Protection Policy Versioning Details
Protection policy versioning is the process of assigning a version number to each iteration of a protection policy. This process helps track changes and updates made to a protection policy.
A new version of the protection policy is created when it is modified. The protection policy versioning starts with Version 1
.
The advantage of the versioned policies is that protection policy can be modified without worrying about data, which is protected with older protection policy versions. The protect operation always uses the latest protection policy version and the reveal operation reveals data based on the protection policy version passed with the ciphertext.
The Application Data Protection supports following types of versioning:
Internal Version Protection Policy
When a protection policy is created as internal versioned, the version header is part of the ciphertext. A prepended tagged ciphertext (Version header + Ciphertext) will be created when data is protected with versioned policies. This version header is used by connectors to retrieve the respective version of a particular protection policy.
For example,
1001000B1E06A7C20585E0F5A13233953B4971D
, here1001000
is the version header andB1E06A7C20585E0F5A13233953B4971D
is the ciphertext.Refer to Version Header Structure for details on the version header.
External Version Protection Policy
When a protection policy is created as external versioned, the version header is not part of the ciphertext. In external version protection policy, the version details are stored in a different column/field. This field will vary according to the chosen connector type and its configurations.
Refer to Version Header Structure for details on the version header.
Disable Version Protection Policy
A disabled version protection policy is the policy without the version header. If Disable Versioning is selected, the protection policy cannot be modified. In such cases, only
Version 0
of a key will be used to protect/reveal data. Use this option if you want ciphertext only and no information about the version bytes.
Note
If a set of data is already encrypted with a protection policy, ensure to decrypt the data with the same protection policy.
The versioning type selected during the protection policy creation cannot be modified.
Version Header Structure
The version header is always a 7-digit value. It ranges from 1001000
to 1999999
. A new version of the protection policy is created when it is modified.
Version Header Example | Digit | Description |
---|---|---|
1001000 | 1 | Specifies the version tag. As of now, the version tag is always 1. |
1001000 | 2-4 | Specifies version of the protection policy. It starts with Version 1 (001). |
1001000 | 5-7 | Specifies version of the key. |