Rekey Examples
BDT can perform key rotation by re-encrypting the data using the new key. Key rotation can be done for both encryption and tokenization operations.
A REKEY policy consists of two parts. REKEY itself is only a container for the following two actions, run in this order:
The data is detokenized or decrypted using the existing key.
The data is tokenized or encrypted using the new key.
The two actions inside each REKEY action are defined with ENCRYPT, DECRYPT, TOKENIZE, and DETOKENIZE, using the same parameters as when each of these actions is used on its own.
For details on these parameters, refer to BDT Policy File.
The following example shows a sample configuration for a column rekey through CT-VL:
{
  "name" : "column6",
  "action" : "REKEY",
  "config" : [ {
    "@type" : "TOKENIZE",
    "tokenGroup" : "group1",
    "tokenTemplate" : "abcedf9876543210",
    "action" : "DETOKENIZE"
  }, {
    "@type" : "TOKENIZE",
    "tokenGroup" : "group2",
    "tokenTemplate" : "abcedf9876543210",
    "action" : "TOKENIZE"
  } ]
}
The following example shows a sample configuration for a column rekey through the BDT default crypto library:
{
  "name" : "column6",
  "action" : "REKEY",
  "config" : [ {
    "@type" : "FPE",
    "key" : "rekey1",
    "characterSet" : "digits",
    "tweak" : "0102030405060708",
    "action" : "DECRYPT"
  }, {
    "@type" : "FPE",
    "key" : "rekey2",
    "characterSet" : "digits",
    "tweak" : "0102030405060708",
    "action" : "ENCRYPT"
  } ]
}
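A pre-flight check for the REKEY structure described above, written as an added example rather than BDT's own code: it confirms that a column entry holds exactly two sub-actions in reverse-then-forward order, that each sub-action's action matches its @type, and that the two steps actually name different keys or token groups. It assumes only the two @type values shown on this page (TOKENIZE and FPE) and embeds the FPE example as sample input.

```python
# Pre-flight check for a BDT REKEY column policy (added example; not BDT's own code).
# Assumption: only the two @type values shown on this page are modelled.
REKEY_SHAPE = {
    # @type: key-identifying field, and the sub-action that must run first / second
    "TOKENIZE": {"key_field": "tokenGroup", "reverse": "DETOKENIZE", "forward": "TOKENIZE"},
    "FPE":      {"key_field": "key",        "reverse": "DECRYPT",    "forward": "ENCRYPT"},
}

def check_rekey(policy: dict) -> list:
    """Return the problems found in one REKEY entry; an empty list means it is well-formed."""
    if policy.get("action") != "REKEY":
        return [f"action is {policy.get('action')!r}, expected 'REKEY'"]
    steps = policy.get("config") or []
    if len(steps) != 2:
        return [f"REKEY must contain exactly two sub-actions, found {len(steps)}"]
    problems = []
    for label, step, phase in (("first", steps[0], "reverse"), ("second", steps[1], "forward")):
        shape = REKEY_SHAPE.get(step.get("@type"))
        if shape is None:
            problems.append(f"{label} step has unsupported @type {step.get('@type')!r}")
            continue
        if step.get("action") != shape[phase]:
            problems.append(f"{label} step must be {shape[phase]} for @type "
                            f"{step['@type']}, got {step.get('action')!r}")
        if not step.get(shape["key_field"]):
            problems.append(f"{label} step is missing {shape['key_field']!r}")
    # The rotation is a no-op unless the two steps reference different keys / token groups.
    if not problems and steps[0]["@type"] == steps[1]["@type"]:
        kf = REKEY_SHAPE[steps[0]["@type"]]["key_field"]
        if steps[0][kf] == steps[1][kf]:
            problems.append(f"both steps use {kf}={steps[0][kf]!r}: no key rotation takes place")
    return problems

# The FPE example from this page, embedded as sample input.
EXAMPLE_FPE = {
    "name": "column6", "action": "REKEY",
    "config": [
        {"@type": "FPE", "key": "rekey1", "characterSet": "digits",
         "tweak": "0102030405060708", "action": "DECRYPT"},
        {"@type": "FPE", "key": "rekey2", "characterSet": "digits",
         "tweak": "0102030405060708", "action": "ENCRYPT"},
    ],
}
# Constructed faulty variant: the "new" key is the same as the old one.
SAME_KEY = {"name": "column6", "action": "REKEY",
            "config": [dict(EXAMPLE_FPE["config"][0]), dict(EXAMPLE_FPE["config"][1], key="rekey1")]}

if __name__ == "__main__":
    for name, pol in (("page example", EXAMPLE_FPE), ("same key", SAME_KEY)):
        print(name, "->", check_rekey(pol) or "OK")
```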