Performing Initial Data Transformation for DPG Compatibility
CipherTrust Batch Data Transformation (BDT) performs the initial, one-time encryption of existing plaintext data to make it compatible with the CipherTrust Data Protection Gateway (DPG). This process uses a BDT policy file to encrypt the data with the same protection policy that DPG will use for ongoing operations.
Note
Initial encryption is needed only for plaintext data.
Initial encryption is supported only through a BDT policy file, not from the BDT tile on the CipherTrust Manager UI.
Initial encryption is supported only up to DPG version 1.2.0.
Steps for Initial Transformation of Data
1. Create a protection policy on CipherTrust Manager. Refer to Creating Protection Policy for details.
2. Create a BDT policy file using the same protection policy configuration defined in the previous step. Refer to the table below to map BDT policy attributes to the corresponding protection policy fields.

| Protection Policy Fields | BDT Policy Attributes |
|---|---|
| Algorithm | @type |
| Key Name | key |
| IV | iv |
| Tweak | tweak |
| Tweak Algorithm | tweakAlgo |
| Character Set | characterSet |
| Version | policyVersion |

Refer to the table below for algorithm name mappings between CipherTrust Manager and the BDT policy file.

| Algorithm name on CipherTrust Manager | Algorithm name in BDT Policy |
|---|---|
| AES/CBC/PKCS5Padding | AES_CBC_PAD |
| FPE/AES | FPE_AES |

Following are the snippets of BDT policy for FPE_AES and AES_CBC_PAD respectively:

BDT policy configuration for FPE_AES

    "config":[
      {
        "@type":"FPE_AES",
        "key":"key1",
        "tweak":"010ACD5B99F3C343",
        "characterSet":"alphanumeric",
        "policyVersion":1 /* Version of protection policy on CipherTrust Manager GUI to be used only for Initial Encryption of DPG. */
      }
    ]

BDT policy configuration for AES_CBC_PAD

    "config" : [
      {
        "@type" : "AES/CBC/PKCS5Padding",
        "key" : "example_key",
        "iv" : "1234567812345678",
        "policyVersion" : 1 /* Version of protection policy on CipherTrust Manager GUI to be used only for Initial Encryption of DPG. */
      }
    ]

3. Run the transformation using the configured BDT policy. After the transformation is complete, DPG can process data using the existing protection policy created in the previous steps, or you may choose to create a new one.
Note
BDT reads the encryption properties and protection policy version information from the policy file.
A policyVersion parameter is used in the policy file to get version information of the protection policy.
Refer to BDT Policy File Attributes for the attribute details and Sample BDT Policy for the sample policy file.
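The two mapping tables above, applied as a pre-flight check that a BDT config entry matches the protection policy before the transformation is run. This is an added example, not code from CipherTrust documentation. The protection policy is represented as a dict keyed by the UI field labels from the table, which is an assumed representation, and the function names are hypothetical.

```python
# Added example: field and algorithm mappings copied from the two tables on this page.
FIELD_TO_ATTR = {
    "Algorithm": "@type", "Key Name": "key", "IV": "iv", "Tweak": "tweak",
    "Tweak Algorithm": "tweakAlgo", "Character Set": "characterSet",
    "Version": "policyVersion",
}
ALGO_CM_TO_BDT = {"AES/CBC/PKCS5Padding": "AES_CBC_PAD", "FPE/AES": "FPE_AES"}


def expected_bdt_config(protection_policy):
    """Build the BDT "config" entry implied by a protection policy.

    protection_policy is a dict keyed by the UI field labels in the table
    (an assumed representation, not a CipherTrust Manager API format).
    """
    config = {}
    for field, value in protection_policy.items():
        if field not in FIELD_TO_ATTR:
            raise ValueError(f"no BDT attribute mapped for field {field!r}")
        if field == "Algorithm":
            if value not in ALGO_CM_TO_BDT:
                raise ValueError(f"no BDT algorithm name mapped for {value!r}")
            value = ALGO_CM_TO_BDT[value]
        config[FIELD_TO_ATTR[field]] = value
    return config


def find_mismatches(protection_policy, bdt_config):
    """Return descriptions of attributes that differ, are missing, or are extra."""
    expected = expected_bdt_config(protection_policy)
    problems = []
    for attr in sorted(set(expected) | set(bdt_config)):
        want, got = expected.get(attr), bdt_config.get(attr)
        if want != got:
            problems.append(f"{attr}: expected {want!r}, found {got!r}")
    return problems


# Constructed sample: values reuse the FPE_AES snippet above.
policy = {"Algorithm": "FPE/AES", "Key Name": "key1", "Tweak": "010ACD5B99F3C343",
          "Character Set": "alphanumeric", "Version": 1}
good = {"@type": "FPE_AES", "key": "key1", "tweak": "010ACD5B99F3C343",
        "characterSet": "alphanumeric", "policyVersion": 1}
stale = dict(good, policyVersion=2, tweak="010ACD5B99F3C344")

if __name__ == "__main__":
    print(find_mismatches(policy, good))
    for line in find_mismatches(policy, stale):
        print(line)
```

An empty result means the BDT entry carries the same algorithm, key, tweak or IV, character set and version as the protection policy; any reported line should be resolved before the one-time transformation is run.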