Managing Protection Policy
Protection policy defines a set of rules that govern the cryptographic operations. The protection policy includes entities such as algorithm, key, character set, access policy and so on.
Protection policy specifications
Supported key types
Symmetric AES keys are supported.
The keys must be marked exportable on the CipherTrust Manager.
The key used in the protection policy must be added to the Application Data Protection Clients Group with Read, Encrypt, Decrypt, and Export permissions.
Supported character set
For FPE, the Application Data Protection supports configurable character sets.
FPE requires minimumtwo characters from the character set to perform crypto operations.
Protection Policy versioning
When a protection policy is created, by default, Version1 is assigned to it. If the existing protection policy is modified, a new version of the protection policy is created with modified fields.
A prepended tagged ciphertext (Version header + Ciphertext) will be created when data is protected with versioned policies. This header version is used by connectors to retrieve the respective version of a particular protection policy. The advantage of the versioned policies is - online modification of protection policy can happen seamlessly by creating a new version of the protection policy.
The Application Data Protection supports following types of versioning:
Internal Version Header- also referred to as internal versioning. The version bytes are prepended to the ciphertext. This is the default versioning. For example, <version header bytes> <ciphertext>
External Version Header- also referred to as external versioning. The version details are stored in a separate parameter. For example:
<parameter name storing the version header bytes>
This field will vary according to the chosen connector type.
For DPG, this field is configured while creating DPG policy.
- Disable Versioning- if selected, the protection policy can't be modified. In such cases, only
Version 0of a key will be used to protect/reveal data. Use this option if you only want ciphertext and no information about the version bytes.
If a set of data is already encrypted with a protection policy, ensure to decrypt the data with the same protection policy.
The versioning type selected during the protection policy creation can't be modified.
In this article you will learn how to: