Protection Profiles
Protection Profiles contain all the information needed to perform a cryptographic operation: a Protection Method (the algorithm and its formatting options) together with the key, tweak and IV it uses. A Protection Profile can be assigned to a specific input column in a BDT policy to specify how that column is encrypted.
Creating a Protection Profile
Log on to the CipherTrust Manager as an administrator.
In the left pane, expand Data Protection and select Protection Profiles.
Click Create Protection Profile. The Create Protection Profile wizard is displayed.
Enter the following information:
Name: A user defined name for this Protection Profile. The name must be unique.
Description: An optional description of the profile.
When you are done, click Next. The Add Protection Method screen is displayed.
Select an existing protection method, or click Create Protection Method to define a new one. For details, see Creating a Protection Method.
Click Next. The Add Key screen is displayed.
Enter the following information:
Key Name: Click Select and select the name of the key that you want to use. If you need to create a new key, click Create a New Key on the Select Key page.
Tweak: An optional 16-digit tweak. The tweak is an input to the format preserving algorithms (FPE/FF3 and FF1); the non format preserving algorithms do not use one.
IV: An optional 32-digit initialization vector. The IV is used by the non format preserving modes that chain blocks or generate a key stream (AES_CBC_PAD, AES_CTR and DESede in CBC mode); ECB mode and the format preserving algorithms do not use one.
Record the tweak and IV together with the key name. Data protected under a given key, tweak and IV can only be reversed with the same three values; a different IV or tweak yields garbage rather than an error.
When you are done, click Next.
Review the Protection Profile settings and click Save when you are done.
Creating a Protection Method
Log on to the CipherTrust Manager as an administrator.
In the left pane, expand Data Protection and select Protection Methods.
Click Create Protection Method.
In the Name field, enter a name for the Protection Method. This name must be unique.
In the Algorithm Formatting field, select one of the following:
Format Preserving Encryption: If selected, BDT encrypts the input so that the output has the same format as the input. For example, if you encrypt a 16-digit number with this type of encryption formatting, the result will be another 16-digit number.
Non Format Preserving Encryption: If selected, BDT encrypts the input based on the specified key and does not match the input format when creating the output.
The rest of the fields in this dialog box depend on the selected algorithm formatting.
If you selected Format Preserving Encryption as your algorithm formatting type, enter the following information. Otherwise, proceed to the next step.
Algorithm: The algorithm to use. This can be:
• FPE (also called FF3)
• FF1
Character Set: The character set that will be encrypted by this profile. Thales provides the following default character sets:
• Alphanumeric
• All printable ASCII
• All digits
You can also make as many custom character sets as you need. For details, see Creating a Character Set. Every character in the portion of the input that is encrypted must belong to the selected character set.
Keep Left: The number of characters to leave unencrypted, starting from the left. Enter 0 (zero) to encrypt all characters.
Keep Right: The number of characters to leave unencrypted, starting from the right. Enter 0 (zero) to encrypt all characters. Keep Left plus Keep Right must be smaller than the input length, or nothing remains to encrypt. Characters kept in the clear appear unchanged in the output, so set these values to the minimum that downstream consumers actually need (for example the leading and trailing digits of a 16-digit number).
Prefix: The text to add to the beginning of the ciphertext output, if any.
Suffix: The text to add to the end of the ciphertext output, if any.
Allow small inputs: If this option is enabled, inputs containing 4 or fewer characters will be encrypted.
Allow null or single character inputs: If this option is enabled, null or single-character inputs will be passed through to the output without being encrypted. If this option is not selected, the row transformation will fail. This option applies to FPE or FF1 algorithm encryption only. It is ignored if the Algorithm is set to Random.
Irreversible: If this option is selected and the output is tokenized, the process is one-way and the output cannot be detokenized.
Additional Params: Any additional parameters you want to include in this protection method, in standard JSON formatting. For example: {"action":"decrypt","log":false}
If you selected Non Format Preserving Encryption as your algorithm formatting type, enter the following information. Otherwise, proceed to the next step.
Algorithm: The algorithm to use. This can be:
• AES_CBC_PAD
• AES_CTR
• DESede (also called 3DES, Triple-DES, and DES-EDE)
Mode: Only applicable if the Algorithm is set to DESede. This can be:
• CBC (the default)
• ECB
ECB encrypts each 8-byte block independently, so identical blocks of input produce identical blocks of output and patterns in the data survive encryption. Keep the CBC default unless a consumer of the output specifically requires ECB.
Padding: Only applicable if the Algorithm is set to DESede. This can be:
• NoPadding
• PKCS5Padding
With NoPadding the input length must be a multiple of the 8-byte DESede block size. PKCS5Padding extends any input to the next block boundary, so the output is always longer than the input.
Additional Params: Any additional parameters you want to include in this protection method, in standard JSON formatting. For example: {"action":"decrypt","log":false}
When you are done, click Create.
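The non format preserving options above differ in the shape of their output, and the Mode choice for DESede is a security decision. The following Go program is added here as an example; it is not code from Thales, CipherTrust Manager or BDT. It reproduces the behaviours with the Go standard library so they can be checked offline: AES_CBC_PAD output is padded to a 16-byte boundary and can only be reversed with the same key and IV, and DESede in ECB mode repeats ciphertext blocks wherever the input repeats, while CBC does not. The keys and IVs are constructed demo values, and the function names (aesCBCPadEncrypt, aesCBCPadDecrypt, desedeEncrypt, pkcs5Pad, pkcs5Unpad) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// mustHex decodes hex text such as the 32-digit IV typed on the Add Key screen.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Constructed demo material so the example runs offline; a real BDT job uses a key
// held in CipherTrust Manager and never embeds it in code.
var (
	demoAESKey = mustHex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f") // 32 bytes
	demoAESIV  = mustHex("00112233445566778899aabbccddeeff")                                 // 32 hex digits = 16 bytes
	demoDESKey = mustHex("0123456789abcdeffedcba987654321089abcdef01234567")                 // 24 bytes, 3-key 3DES
	demoDESIV  = mustHex("0011223344556677")                                                 // one 8-byte DES block
)

// pkcs5Pad fills the last block (the PKCS5Padding option); each pad byte holds the pad length.
func pkcs5Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad rejects malformed padding instead of silently returning garbage.
func pkcs5Unpad(b []byte, bs int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// aesCBCPadEncrypt is the AES_CBC_PAD shape: output grows to the next 16-byte boundary.
func aesCBCPadEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs5Pad(pt, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

// aesCBCPadDecrypt needs the same key and IV; a different IV garbles the first block.
func aesCBCPadDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("bad key or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs5Unpad(pt, block.BlockSize())
}

// desedeEncrypt applies DESede with the Mode option (CBC, the default, or ECB) and PKCS5 padding.
func desedeEncrypt(key, iv, pt []byte, mode string) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs5Pad(pt, block.BlockSize())
	ct := make([]byte, len(padded))
	switch mode {
	case "CBC":
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	case "ECB": // each block is encrypted independently: equal plaintext blocks show as equal ciphertext blocks
		for i := 0; i < len(padded); i += 8 {
			block.Encrypt(ct[i:i+8], padded[i:i+8])
		}
	default:
		return nil, fmt.Errorf("unknown mode %q", mode)
	}
	return ct, nil
}

func main() {
	pt := []byte("ACCT:4111111111111111") // constructed 21-byte record
	ct, _ := aesCBCPadEncrypt(demoAESKey, demoAESIV, pt)
	fmt.Printf("AES_CBC_PAD: %d bytes in, %d bytes out\n", len(pt), len(ct))
	rep := []byte("1111111111111111") // two identical 8-byte blocks
	ecb, _ := desedeEncrypt(demoDESKey, demoDESIV, rep, "ECB")
	cbc, _ := desedeEncrypt(demoDESKey, demoDESIV, rep, "CBC")
	fmt.Printf("DESede ECB repeats a block: %v; CBC: %v\n",
		string(ecb[:8]) == string(ecb[8:16]), string(cbc[:8]) == string(cbc[8:16]))
}
```

AES_CTR, the remaining option, is not shown: it is a stream mode, so its output has exactly the input's length, and like CBC it depends on an IV that must never be reused with the same key for a second input.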
Creating a Character Set
Log on to the CipherTrust Manager as an administrator.
In the left pane, expand Data Protection and select Character Sets.
Click Create Character Set and enter the following information:
Name: A user defined name for this character set. The name must be unique.
Unicode Character Range: The Unicode characters included in this character set, as code points in HEX format. This field can contain a range of characters, a single Unicode character, or a comma-separated list consisting of any number of ranges and single characters.
Examples:
• Basic Latin: 0000-007F
• Digits: 0030-0039 (U+0030 is the digit 0, U+0039 the digit 9)
• Greek: 0370-03FF
• Greek and all digits: 0370-03FF,0030-0039
• Greek and the single digit 9: 0370-03FF,0039
As you specify the range, a check mark icon next to the field label indicates that the entry uses valid HEX format. An exclamation mark icon indicates that the value is not valid HEX. You cannot create the character set unless you have a valid HEX expression in this field.
When you are done, click Create.
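The Unicode Character Range expression above, together with the Keep Left, Keep Right, Allow small inputs and Allow null or single character inputs options of a format preserving Protection Method, determines which column values a BDT job can actually transform. The following Go program is added here as an example and is not code from Thales or the BDT product. It parses a character range expression the way the dialog's HEX check does and runs a pre-flight check over constructed sample values so that rows which would fail can be found before a job is submitted. CharSet, ParseCharSet, FPEMethod and Check are names chosen for this example; the assumption that a value which violates a disabled option, or contains characters outside the set, is rejected follows what the page states for null or single-character inputs and is applied to the other cases as the conservative reading.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode/utf8"
)

// CharSet holds the code points admitted by a Unicode Character Range
// expression such as "0370-03FF,0030-0039" (hex ranges and single points).
type CharSet map[rune]bool

// parseHexPoint accepts 1 to 6 hex digits for one code point (assumption:
// the exact digit limits of the dialog's HEX check are not documented).
func parseHexPoint(s string) (rune, error) {
	s = strings.TrimSpace(s)
	if len(s) == 0 || len(s) > 6 {
		return 0, fmt.Errorf("%q is not a valid hex code point", s)
	}
	v, err := strconv.ParseUint(s, 16, 32)
	if err != nil || v > 0x10FFFF {
		return 0, fmt.Errorf("%q is not a valid hex code point", s)
	}
	return rune(v), nil
}

// ParseCharSet parses a comma-separated list of ranges and single code points.
func ParseCharSet(spec string) (CharSet, error) {
	cs := CharSet{}
	for _, item := range strings.Split(spec, ",") {
		lo, hi := item, item
		if i := strings.Index(item, "-"); i >= 0 {
			lo, hi = item[:i], item[i+1:]
		}
		a, err := parseHexPoint(lo)
		if err != nil {
			return nil, err
		}
		b, err := parseHexPoint(hi)
		if err != nil {
			return nil, err
		}
		if a > b {
			return nil, fmt.Errorf("range %q is reversed", item)
		}
		for r := a; r <= b; r++ {
			cs[r] = true
		}
	}
	return cs, nil
}

// FPEMethod mirrors the Format Preserving Encryption fields of a Protection Method.
type FPEMethod struct {
	CharSet           CharSet
	KeepLeft          int
	KeepRight         int
	Prefix, Suffix    string
	AllowSmallInputs  bool // inputs of 4 or fewer characters are encrypted
	AllowNullOrSingle bool // null or single-character inputs pass through unencrypted
}

// Preflight is the result of checking one column value.
type Preflight struct {
	Encrypt   string // the characters the cipher will actually see
	OutputLen int    // length of the value BDT would write back
	PassThru  bool   // value is copied unchanged (null or single-character input)
}

// Check reports whether input can be transformed under m. A value that violates a
// disabled option or falls outside the character set is treated as rejected (assumption).
func (m FPEMethod) Check(input string) (Preflight, error) {
	n := utf8.RuneCountInString(input)
	switch {
	case n <= 1 && !m.AllowNullOrSingle:
		return Preflight{}, fmt.Errorf("null or single-character input %q: enable Allow null or single character inputs", input)
	case n <= 1:
		return Preflight{OutputLen: n, PassThru: true}, nil
	case n <= 4 && !m.AllowSmallInputs:
		return Preflight{}, fmt.Errorf("input %q has %d characters: enable Allow small inputs", input, n)
	case m.KeepLeft < 0 || m.KeepRight < 0 || m.KeepLeft+m.KeepRight >= n:
		return Preflight{}, fmt.Errorf("keep left %d + keep right %d leaves nothing of %q to encrypt", m.KeepLeft, m.KeepRight, input)
	}
	middle := []rune(input)[m.KeepLeft : n-m.KeepRight]
	for i, r := range middle {
		if !m.CharSet[r] {
			return Preflight{}, fmt.Errorf("character %q at position %d is not in the character set", r, m.KeepLeft+i)
		}
	}
	// FPE preserves the length; prefix and suffix are added literally.
	return Preflight{Encrypt: string(middle), OutputLen: utf8.RuneCountInString(m.Prefix) + n + utf8.RuneCountInString(m.Suffix)}, nil
}

func main() {
	digits, _ := ParseCharSet("0030-0039") // all digits
	m := FPEMethod{CharSet: digits, KeepLeft: 6, KeepRight: 4, Suffix: "-tok"}
	for _, v := range []string{"4111111111111111", "4111-1111-1111-1111", "1234", ""} { // constructed values
		if r, err := m.Check(v); err != nil {
			fmt.Printf("%-22q REJECT: %v\n", v, err)
		} else {
			fmt.Printf("%-22q ok: encrypt %q, output length %d\n", v, r.Encrypt, r.OutputLen)
		}
	}
}
```

Run it over an export of the column before defining the BDT policy; each REJECT line names the option or character set change that would let the row through, which is cheaper than discovering the failure mid-job.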