Encryption Key Versioning
Encryption key versioning lets applications request automated key version advances: the key material is changed automatically ("rekeying," or "rotation"), and the version of the key that produced a given ciphertext is recorded in a header prefixed to the encrypted data, so older records can still be decrypted with the key version they were written under.
Note
Versioned keys are supported when using Vormetric Data Security Manager (DSM) with Vormetric Application Encryption (VAE). Versioned keys are not supported:
- With DESede encryption.
- When using CipherTrust Application Data Protection (CADP-JCE) with the CipherTrust Manager as a key manager.
BDT detects the key version from the header that is prefixed to the cipher text. Configure the header version with the header attribute, alongside the action, in each column's config entry in the policy file. Different columns can use different header versions. The valid combinations of header version and encryption mode are shown below:
Supported Header Versions per Encryption Mode
Header | AES_CBC_PAD | AES_CTR | FPE/FF1 |
---|---|---|---|
v 1.5 | Yes | No | No |
v 1.5 Base 64 | Yes | No | No |
v 2.1 | Yes | Yes | No |
v 2.7 | Yes | Yes | No |
The following policy fragment rekeys COLUMN0 with a versioned key. The DECRYPT entry reads records that carry a v2.1 header (the key version inside the header selects the key material to decrypt with), and the ENCRYPT entry writes them back under the current key version with a v2.7 header:

```json
{
  "columns": [
    {
      "name": "COLUMN0",
      "action": "REKEY",
      "config": [
        {
          "@type": "AES_CTR",
          "action": "DECRYPT",
          "key": "bdtVersionKey",
          "iv": "010203040506070809100A0B0C0D0E0F",
          "header": "V2_1"
        },
        {
          "@type": "AES_CTR",
          "action": "ENCRYPT",
          "key": "bdtVersionKey",
          "iv": "010203040506070809100A0B0C0D0E0F",
          "header": "V2_7"
        }
      ]
    }
  ]
}
```
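The following Python example, added here and not part of the BDT or VAE product code, shows the mechanism the header-detection paragraph and the REKEY policy above rely on: a key ring holding several versions of one key, a version header prefixed to every ciphertext, a decrypt step that picks the key version from that header, and a rekey step that re-encrypts under the current version. The header layout (a magic value, a 16-bit key version and a 16-byte nonce), the key ring contents, the key names and the sample plaintext are all constructed for the example; they are not the v1.5/v2.1/v2.7 formats used by Vormetric. Because the Python standard library has no AES, the block uses an HMAC-SHA256 keystream in counter mode as a stand-in for AES_CTR; the versioning logic is the same with a real cipher.

```python
import hashlib
import hmac
import os
import struct

# Constructed key ring: key version -> 32-byte key. In a deployment these
# would be fetched by version from the key manager; here they are fixed so
# the example runs offline.
KEY_RING = {
    1: bytes.fromhex("00" * 31 + "01"),
    2: bytes.fromhex("00" * 31 + "02"),
    3: bytes.fromhex("00" * 31 + "03"),
}
CURRENT_VERSION = 3  # the version new ciphertext is written under

# Hypothetical header layout (not a Vormetric format): 2-byte magic,
# 2-byte big-endian key version, 16-byte nonce.
MAGIC = b"VK"
HEADER_FMT = ">2sH16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def keystream(key, nonce, length):
    """PRF counter-mode keystream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext, version=CURRENT_VERSION, nonce=None):
    """Encrypt under the given key version and prefix the version header."""
    key = KEY_RING[version]
    if nonce is None:
        # A fresh nonce per record: in CTR mode the keystream depends only on
        # key and nonce, so reusing both across records leaks plaintext XORs.
        nonce = os.urandom(16)
    header = struct.pack(HEADER_FMT, MAGIC, version, nonce)
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return header + body


def parse_header(record):
    """Return (key_version, nonce, body); reject records without a usable header."""
    if len(record) < HEADER_LEN:
        raise ValueError("record shorter than version header")
    magic, version, nonce = struct.unpack(HEADER_FMT, record[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("missing version header")
    if version not in KEY_RING:
        raise ValueError(f"unknown key version {version}")
    return version, nonce, record[HEADER_LEN:]


def key_version(record):
    """Key version recorded in the record's header."""
    return parse_header(record)[0]


def decrypt(record):
    """Select the key version from the header, then strip the keystream."""
    version, nonce, body = parse_header(record)
    key = KEY_RING[version]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def rekey(record, target_version=CURRENT_VERSION):
    """REKEY: decrypt with the header's key version, re-encrypt with target_version."""
    if key_version(record) == target_version:
        return record  # already on the target version; leave untouched
    return encrypt(decrypt(record), target_version)


if __name__ == "__main__":
    old = encrypt(b"4111111111111111", version=1)  # constructed sample plaintext
    new = rekey(old)
    print("before:", key_version(old), "after:", key_version(new), "plaintext:", decrypt(new))
```

The rekey path never needs to be told which key version a record was written under; the header carries that, which is what lets a BDT REKEY job process a column that mixes records from several rotations. The parser rejects a missing magic value and an unknown version rather than falling back to the current key, since decrypting with the wrong version would silently yield garbage.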