Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

BDT Administration

BDT Policies

search

Please Note:

printsuggest an editpdf paneldownload

BDT Policies

The Batch Data Transformation utility (BDT) provides a policy-based data transformation and re-key service. While you can create a local bdt.config file that contains the required encryption information in different sections, you can also define BDT policies in CipherTrust Manager and then use those same policies wherever they are needed.

copy link to clipboardCreating a BDT Policy

  1. Log on to the CipherTrust Manager as an administrator.

  2. In the left pane, click Data Protection > BDT Policies.

  3. Click Create BDT Policy. The Create BDT Policy wizard is displayed.

  4. Enter the following information:

    FieldDescription
    NameA user defined name for this BDT policy. The name must be unique.
    DescriptionAn optional description of the policy.
    FPE ModeIf you are using Format-Preserving Encryption (FPE), enter the FF3-encoding mechanism you want to use. The options are:
    ASCII: The default encryption mode. ASCII supports only ASCII characters and is faster than UTF
    UTF: Required when using FPE to encrypt Unicode characters.
    NOTE: The ASCII encryption mode is separate from ASCII character encoding.
    In Place UpdateApplies only if the source container points to a database.
    Enable this option if you want BDT to transform the data in place instead of specifying a different destination to hold the transformed data. If you enable this option, BDT transforms the data directly in the source database table and CipherTrust Manager does not display the Add Destination page in the wizard.
    If you do not enable this option, you can specify any container as the destination on the Add Destination wizard page.
    NOTE: If you enable this option and you also specify a destination table on the Data Transformation page of this wizard, the destination table is ignored.
    Create Bad Record FileEnable this option if you want BDT to create a .failed file that contains information about the input records that could not be transformed.

    When you are done, click Next. The Add Source screen is displayed.

  5. Select the container that specifies the database or file that you want to transform. If you want to create a new container, click Create Container. For details, see BDT Containers.

    When you are done, click Next.

  6. If you selected the In Place Update option on the General Info screen, proceed to the next step. Otherwise, on the Add Destination screen, select the container that specifies the database or file into which you want BDT to write the transformed data. If you want to create a new container, click Create Container. For details, see BDT Containers.

    Note

    If you want BDT to write the transformed data to a new table in the source database, the Source and Destination containers should be the same. You will be able to specify the destination table name in the next step.

    When you are done, click Next. The Data Transformation screen is displayed.

  7. Click Create Table and enter the following information.

    Note

    • You must create a table even if you are using a CSV file or a fixed length file as the input. For these entities, the Source Table name field should be left blank.

    • This step only specifies the database table names. You will specify the columns you want to use later in this procedure.

    FieldDescription
    Source TableIf the source container points to a database, enter the name of the database table containing the columns that you want to transform.
    If the source container points to a CSV file or a fixed length file, leave the Source Table field blank.
    Destination TableApplies only when the In Place Update option is not enabled. If that option is enabled, BDT ignores this field.
    If the destination container points to a database, enter the name of the database table into which you want BDT to write the results of the transformation process. If you want BDT to create the destination table for you, enable the Create Destination Table option.
    If the destination container points to a CSV file or a fixed length file, leave the Destination Table field blank.
    In Place ErrorSpecifies what to do when the In Place Update transformation option is selected and some records fail the transform process. The options are:
    rollback: Roll back all changes. The source table returns unchanged to its initial state.
    commit: Update the source column with transformed values and replace any failed records with either null or plain text depending on the value selected in the Error Placeholder field.
    exit: Keeps source table as it is, with some values already transformed. This allows you to resolve the cause of the failure and restart the transformation (with the -r option).
    Error PlaceholderThis option applies only if In Place data transformation encounters an error and the In Place Error field is set to commit. The options are:
    NULL: Sets the record value to null if the transformation fails. Use caution when selecting this option, as the original plain text data will be lost.
    PLAIN_TEXT: Retains the original record contents if transformation fails.

  8. Repeat the previous step to add any other database tables you want to add to this BDT policy.

    When you are done specifying the tables, click Next.

  9. Review the policy settings and click Save when you are done.

Now, specify the columns you want BDT to process. Refer to Specifying Columns to Process.

copy link to clipboardSpecifying Columns to Process

To specify which columns you want BDT to process in the input database table, CSV file, or fixed length file:

  1. On the BDT Policies page, click on the policy name.

  2. In the Tables section, expand the table for which you want to add column information.

  3. Click Create Column and enter the following information:

    FieldDescription
    NameThe name of the column.
    ActionThis can be ENCRYPT, DECRYPT, TOKENIZE, DETOKENIZE, or REKEY.
    If you select REKEY, CipherTrust Manager displays two sections, one for the decryption of the existing data and one for the encryption of the same data with the new key.
    Do not change the Action that is automatically selected in these sections.
    When you specify the Decryption options, make sure they exactly match how the existing data is encrypted or the rekey operation will not succeed.
    Protection ProfileThe Protection Profile to use for this column. For details, see Protection Profiles.
    Token TemplateIf you are using a CipherTrust Tokenization Server and you do not have a Protection Profile, you can use this field to specify a CTS template token. This option is only available if the Action is Tokenize, Detokenize, or Rekey.
    NOTE: If you specify a Protection Profile and a Token Template, CipherTrust Manager ignores the Token Template and uses the Protection Profile.
    Token GroupThe CTS token group associated with the template specified in the Token Template field. This option is only available if the Action is Tokenize, Detokenize, or Rekey.
    HeaderThe cipher header version for determining the key version. The supported header versions are: V1_5, V1_5_Base64, V2_1, and V2_7.
    Tweak SourceSpecifies a column in the source database or file that contains the tweak. This allows you to use a different tweak for each row.
    If you specify a tweak source and a Protection Profile, this value overrides the tweak in the Protection Profile.
    IV SourceSpecifies a column in the source database or file that contains the IV (initialization vector). This allows you to use a different IV for each row.
    If you specify an IV source and a Protection Profile, this value overrides the IV in the Protection Profile.
    Input EncodingSpecifies how to decode input and create byte array from it. Valid options are BASE2, BASE16, BASE64, UTF8, UTF16LE, UTF16BE, UTF32LE, or UTF32BE.
    NOTE: BASE2 is supported only with database Blob data type columns.
    Output EncodingSpecifies how to encode output byte array to a string. Valid options are BASE16, BASE64, UTF8, UTF16LE, UTF16BE, UTF32LE, or UTF32BE.

  4. When you are done, click Create.

  5. Repeat this step for any other columns you want BDT to process.

On this page