Concepts
Keys
A key is used to perform cryptographic operations on data. The key is created, stored, and managed on the CipherTrust Manager.
Data Migration
Data migration is the process of encrypting data, altering existing tables so that they can store the resulting ciphertext, and creating views and triggers so that the existing applications can seamlessly and automatically encrypt new data and request decrypted data when needed.
Multi Domain
When a domain is created and a user becomes part of it, that user can access the resources (such as keys and alias names) of the domain. One user can be part of multiple domains and can switch between them. By default, the root domain is created. A user who is part of a domain can view/access only the database connections created under that particular domain.
Creating a CipherTrust Manager User
To create a CipherTrust Manager user:
Log on to the CipherTrust Manager GUI.
Click Keys & Access Management to open the application.
Click the Users tab on the left. The Users page is displayed.
On the Users page, click Create New User.
On the Create a New User screen, enter the details and click Create.
Creating User Defined Group in CipherTrust Manager
To create a user defined group in CipherTrust Manager:
Log on to the CipherTrust Manager GUI.
Click Keys & Access Management to open the application.
Click the Groups tab in the left pane. A page with existing groups is displayed.
In the Create New Group field, enter the name of the group and click Add.
The newly created group appears in the list of groups.
Mapping CipherTrust Manager Users to Group
To map a CipherTrust Manager user to a group:
Log on to the CipherTrust Manager GUI.
Click Keys & Access Management to open the application.
Click the Groups tab in the left pane.
Click the group to which the CipherTrust Manager user is to be mapped.
From the list of available users, select the name of the user to be mapped to the group and click Add.
Mapping Key to Group
A key can be created and mapped to a group. A group can have various permissions such as encrypt and decrypt on a key. For more information, refer to the "Key Management Operations" chapter of the CipherTrust Manager XML Guide.
Mapping CipherTrust Manager User to Database User
The user mapping can be done using any of the following interfaces:
API Playground
Pdbctl Utility
Using CipherTrust Manager's GUI
Setting Up Role Based Permission
The CipherTrust Manager allows its users to set group policies (permissions) on keys (using the CDP client in remote mode only). The users associated with a group can perform encryption/decryption only as permitted for that group; during encryption and decryption, CDP enforces the permissions set for the group.
This section explains how to map a database user to a CipherTrust Manager user who is in turn mapped to the access policy set for a group. The group with encryption/decryption permission is mapped to a key.
For example, create two database users dbusr1 and dbusr2 and map them to CipherTrust Manager users so that dbusr1 has only insert permission and dbusr2 has only select/delete permission on the database tables.
Perform the following steps in the given order:
Create two users, encUser and decUser. Refer to Creating a CipherTrust Manager User.
Create two groups, encryptGroup and decryptGroup. Refer to Creating User Defined Group in CipherTrust Manager.
Map encUser to encryptGroup and decUser to decryptGroup. Refer to Mapping CipherTrust Manager Users to Group.
Create a key and assign the encrypt permission to encryptGroup and the decrypt permission to decryptGroup. Refer to Mapping Key to Group.
Create the database connection.
Map encUser to dbusr1 and decUser to dbusr2.
After the mapping is done, dbusr1 will have only insert permission and dbusr2 will have only select/delete permissions on the database table.
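The authorisation chain that the procedure above builds (database user to CipherTrust Manager user, CipherTrust Manager user to group, group to key permission) is easy to misconfigure when a user belongs to several groups or a mapping is missing. The following model is an added example, not CipherTrust Manager or CDP code and not its API: it resolves a database user's effective permissions on a key through that chain, denies by default, and audits the result against the intended least-privilege assignment. The key name cdp_key and the rule that insert requires encrypt, select requires decrypt and delete needs no cryptographic operation are assumptions made for the model.

```python
"""Model of the CDP authorisation chain described on this page:
database user -> CipherTrust Manager user -> group -> key permission.
Added example; not CipherTrust code. Names, the key name and the
operation-to-permission mapping below are assumptions."""

from dataclasses import dataclass

# Assumption for this model: insert must encrypt new data, select must
# decrypt stored data, delete touches no plaintext and needs no key permission.
OPERATION_NEEDS = {"insert": "encrypt", "select": "decrypt", "delete": None}


@dataclass
class Policy:
    # database user -> CipherTrust Manager user
    db_to_cm_user: dict
    # CipherTrust Manager user -> list of groups (a user may be in several)
    user_groups: dict
    # (group, key name) -> set of permissions granted on that key
    key_permissions: dict

    def effective_permissions(self, db_user, key):
        """Union of the permissions that every group of the mapped
        CipherTrust Manager user holds on the given key."""
        cm_user = self.db_to_cm_user.get(db_user)
        if cm_user is None:
            return set()  # an unmapped database user gets nothing
        perms = set()
        for group in self.user_groups.get(cm_user, ()):
            perms |= self.key_permissions.get((group, key), set())
        return perms

    def is_allowed(self, db_user, operation, key):
        """Deny by default: unknown operations are refused, and an
        operation is permitted only when its required permission is present."""
        if operation not in OPERATION_NEEDS:
            return False
        needed = OPERATION_NEEDS[operation]
        if needed is None:
            return True
        return needed in self.effective_permissions(db_user, key)


def audit_least_privilege(policy, expected):
    """Return the (db_user, key) pairs whose effective permissions differ
    from the intended set, so drift (e.g. an extra group membership) shows up."""
    return [(user, key) for (user, key), want in expected.items()
            if policy.effective_permissions(user, key) != want]


# Constructed configuration mirroring the walkthrough on this page.
EXAMPLE_POLICY = Policy(
    db_to_cm_user={"dbusr1": "encUser", "dbusr2": "decUser"},
    user_groups={"encUser": ["encryptGroup"], "decUser": ["decryptGroup"]},
    key_permissions={("encryptGroup", "cdp_key"): {"encrypt"},
                     ("decryptGroup", "cdp_key"): {"decrypt"}},
)

INTENDED = {("dbusr1", "cdp_key"): {"encrypt"},
            ("dbusr2", "cdp_key"): {"decrypt"}}

if __name__ == "__main__":
    checks = [("dbusr1", "insert"), ("dbusr1", "select"),
              ("dbusr2", "select"), ("dbusr2", "insert"), ("dbusr2", "delete")]
    for user, op in checks:
        verdict = "allowed" if EXAMPLE_POLICY.is_allowed(user, op, "cdp_key") else "denied"
        print(f"{user} {op}: {verdict}")
    print("least-privilege drift:", audit_least_privilege(EXAMPLE_POLICY, INTENDED))
```

Running the block shows dbusr1 allowed to insert but denied select, and dbusr2 the reverse, matching the intended split; adding encUser to decryptGroup in the constructed data makes the audit report dbusr1 as drifted, which is the check worth repeating after any group or key-permission change in CipherTrust Manager.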