inputs: with the same key and the same (or no) tweak, FPE is deterministic, so equal plaintexts protected under one policy yield equal ciphertexts.
Prefix: Specify a user-friendly name that helps identify the type of data being protected. The maximum allowed length of the prefix is 7 characters and only printable ASCII characters are allowed. It is an optional field.
Disable Versioning: Select this to make the protection policy non-editable. In this case, only the ciphertext is returned in the response.
Version Header: Select where the version header is stored. Possible options are: Internal and External. The default value is Internal. Click here to know more.
For an internal version header, the version header is prepended to the ciphertext.
For an external version header, the version header is stored in a separate field.
Click Next to go to the key selection screen.
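The Luhn toggle and its note above amount to three constraints on any value sent to a Luhn-enabled policy: the value must consist only of the digits 0-9, must be at least 3 characters long, and must end in a valid Luhn check digit. The following Python is an added example written for this page, not CADP or CipherTrust Manager code; the function names are the example's own, and the sample numbers are constructed test values, not real account numbers.

```python
"""Client-side pre-flight checks for a Luhn-enabled protection policy.

Added example for this page; not part of CADP / CipherTrust Manager.
Function names and sample values are the example's own.
"""

LUHN_MIN_LENGTH = 3  # minimum length the policy note requires for Luhn crypto ops


def luhn_sum(digits: str) -> int:
    """Return the Luhn sum of a digit string, counting the rightmost digit as position 1.

    Every second digit from the right is doubled; a doubled value above 9 has 9
    subtracted, which equals the sum of its two decimal digits.
    """
    total = 0
    for position, ch in enumerate(reversed(digits), start=1):
        d = ord(ch) - ord("0")
        if position % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(value: str) -> bool:
    """True if the value is ASCII digits only and its last digit is a correct Luhn check digit."""
    return value.isascii() and value.isdigit() and luhn_sum(value) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the single digit that makes payload + digit Luhn-valid."""
    if not (payload.isascii() and payload.isdigit()):
        raise ValueError("payload must be ASCII digits only")
    # Appending "0" puts the payload digits in their final positions; the
    # check digit then has to cancel the remainder modulo 10.
    return str((10 - luhn_sum(payload + "0") % 10) % 10)


def luhn_policy_precheck(value: str) -> list[str]:
    """Return the reasons a value would not satisfy a Luhn-enabled policy.

    Mirrors the constraints stated on the page: the character set is All digits
    (0-9), at least 3 characters are needed, and the data must be Luhn-compliant.
    An empty list means the value passes all three checks.
    """
    problems = []
    if not (value.isascii() and value.isdigit()):
        problems.append("contains characters outside the All digits (0-9) character set")
    if len(value) < LUHN_MIN_LENGTH:
        problems.append(f"shorter than the {LUHN_MIN_LENGTH}-character minimum")
    # Only evaluate the check digit once the cheaper structural checks pass.
    if not problems and not luhn_valid(value):
        problems.append("last digit is not a valid Luhn check digit")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs (not real account numbers).
    for sample in ["79927398713", "79927398710", "4111111111111111", "12", "4111-1111"]:
        print(sample, luhn_policy_precheck(sample) or "ok")
```

Running the precheck before calling protect lets the application reject malformed input with a specific message instead of discovering the problem only when the crypto operation fails; the check-digit helper is useful when generating test data for such a policy.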
Step 3. Select Key
Select the key to be used during protect and reveal operations. If the desired key doesn't exist, create one. It is a mandatory field.
Note
The selected key must be marked exportable on CipherTrust Manager. The client group associated with the application must have read, export, encrypt, and decrypt key access permissions. By default, every application you create is tied to the Application Data Protection Clients group.
Click Next to go to the character set selection screen.
Step 4. Select Character Set
This screen is only applicable for format preserving algorithms.
Select the character set to be used in protect and reveal operations. You can use either a predefined or a custom character set. If the desired character set doesn't exist, create one. It is a mandatory field.
Click Next to go to the masking format selection screen.
Step 5. Select Masking Format
This screen is only applicable for format preserving algorithms.
Select the static masking format to be used in protect operations. You can use either a predefined or a custom static masking format. It is an optional field.
Click Next to go to the access policy screen.
Step 6. Select Access Policy
Select the access policy to be associated with the protection policy. If the desired access policy doesn't exist, create one. It is a mandatory field.
Click Next to go to the review screen.
Step 7. Review
Verify the protection policy details. The Confirmation screen displays general details, settings, key, character set, masking format, and access policy.
If you want to modify any field, click Edit and update the details.
Click Create. The message "Your protection policy is successfully created" is displayed.
Close the wizard to return to the Protection Policies page.
Now, use this protection policy to protect, reveal, and reprotect data.
Important Notes
When a protection policy is created, it is assigned Version 1. The version number increments with each update.
If versioning is disabled, a protection policy can't be modified.
If versioning is disabled, only version 0 of a key can be used in cryptographic operations.
The versioning type selected while creating a protection policy can't be modified.
The name of the protection policy can't be modified.